A new malware strain known as PumaBot is targeting Internet of Things (IoT) devices by launching aggressive SSH brute-force attacks. The malware is designed to gain long-term control over vulnerable devices and integrate them into a growing global botnet.
PumaBot was first detected in late 2024. It primarily targets devices like IP cameras, routers, and industrial systems that use default or weak SSH credentials. The malware scans networks, identifies exposed SSH services, and attempts to break in using a large set of username and password combinations.
Advanced Malware Capabilities
Cybersecurity analysts at Darktrace discovered PumaBot during routine threat hunting. Unlike many earlier IoT malware strains, PumaBot uses advanced evasion and persistence techniques, including:
- Process name obfuscation
- Memory-only execution stages
- Dynamic command-and-control (C2) server rotation
Once a device is compromised, PumaBot sets up persistent backdoors. It can then launch DDoS attacks, mine cryptocurrency, and move laterally through connected enterprise networks. This poses a serious risk to large IoT deployments, where a single weakly configured device can give an attacker a foothold in the entire network.
Security experts estimate that tens of thousands of devices worldwide have already been infected, especially in regions with high IoT usage and weak security standards. The malware's ability to survive reboots and firmware updates makes it difficult to remove without full device reimaging, rotation of every password on the device, and removal of any SSH keys the malware added to authorized_keys.
SSH Brute-Force and Persistent Access
PumaBot’s main method of attack involves scanning IP ranges and testing SSH ports (usually port 22). It then launches dictionary-based attacks using over 50,000 credential pairs, many of which are default or common combinations.
The following Python snippet illustrates the basic brute-force loop (a simplified illustration, with a short credential list and a placeholder persistence step standing in for the malware's own):
import paramiko

# Short illustrative list; the malware uses tens of thousands of pairs.
credential_pairs = [("admin", "admin"), ("root", "root"), ("root", "12345")]


def establish_persistence(ssh_client, target_ip):
    # Post-login stage (not shown here): install backdoors, keys and cron jobs.
    ssh_client.close()
    return True


def ssh_bruteforce(target_ip, port=22):
    for username, password in credential_pairs:
        try:
            ssh_client = paramiko.SSHClient()
            ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            ssh_client.connect(target_ip, port, username, password, timeout=10)
            return establish_persistence(ssh_client, target_ip)
        except paramiko.AuthenticationException:
            continue  # wrong guess, try the next pair
        except Exception:
            break  # unreachable host or no SSH service; stop trying
    return False
Once access is gained, PumaBot installs multiple layers of persistence. It creates hidden services, modifies startup scripts, and adds cron jobs to ensure the malware runs after each reboot.
The malware also adds its own public key to the authorized_keys file, giving it password-free remote access later, even after the device's password has been changed. A built-in watchdog monitors for deletion attempts and automatically reinstalls the malware if it is removed. This makes the infection extremely difficult to eradicate.
Security Implications and Response
PumaBot’s ability to hide in memory and survive system resets marks a new level of threat in the IoT malware space. Its advanced persistence mechanisms and stealth tactics make traditional cleanup methods ineffective.
Experts recommend the following to defend against PumaBot:
- Disable SSH access on IoT devices unless necessary
- Use strong, unique passwords, or better, key-based authentication with password logins disabled on the SSH service
- Change default credentials immediately after setup
- Regularly update firmware
- Monitor for unusual SSH activity: bursts of failed logins from a single source, and successful password logins that follow such a burst
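The recommendation to monitor for unusual SSH activity is concrete enough to script. Below is an added example for this article, not PumaBot code and not a Darktrace detection, that reads OpenSSH's standard "Failed password" and "Accepted password/publickey" syslog lines, keeps a sliding window of failures per source IP, raises an alert when a source crosses a failure threshold inside the window (the pattern the dictionary attack described above produces), and raises a second, higher-priority alert when a password login from that source is accepted while failures are still in the window. The log lines, the hostname cam01 and the addresses are constructed samples; the threshold and window are tunables chosen here, not values from the article.

```python
"""Flag SSH brute-force bursts, and a password login that follows one,
from sshd log lines.

Added example for this article, not PumaBot code or a Darktrace detection.
It assumes OpenSSH's default syslog format for "Failed password" and
"Accepted password/publickey" messages; the log lines, hostname and IPs
below are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+'
)

# Constructed sample: a dictionary attack from 203.0.113.9 that succeeds on
# the sixth try, one stray failure, and a legitimate key-based admin login.
SAMPLE_SSHD_LOG = """\
May 27 10:12:01 cam01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May 27 10:12:02 cam01 sshd[1202]: Failed password for invalid user ubnt from 203.0.113.9 port 51236 ssh2
May 27 10:12:04 cam01 sshd[1203]: Failed password for root from 203.0.113.9 port 51238 ssh2
May 27 10:12:05 cam01 sshd[1204]: Failed password for invalid user pi from 203.0.113.9 port 51240 ssh2
May 27 10:12:07 cam01 sshd[1205]: Failed password for root from 203.0.113.9 port 51242 ssh2
May 27 10:12:09 cam01 sshd[1206]: Accepted password for root from 203.0.113.9 port 51244 ssh2
May 27 10:12:09 cam01 sshd[1206]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 27 10:15:30 cam01 sshd[1210]: Failed password for admin from 198.51.100.20 port 40010 ssh2
May 27 10:16:00 cam01 sshd[1211]: Accepted publickey for admin from 10.0.0.5 port 40012 ssh2: ED25519 SHA256:constructed
"""


def parse_sshd_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of an auth event, or None for lines we do not track."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; only differences between them are used.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Sliding-window failure counter per source IP.

    Emits ("bruteforce", ip, detail) once a source reaches `threshold`
    failures inside `window`, and ("compromise", ip, detail) when a
    password login from that source is accepted while failures are still
    in the window, i.e. the dictionary attack found a working pair.
    """
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    users = defaultdict(set)           # ip -> usernames tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()           # expire failures outside the window
        if ev["result"] == "Failed":
            recent.append(ts)
            users[ip].add(ev["user"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip,
                               f"{len(recent)} failures against {len(users[ip])} usernames within {window}"))
        elif ev["method"] == "password" and recent:
            alerts.append(("compromise", ip,
                           f"password accepted for {ev['user']} after {len(recent)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_bruteforce(SAMPLE_SSHD_LOG.splitlines()):
        print(f"{kind:11} {ip:16} {detail}")
```

Run it over /var/log/auth.log or the output of journalctl -u ssh: the key-based admin login and the single stray failure stay quiet, while the burst from 203.0.113.9 produces both alerts. Devices that cannot ship logs off-box are exactly the ones this should run against from a central collector, since a compromised host's own log is not trustworthy.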
As the number of connected devices continues to grow, the risks posed by malware like PumaBot highlight the urgent need for stronger IoT security practices across all industries.