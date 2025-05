Internet of Things devices running on Linux have been targeted by the newly emergent PumaBot botnet in SSH brute-force attacks, according to Security Affairs After brute-forcing SSH credentials from retrieved IPs, the Go-based PumaBot botnet distributes itself and gathers system information while concealing its presence with a bogus systemd service before executing the XMRig cryptominer and the ddaemon and networkxm binaries, a report from Darktrace showed. Further analysis revealed PumaBot to be tracking traffic cameras and surveillance systems produced by Pumatronix, as well as conducting environment fingerprinting checks to bypass honeypots. "While [PumaBot] does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access," said Darktrace researchers, who urged organizations to defend themselves from the botnet by performing regular systemd service audits, tracking atypical SSH login patterns, and restricting port 22 exposure.