Defeating PumaBot: How Check Point Quantum IoT Protect Nano Agent Shields Surveillance Devices
checkpoint, June 23, 2025
Darktrace researchers have identified PumaBot, a Go-based Linux botnet that focuses on embedded surveillance cameras and other IoT devices.
Unlike spray-and-pray botnets that scan the whole internet, PumaBot pulls a curated IP list from its C2 and then brute-forces SSH logins on port 22 until it gets a shell. Once in, it drops its payload under /lib, registers a rogue systemd service, injects a back-door key into ~/.ssh/authorized_keys, and can fetch further modules via the same C2 channel.
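The persistence steps described above leave artefacts a defender can check for. The following is an added triage example, not code from Check Point or Darktrace: it audits a live root or mounted device image for systemd units outside a known-good baseline (flagging those that launch from /lib) and for authorized_keys entries that are not approved. The baseline set, the approved-key set, and every file name and key in the sample tree are constructed assumptions, not indicators from the page.

```python
import re
import tempfile
from pathlib import Path

UNIT_GLOBS = ("etc/systemd/system/*.service", "lib/systemd/system/*.service",
              "usr/lib/systemd/system/*.service")
KEY_GLOBS = ("root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys")
EXEC_RE = re.compile(r"^ExecStart=[-@:+!]*(\S+)", re.M)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def audit(root, known_units, approved_keys):
    """Audit a live root or mounted image; return (kind, path, detail) tuples."""
    root, findings = Path(root), []
    for pattern in UNIT_GLOBS:
        for unit in sorted(root.glob(pattern)):
            if unit.name in known_units:
                continue  # present in the device's known-good baseline
            m = EXEC_RE.search(unit.read_text(errors="replace"))
            target = m.group(1) if m else ""
            # An unbaselined unit launching from /lib fits the pattern above.
            in_lib = target.startswith(("/lib/", "/usr/lib/"))
            kind = "unknown-unit-exec-in-lib" if in_lib else "unknown-unit"
            findings.append((kind, str(unit.relative_to(root)), target))
    for pattern in KEY_GLOBS:
        for ak in sorted(root.glob(pattern)):
            for line in ak.read_text(errors="replace").splitlines():
                fields = line.split()
                if not fields or fields[0].startswith("#"):
                    continue
                # Options may precede the key type; the blob follows the type.
                blob = next((fields[i + 1] for i, f in enumerate(fields[:-1])
                             if f.startswith(KEY_TYPES)), line)
                if blob not in approved_keys:
                    findings.append(("unapproved-key", str(ak.relative_to(root)), blob[:16]))
    return findings

def demo():
    """Run the audit over a constructed tree (all names and keys are made up)."""
    files = {
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/systemd/system/example-updater.service": "[Service]\nExecStart=/lib/example-updater\n",
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAAPPROVEDKEY admin\nssh-rsa AAAAUNKNOWNKEY x\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(tmp, {"sshd.service"}, {"AAAAAPPROVEDKEY"})
```

Legitimate units also run binaries from /lib/systemd, which is why the check is keyed on the baseline first and treats the /lib location only as a severity hint.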