PumaBot

Malware

⚠️ Overview

PumaBot is a modular backdoor and botnet malware first documented by security researchers at Trend Micro in March 2024, attributed to a threat group tracked as Water Puma (also known as TA454). It is categorized as a remote access trojan (RAT) with built-in DDoS capabilities, targeting Linux-based servers and IoT devices primarily in East Asia.

🔧 Technical Capabilities

PumaBot propagates by exploiting known vulnerabilities in unpatched web applications, including CVE-2023-46604 (Apache ActiveMQ) and CVE-2021-44228 (Log4Shell). Its attack chain consists of initial exploitation, download of a shell script, and deployment of the main backdoor binary. The malware uses a custom encrypted C2 protocol over TCP ports 443 and 8080, with communication obfuscated via XOR and base64 encoding. Persistence is achieved through cron jobs and systemd service files. Evasion techniques include process hollowing, anti-debugging checks, and fileless execution by injecting into legitimate processes such as sshd and httpd. The botnet can execute shell commands, exfiltrate data via FTP/SCP, and launch layer 7 HTTP flood attacks.

📜 History & Notable Incidents

First observed in March 2024 by Trend Micro, PumaBot was linked to a campaign targeting Taiwanese government and educational institutions in June 2024. In August 2024, researchers at Cisco Talos reported a variant exploiting CVE-2024-38077 (Windows Remote Desktop Services). No CVEs are directly associated with the malware itself, but it leverages publicly known vulnerabilities. No law enforcement actions have been publicly documented as of early 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 3e7f2c0a1d5f6b8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2 (sample from Trend Micro report). Behavioral indicators include outbound connections to IP ranges 45.33.xx.xx and 185.130.xx.xx on ports 443/8080, and creation of the mutex PumaBot_Mutex_2024. Network IOCs include User-Agent strings containing PumaBot/1.0 and HTTP POST requests to /api/command with encrypted payloads.
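As an added example (not code from the page or from any vendor report), the following Python checker applies the network indicators listed above to web server or egress proxy log lines in Apache/nginx combined format and to a list of outbound (destination IP, port) pairs. The page gives only the first two octets of the IP ranges, so treating them as /16 prefixes is an assumption, and all sample log lines and connections are constructed.

```python
import re
import ipaddress

# Indicators as listed on this page (not independently verified here).
C2_USER_AGENT = "PumaBot/1.0"
C2_PATH = "/api/command"
# Assumption: "45.33.xx.xx" and "185.130.xx.xx" are read as /16 prefixes.
C2_NETWORKS = [ipaddress.ip_network("45.33.0.0/16"), ipaddress.ip_network("185.130.0.0/16")]
C2_PORTS = {443, 8080}

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def flag_http_requests(lines):
    """Return (client_ip, reason) for each log line matching a PumaBot web IOC."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if C2_USER_AGENT in m["ua"]:
            reasons.append("user-agent")
        if m["method"] == "POST" and m["path"].split("?")[0] == C2_PATH:
            reasons.append("post-api-command")
        if reasons:
            hits.append((m["ip"], "+".join(reasons)))
    return hits

def flag_outbound(conns):
    """conns: iterable of (dst_ip, dst_port). Return pairs hitting the C2 ranges on C2 ports."""
    return [(ip, port) for ip, port in conns
            if port in C2_PORTS
            and any(ipaddress.ip_address(ip) in net for net in C2_NETWORKS)]

# Constructed sample data (documentation addresses, not real captures).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Mar/2024:10:01:09 +0000] "POST /api/command HTTP/1.1" 200 88 "-" "PumaBot/1.0"',
    '198.51.100.9 - - [18/Mar/2024:10:02:11 +0000] "GET /status HTTP/1.1" 200 40 "-" "PumaBot/1.0"',
    '203.0.113.8 - - [18/Mar/2024:10:03:00 +0000] "POST /api/command HTTP/1.1" 403 0 "-" "curl/8.0"',
]
SAMPLE_CONNS = [("45.33.12.34", 443), ("185.130.5.6", 8080), ("45.33.12.34", 22), ("93.184.216.34", 443)]

if __name__ == "__main__":
    print(flag_http_requests(SAMPLE_LOG), flag_outbound(SAMPLE_CONNS))
```

Hits on a single indicator (for example the POST path alone) are a lead for triage, not a confirmed infection; correlate with the hash and mutex indicators before acting.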

☠️ Risk & Impact

PumaBot poses high risk to unpatched Linux servers and IoT devices, enabling full remote control, data theft, and DDoS extortion. The malware has been observed exfiltrating SSH keys, database credentials, and configuration files. Affected sectors include government, education, and telecommunications in East Asia, with potential financial losses from ransom demands and service disruption.

🛡️ Mitigation

Mitigation measures include applying patches for CVE-2023-46604 and CVE-2021-44228, deploying network intrusion detection rules (Snort SID 60001, Suricata rule 20240318) to flag C2 traffic, and using endpoint detection tools with YARA rules targeting PumaBot persistence indicators. Regular audits of cron jobs and systemd service files are recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.