PUMAKIT

Malware

⚠️ Overview

PUMAKIT is a stealthy, multi-stage Linux kernel rootkit publicly documented by Elastic Security Labs in December 2024. It is a kernel-mode rootkit (a loadable kernel module) targeting x86_64 Linux systems and is designed to provide persistent, covert backdoor access. Attribution is unconfirmed: some researchers have suggested a possible link to Chinese cyber espionage operations based on infrastructure overlaps, but no threat actor has been named.

🔧 Technical Capabilities

PUMAKIT is delivered as the final stage of a multi-stage dropper that stages memory-resident intermediate executables before loading the kernel module; initial access for the dropper comes from a separate vector, typically phishing or exploitation of a vulnerable exposed service. The rootkit itself is a loadable kernel module (LKM) that hooks system calls and internal kernel functions with ftrace, both to conceal its presence and to grant elevated privileges to a process on demand. Before deploying the module, the dropper checks prerequisites such as Secure Boot status and the availability of the kernel symbols it needs, so the module is only loaded on hosts where it can run unnoticed. A companion userland component is injected into processes through LD_PRELOAD. Persistence is achieved by reloading the module at boot, for example from init scripts or other early-boot hooks. For evasion, PUMAKIT hides files and directories, processes and sockets from standard utilities such as ps and netstat by hooking syscalls such as getdents64 and kill, and unlinks itself from the kernel's module list so that lsmod and /proc/modules do not show it. It also reportedly implements anti-debugging checks and can unload itself if analysis tools are detected. Command and control uses a bespoke binary protocol over TCP, reported to be RC4-encrypted, with commands embedded in packets shaped to resemble normal traffic and a heartbeat that keeps the session alive.

📜 History & Notable Incidents

PUMAKIT was publicly documented in Elastic Security Labs' December 2024 report "Declawing PUMAKIT". No high-profile public victims or major campaigns have been disclosed, but the rootkit is associated with targeted attacks against cloud infrastructure and server environments. Researchers have noted code similarities with earlier Linux rootkits such as Umbreon, suggesting a shared developer or lineage, although this has not been confirmed. No CVEs are tied to PUMAKIT itself; the dropper relies on misconfigurations or unpatched vulnerabilities for initial access.

🔍 Detection Indicators

Indicators include a kernel module named puma.ko (or a variant) that is absent from lsmod and /proc/modules yet still visible elsewhere, for example as a /sys/module entry, and unusual syscall hooking reported by kernel integrity monitoring (ftrace-based hooks are listed in /sys/kernel/tracing/enabled_functions). Network indicators are C2 traffic on non-standard TCP ports carrying encrypted payloads. Behavioural signatures include manipulation of the module list to hide the module, memory-resident (memfd-backed) executables spawned by the dropper, and a userland component registered through LD_PRELOAD or /etc/ld.so.preload. File hashes for known samples are published in Elastic's report.
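The three cross-view checks above (module list versus sysfs, directory listing versus direct /proc access, and the ftrace hook list) are easy to script. The following is an added example for this page, not code from Elastic's report or from PUMAKIT; the module name "puma", the hook function names and all sample data are constructed to illustrate what a hit looks like. It assumes tracefs is mounted at /sys/kernel/tracing and that /sys/module/<name>/initstate exists only for loaded loadable modules, which is how the kernel populates sysfs.

```python
"""Cross-view hunts for a hidden LKM, hidden processes and ftrace hooks.

Added example; not code from Elastic's report or from PUMAKIT.  Each check
compares two kernel views that a rootkit must keep consistent to stay hidden:
  * /proc/modules (what lsmod prints) versus /sys/module/<name>/initstate,
    which survives a plain list_del() of the module from the module list;
  * the PIDs from listing /proc versus opening /proc/<pid> directly, which a
    getdents64-only hook does not filter;
  * /sys/kernel/tracing/enabled_functions, every function with an ftrace
    callback; the I flag marks IPMODIFY callbacks, the kind a syscall hook
    needs (livepatch uses it too, so triage the owner in brackets).
Pure functions take captured text so they run offline; collect_*/run_live
read the host (tracefs needs root).  All sample data below is constructed.
"""
import os
import re

# Constructed sample: module list omits "puma", /proc listing omits PID 4242.
PROC_MODULES_SAMPLE = (
    "xfs 1634304 2 - Live 0xffffffffc0a00000\n"
    "libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000\n"
    "overlay 139264 0 - Live 0xffffffffc09c0000\n"
)
SYSFS_MODULES_SAMPLE = {"xfs", "libcrc32c", "overlay", "puma"}
LISTED_PIDS_SAMPLE = {1, 2, 734, 1200}
REAL_PIDS_SAMPLE = {1, 2, 734, 1200, 4242}
ENABLED_FUNCTIONS_SAMPLE = (
    "schedule (1) R\t->perf_ftrace_ops_list_func+0x0/0x40\n"
    "__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc0b8b000 "
    "(hook_getdents64+0x0/0x120 [puma]) ->ftrace_ops_assist_func+0x0/0x1b0\n"
    "__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc0b8c000 "
    "(hook_rmdir+0x0/0x90 [puma]) ->ftrace_ops_assist_func+0x0/0x1b0\n"
)


def parse_proc_modules(text):
    """Module names from /proc/modules content (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def find_hidden_modules(proc_modules_text, sysfs_module_names):
    """Modules that sysfs still knows about but the module list no longer shows."""
    return sorted(set(sysfs_module_names) - parse_proc_modules(proc_modules_text))


def find_hidden_pids(listed_pids, probe, pid_max):
    """PIDs that probe(pid) confirms but that the directory listing omits."""
    listed = {int(p) for p in listed_pids}
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and probe(pid)]


# "<func> (<count>) <flags...>" up to the tab, "->" or tramp details.
_ENABLED_LINE = re.compile(r"^(\S+) \(\d+\)([^\t>-]*)")


def find_ipmodify_hooks(enabled_functions_text):
    """(hooked function, owning module or '?') for entries carrying the I flag."""
    hooks = []
    for line in enabled_functions_text.splitlines():
        m = _ENABLED_LINE.match(line)
        if not m or "I" not in m.group(2).split():
            continue
        owner = re.search(r"\[([^\]]+)\]", line)
        hooks.append((m.group(1), owner.group(1) if owner else "?"))
    return hooks


def collect_sysfs_modules(root="/"):
    base = os.path.join(root, "sys/module")
    return {n for n in os.listdir(base) if os.path.exists(os.path.join(base, n, "initstate"))}


def collect_listed_pids(root="/"):
    return {int(n) for n in os.listdir(os.path.join(root, "proc")) if n.isdigit()}


def run_live(root="/"):
    """All three checks against the host; scanning up to pid_max takes a while."""
    with open(os.path.join(root, "proc/modules")) as f:
        proc_modules = f.read()
    with open(os.path.join(root, "proc/sys/kernel/pid_max")) as f:
        pid_max = int(f.read())
    tracing = os.path.join(root, "sys/kernel/tracing/enabled_functions")
    enabled = open(tracing).read() if os.access(tracing, os.R_OK) else ""
    return {
        "hidden_modules": find_hidden_modules(proc_modules, collect_sysfs_modules(root)),
        "hidden_pids": find_hidden_pids(
            collect_listed_pids(root),
            lambda pid: os.path.exists(os.path.join(root, "proc", str(pid))), pid_max),
        "ipmodify_hooks": find_ipmodify_hooks(enabled),
    }


def run_sample():
    """The same checks over the constructed sample data."""
    return {
        "hidden_modules": find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_MODULES_SAMPLE),
        "hidden_pids": find_hidden_pids(LISTED_PIDS_SAMPLE, lambda p: p in REAL_PIDS_SAMPLE, 5000),
        "ipmodify_hooks": find_ipmodify_hooks(ENABLED_FUNCTIONS_SAMPLE),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Run it as root with `run_live()` for a real host. A hit on any check is a lead, not a verdict: a rootkit that also removes its sysfs kobject evades the first check, one that hooks stat/openat as well as getdents64 evades the second, and legitimate livepatches show up in the third, so confirm findings from a trusted view such as a memory image or an offline boot.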

☠️ Risk & Impact

PUMAKIT gives an attacker full remote control of an infected Linux host, allowing them to exfiltrate sensitive data, deploy additional payloads or pivot into internal networks, and because the kernel module can grant elevated privileges on demand, an initial foothold as an unprivileged user is enough. The rootkit's stealth makes detection difficult, leading to prolonged compromise of servers in data centres and cloud environments. Sectors at risk include technology, finance and government, where Linux servers are prevalent.

🛡️ Mitigation

Defenders should enforce signed kernel modules: UEFI Secure Boot with module signature enforcement (module.sig_enforce=1 on the kernel command line, or a kernel built with CONFIG_MODULE_SIG_FORCE) and kernel lockdown in integrity mode (lockdown=integrity), which together prevent an unsigned LKM such as puma.ko from loading at all. On servers whose module set is fixed, the kernel.modules_disabled=1 sysctl disables module loading entirely until the next reboot. For detection, deploy kernel integrity monitoring (for example Linux Kernel Runtime Guard) and endpoint detection and response (EDR) or telemetry that records module loads and hooking anomalies, such as auditd rules on the init_module, finit_module and delete_module syscalls and Sysmon for Linux for process and file events. Patching public-facing services removes the initial access the dropper relies on.
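The following added example (written for this page, not taken from the original entry or from any vendor tool) audits the three kernel controls named above by reading the kernel's own effective view of each, and prints the weak boot line next to the corrected one. It assumes the standard file locations: /proc/cmdline, /sys/module/module/parameters/sig_enforce, /sys/kernel/security/lockdown and /proc/sys/kernel/modules_disabled. All sample values are constructed.

```python
"""Audit module-loading hardening: signature enforcement, lockdown, modules_disabled.

Added example; not part of the original entry.  Each control is read from the
kernel's effective view rather than from config files, so a setting that was
written but never applied shows up as unmet:
  module.sig_enforce=1      -> /sys/module/module/parameters/sig_enforce  (Y/N)
  lockdown=integrity        -> /sys/kernel/security/lockdown  ("none [integrity] confidentiality")
  kernel.modules_disabled=1 -> /proc/sys/kernel/modules_disabled  (0/1)
Check functions take file contents as text so they run offline; read_live()
reads the real files.  Sample values are constructed.
"""
import os
import re

# Constructed sample of a host booted without any of the three controls.
CMDLINE_SAMPLE = "BOOT_IMAGE=/vmlinuz-6.1.0 root=/dev/sda2 ro quiet"
SIG_ENFORCE_SAMPLE = "N\n"
LOCKDOWN_SAMPLE = "[none] integrity confidentiality\n"
MODULES_DISABLED_SAMPLE = "0\n"

# Boot-time parameters the hardened command line must carry.
REQUIRED_CMDLINE = {"module.sig_enforce": "1", "lockdown": "integrity"}


def parse_cmdline(text):
    """Kernel command line as {param: value}; bare flags map to ''."""
    params = {}
    for token in text.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def active_lockdown(text):
    """Active mode from the lockdown file: the bracketed word, else 'none'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else "none"


def audit(sig_enforce, lockdown, modules_disabled):
    """{control: (satisfied, observed value)} from the three kernel files."""
    mode = active_lockdown(lockdown)
    return {
        "module.sig_enforce": (sig_enforce.strip().upper() == "Y", sig_enforce.strip()),
        "lockdown": (mode in ("integrity", "confidentiality"), mode),
        "kernel.modules_disabled": (modules_disabled.strip() == "1", modules_disabled.strip()),
    }


def harden_cmdline(cmdline_text):
    """Corrected boot line: the original plus any missing REQUIRED_CMDLINE entries."""
    present = parse_cmdline(cmdline_text)
    extra = [f"{k}={v}" for k, v in REQUIRED_CMDLINE.items() if present.get(k) != v]
    return " ".join([cmdline_text.strip()] + extra)


def remediation(findings):
    """Operator-readable fixes for every control audit() reported as unmet."""
    fixes = {
        "module.sig_enforce": "add module.sig_enforce=1 to the kernel command line (or build with "
                              "CONFIG_MODULE_SIG_FORCE=y); requires a module signing key, otherwise "
                              "out-of-tree modules such as DKMS builds stop loading",
        "lockdown": "add lockdown=integrity to the kernel command line "
                    "(requires CONFIG_SECURITY_LOCKDOWN_LSM)",
        "kernel.modules_disabled": "run sysctl -w kernel.modules_disabled=1 once all required modules "
                                   "are loaded; it cannot be cleared again without a reboot",
    }
    return [fixes[name] for name, (ok, _) in findings.items() if not ok]


def read_live(root="/"):
    """Read the real files; a missing file counts as the control being unmet."""
    def read(path, default):
        full = os.path.join(root, path)
        return open(full).read() if os.path.exists(full) else default
    return {
        "cmdline": read("proc/cmdline", ""),
        "sig_enforce": read("sys/module/module/parameters/sig_enforce", "N"),
        "lockdown": read("sys/kernel/security/lockdown", "[none]"),
        "modules_disabled": read("proc/sys/kernel/modules_disabled", "0"),
    }


def report(cmdline, sig_enforce, lockdown, modules_disabled):
    """Findings, fixes, and the current versus hardened command line."""
    findings = audit(sig_enforce, lockdown, modules_disabled)
    return {
        "findings": findings,
        "fixes": remediation(findings),
        "current_cmdline": cmdline.strip(),
        "hardened_cmdline": harden_cmdline(cmdline),
    }


if __name__ == "__main__":
    import json
    import sys
    if "--live" in sys.argv:
        out = report(**read_live())
    else:
        out = report(CMDLINE_SAMPLE, SIG_ENFORCE_SAMPLE, LOCKDOWN_SAMPLE, MODULES_DISABLED_SAMPLE)
    print(json.dumps(out, indent=2))
```

Run with `--live` on a real host. The hardened command line still has to be written into the bootloader configuration (and the boot image signed, if Secure Boot is in use) to persist; the script deliberately only reports, since kernel.modules_disabled=1 is a one-way switch and an unsigned out-of-tree module the server depends on will fail to load once sig_enforce is active.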


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.