Zachary Amos, Features Editor of ReHack Magazine, distils information about PumaBot: what to know about this malware and how to protect yourself
Britain’s CCTV cameras, smart meters and streetlight controllers are lucrative stepping-stones for cyber criminals. A fresh malware strain dubbed PumaBot is turning poorly secured Internet of Things (IoT) hardware into a hire-on-demand attack force. Here’s what every device maker and integrator needs to know to keep customers — and reputations — intact.
What Is PumaBot?
First identified by Darktrace analysts in May 2025, PumaBot is a Go-written Linux botnet that targets embedded devices such as IP cameras and DVRs running cut-down distributions of OpenWrt or BusyBox.
Unlike Mirai-style worms that sweep the entire Internet, PumaBot retrieves a curated IP list from its command-and-control (C2) server, then brute-forces SSH logins to gain entry and plant a persistent systemd service. The malware’s name stems from a telltale code check for Pumatronix — a Brazilian camera brand — hinting at a surveillance-device focus.
How PumaBot operates
PumaBot’s life cycle can be distilled into three technical phases:
- Reconnaissance via the C2 list: the bot calls getIPs() to fetch targets and — having avoided noisy mass scans — slips below most intrusion-detection thresholds
- Rapid credential spraying: the bot hammers port 22 with username-password pairs supplied by the C2 — completing a burst in seconds to dodge rate-limit alarms
- Modular payload delivery: once rooted, the loader fingerprints the host and pulls the best-fit module — a crypto-miner, DDoS binary or data-exfiltration tool. Because modules ship separately, signature-based antivirus struggles to keep up.
Recent PumaBot attacks in the UK
Dark Reading records “tens of thousands” of compromised cameras assembled within a week — generating 80 Gbit/s UDP floods against European gaming servers. The UK’s National Cyber Security Centre confirms the direction of travel. Its 2024 annual review logged 430 serious incidents, mostly linked to vulnerable edge devices — a 16% rise from the previous year.
Data breaches compromise privacy and can cause devastating financial losses. Researchers from the Ponemon Institute and IBM place the average breach cost at $4.24 million, with finance, healthcare, technology and energy companies hit the hardest.
Verizon’s 2025 Data Breach Investigations Report adds further context — breaches involving third-party components have doubled to 30%, and the exploitation of unpatched vulnerabilities has surged by 34%. Credential abuse remains the top entry vector at 22%. PumaBot’s SSH-spraying playbook aligns squarely with those statistics.
Defensive priorities for UK manufacturers
Putting PumaBot on the back foot demands changes in both engineering practice and life cycle management. Two things set the stage — the Product Security and Telecommunications Infrastructure (PSTI) Act of 2024 now requires vendors to build in “secure by default” protocols, and customers are beginning to factor cyber-hygiene into purchasing decisions.
Key measures to embed during the design process and after shipment include:
- Secure boot plus signed firmware updates: this blocks rogue binaries and stops the malware from re-establishing itself after a reboot
- Assigning unique credentials at first boot: default admin/admin pairs make attacks easier for bot-herders
- Restricting SSH configuration: enforce key-based logins, disable root access and throttle connection attempts to blunt PumaBot’s spray-and-pray tactics
- Maintaining a detailed software bill of materials (SBOM) with automated CVE alerts: knowing precisely which libraries ship on the device accelerates patch rollouts when new flaws come up
- Setting up over-the-air update channels: customers patch faster when fixes arrive with a single click rather than manual downloads.
Each of these controls pays off quickly — brands avoid the reputational hit of public hijacks, retailers sidestep expensive recalls and PSTI penalties stay off the company balance sheet.
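The SSH measures in the list above can be checked automatically before a firmware image ships. The following is an added example, not code from the article or from any vendor: a small audit of an OpenSSH-style sshd_config that honours the rule that the first value given for a keyword wins. It assumes the device runs OpenSSH; the threshold of three attempts and both sample configurations are constructed for illustration.

```python
import re

# OpenSSH built-in defaults, applied when a keyword is absent from the file
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MAX_AUTH_TRIES = 3  # assumed policy threshold, not taken from the article

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value for a keyword wins.
    Include files are not followed."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(\S.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            break  # everything after Match is a conditional override
        if key in DEFAULTS and key not in seen:
            seen.add(key)
            settings[key] = m.group(2).strip()
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means the checks passed."""
    s, findings = effective_settings(config_text), []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: password logins allowed")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication: interactive passwords allowed")
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin: root can log in over SSH")
    tries = s["maxauthtries"]
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append("MaxAuthTries: more than %d attempts per connection" % MAX_AUTH_TRIES)
    return findings

# Constructed samples. In WEAK, the appended "no" is ignored: first value wins.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PermitRootLogin no\nMaxAuthTries=3\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

The weak sample shows why appending a hardening line to a factory config is not enough: the earlier `PasswordAuthentication yes` still takes effect.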
Stronger defences vs. PumaBot start now
PumaBot thrives on weak passwords and stagnant firmware. By hardening authentication, adopting signed updates and monitoring fleets in the field, UK manufacturers can turn their products from soft targets into hardened assets — sparing end users and the broader economy from the mounting costs of botnet-driven disruption.
Zac Amos is a freelance tech writer who specialises in IoT, cybersecurity, and automation. He is also the Features Editor at ReHack Magazine. Follow him on LinkedIn.