Systemd as a Weapon: How PumaBot Exploits Linux Persistence

Follow Us on Your Favorite Podcast Platform

Linux systems are under siege—particularly in the world of IoT and internet-exposed servers. In this episode, we dissect PumaBot, a new GoLang-based botnet that’s turning Linux IoT devices into cryptomining workhorses. We’ll break down how attackers brute-force SSH credentials, install malware disguised as legitimate services, and use systemd for stealthy persistence.

We dive deep into ATT&CK technique T1501, where systemd services like redis.service or mysqI.service are hijacked or maliciously created to ensure malware survives system reboots. You’ll learn how adversaries leverage GoLang’s cross-platform strengths and embed rootkits like pam_unix.so to capture credentials, all while evading detection with environment fingerprinting.

We also explore the broader implications: how cryptojacking continues to rise, what SSH brute-forcing says about current security hygiene, and why IoT devices remain a weak link in enterprise infrastructure. If you manage Linux systems or deploy connected devices, this episode is your tactical briefing on the latest threats—and what to look out for before your CPU cycles are stolen for someone else’s crypto wallet.

Related Posts