Pulse Detail — Threat Intelligence

PULSE NAME

PumaBot: Novel Botnet Targeting IoT Surveillance Devices

WHITE CyberHunter_NL 2025-06-04 Modified: 2025-06-04

IOCs

MEDIUM VOLUME

Darktrace has been named the world's leading provider of advanced network detection and response (SOC) for the next five years, with a global presence of more than 1.5 million customers.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1082 T1033 T1059 T1102 T1105 T1014 T1036 T1071 T1543 T1110

MALWARE FAMILIES

Linux JSON Ddaemon

Indicators of Compromise (50)

All URL hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256 YARA domain email

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://1.lusyn.xyz/jc/aa	—	2025-06-04
URL	http://1.lusyn.xyz/jc/cs	—	2025-06-04
hostname	1.lusyn.xyz	—	2025-06-04
URL	http://1.lusyn.xyz	—	2025-06-04
URL	https://db.17kp.xyz/	5fd55da8747d933410bb637571802aca2eedf3314039722e2b9d6f37afdad97e	2025-06-04
URL	https://dow.17kp.xyz/	—	2025-06-04
URL	https://pumatronix.com/	—	2025-06-04
FileHash-MD5	0e455e06315b9184d2e64dd220491f7e	—	2025-06-04
FileHash-MD5	1bd6bcd480463b6137179bc703f49545	—	2025-06-04
FileHash-MD5	48ee40c40fa320d5d5f8fc0359aa96f3	—	2025-06-04
FileHash-MD5	8b37d3a479d1921580981f325f13780c	—	2025-06-04
FileHash-MD5	a9412371dc9247aa50ab3a9425b3e8ba	—	2025-06-04
FileHash-MD5	be83729e943d8d0a35665f55358bdf88	—	2025-06-04
FileHash-MD5	cab6f908f4dedcdaedcdd07fdc0a8e38	—	2025-06-04
FileHash-MD5	cb4011921894195bcffcdf4edce97135	—	2025-06-04
FileHash-SHA1	158f869a1ae3aa2a3586920e788a9110b7495b9d	SHA1 of 1bd6bcd480463b6137179bc703f49545	2025-06-04
FileHash-SHA1	1d6f623aa4ccb3ba89c19a1479a84067ada38f32	SHA1 of be83729e943d8d0a35665f55358bdf88	2025-06-04
FileHash-SHA1	2c54bfe5145be3d28f5899962f5c570a34de15fb	SHA1 of a9412371dc9247aa50ab3a9425b3e8ba	2025-06-04
FileHash-SHA1	5a1448bb86d5658f396c463f08774fdf171245e6	SHA1 of 0e455e06315b9184d2e64dd220491f7e	2025-06-04
FileHash-SHA1	6710f3847b805a75eab797959094acaeaa29d6aa	SHA1 of cb4011921894195bcffcdf4edce97135	2025-06-04
FileHash-SHA1	a85c6874884f7d6df2587fd51f65ff7593569683	SHA1 of 48ee40c40fa320d5d5f8fc0359aa96f3	2025-06-04
FileHash-SHA1	c39c96dc5c1e640d081da30cf8f0638689700483	SHA1 of cab6f908f4dedcdaedcdd07fdc0a8e38	2025-06-04
FileHash-SHA256	0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838	SHA256 of 1bd6bcd480463b6137179bc703f49545	2025-06-04
FileHash-SHA256	426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9	SHA256 of 0e455e06315b9184d2e64dd220491f7e	2025-06-04
FileHash-SHA256	6838d819b5588cd4b0a52c21d02cbf305005fc31bc0e6709d24223a0f6dfb249	SHA256 of be83729e943d8d0a35665f55358bdf88	2025-06-04
FileHash-SHA256	7c59d3e325ad6c6d85e3b4c457c8f816eb437e5e98a63584f5eb7a39e33a5f40	SHA256 of cb4011921894195bcffcdf4edce97135	2025-06-04
FileHash-SHA256	a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3	SHA256 of cab6f908f4dedcdaedcdd07fdc0a8e38	2025-06-04
FileHash-SHA256	ab50b0b9d5c9739383ce6178b258af10b116299ecb3319bbfb94f27d6f7b1b01	SHA256 of a9412371dc9247aa50ab3a9425b3e8ba	2025-06-04
FileHash-SHA256	f8c75077c3e3c97314c729a7a5fe97b1d2868a94632a351ba3985f0cf66c09d7	SHA256 of 48ee40c40fa320d5d5f8fc0359aa96f3	2025-06-04
URL	http://1.lusyn.xyz/jc/1	7c59d3e325ad6c6d85e3b4c457c8f816eb437e5e98a63584f5eb7a39e33a5f40	2025-06-04
URL	http://1.lusyn.xyz/jc/jc.sh	4dadac588a3df364447dc24629850599d65afbfacff1a2bf85576211deb3d3db	2025-06-04
URL	http://dasfsdfsdfsdfasfgbczxxc.lusyn.xyz/api	—	2025-06-04
URL	http://dasfsdfsdfsdfasfgbczxxc.lusyn.xyz/api/	—	2025-06-04
URL	http://dasfsdfsdfsdfasfgbczxxc.lusyn.xyz/jc	25fb23868ebf48348f9e438e00cb9b9d9b3a054f32482a781c762cc4f9cc6393	2025-06-04
URL	http://dasfsdfsdfsdfasfgbczxxc.lusyn.xyz/jc/1.	—	2025-06-04
URL	http://db.17kp.xyz/getDdaemonMd5	—	2025-06-04
URL	http://ssh.ddos-cc.org:55554	—	2025-06-04
URL	http://ssh.ddos-cc.org:55554/get_cmd	—	2025-06-04
URL	http://ssh.ddos-cc.org:55554/log_success	—	2025-06-04
URL	http://ssh.ddos-cc.org:55554/pwd.txt	—	2025-06-04
URL	https://input.17kp.xyz/	—	2025-06-04
YARA	f540f7af0ba3995c2a35f623b83737456c93e55f	Rule to match on PumaBot samples	2025-06-04
domain	multi-user.target	—	2025-06-04
domain	pumatronix.com	—	2025-06-04
email	tgould@cadosecurity.com	—	2025-06-04
hostname	dasfsdfsdfsdfasfgbczxxc.lusyn.xyz	—	2025-06-04
hostname	db.17kp.xyz	—	2025-06-04
hostname	dow.17kp.xyz	—	2025-06-04
hostname	input.17kp.xyz	—	2025-06-04
hostname	ssh.ddos-cc.org	—	2025-06-04

References (1)

↗ https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices