PUMAKIT is a Linux kernel rootkit. The provided content describes it as a sophisticated loadable-kernel-module (LKM) rootkit that can escalate privileges, hide files and directories, conceal itself from system tools, and evade detection while maintaining communication with command-and-control servers. It is associated with direct syscall table hooking and ftrace hooks, and is also cited alongside newer Linux syscall-hooking tradecraft. The content notes that PUMAKIT uses process or thread masquerading techniques, including naming activity after kernel worker threads such as kworker or kthreadd. Prior iterations are identified as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). BI.ZONE linked the Kitsune iteration to the Sneaky Wolf / Sneaking Leprechaun threat cluster. PUMAKIT is referenced in reporting on campaigns affecting Russian organizations, but the supplied content does not provide high-confidence details on a specific infection vector or victim sector uniquely attributable to PUMAKIT. No concrete IOCs are provided in the content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
PUMAKIT is a kernel rootkit used to escalate privileges, hide files and directories, and conceal itself from system tools; its prior iterations are known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023).
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Rootkits are a class of malicious software designed to conceal their presence and maintain persistent access to a system. Kernel-level rootkits leverage LKMs, manipulating kernel behavior to hide processes, files, and network activity, making them difficult to detect.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux rootkit discussed for masquerading and spawning kernel threads to execute userland commands through kthreadd.
Linux kernel rootkit described as combining syscall-table hooking with ftrace-based hooks for layered interception and stealth.
Loadable kernel module (LKM) rootkit with privilege escalation and stealth (hiding files/directories and evading system tools) plus C2 communication.
Kernel-mode rootkit used for privilege escalation and stealth (hiding files/directories and evading system tools); has prior iterations Facefish, Kitsune, and Megatsune.
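The masquerading described above (naming activity after kworker or kthreadd, and driving userland commands through kthreadd) leaves a simple inconsistency behind in /proc: a genuine kernel thread is a child of kthreadd (PID 2), has an empty cmdline, no resolvable exe link, and carries the PF_KTHREAD task flag, while a userland process wearing a kernel-thread name cannot satisfy all of those at once. The script below is an added example written for this page, not code from Mallory or from any PUMAKIT analysis; it relies only on standard /proc semantics, the PF_KTHREAD constant from include/linux/sched.h, and a name pattern that is an assumption you should extend for your fleet. The sample process records are constructed for illustration.

```python
"""Flag userland processes masquerading as kernel threads via /proc triage.

Added example for this page (not Mallory's or any vendor's code). Assumes
standard Linux /proc semantics; the name pattern below is an assumption.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2
PF_KTHREAD = 0x00200000  # task flag on real kernel threads (include/linux/sched.h)

# Names commonly borrowed by masquerading processes (assumption: extend as needed)
KERNEL_THREAD_NAME_RE = re.compile(r"^(kworker/|kthreadd$|ksoftirqd/|migration/|rcu_)")


@dataclass
class ProcRecord:
    pid: int
    comm: str            # /proc/<pid>/comm (or the name inside parens in stat)
    ppid: int            # PPid, from /proc/<pid>/stat field 4
    cmdline: bytes       # raw /proc/<pid>/cmdline; empty for real kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when it cannot be resolved
    flags: int           # kernel flags word, /proc/<pid>/stat field 9


def suspicious_traits(rec: ProcRecord) -> List[str]:
    """Return the userland traits found on a process that claims kernel-thread identity.

    A process is examined when it either carries a kernel-thread style name or
    is parented directly by kthreadd. An empty list means nothing looked off.
    Caveat: a kernel-resident rootkit can forge every one of these fields, and
    kernel-launched helpers (e.g. modprobe) can briefly sit under kernel-thread
    parents, so treat hits as triage leads, not verdicts.
    """
    reasons: List[str] = []
    claims_kthread = bool(KERNEL_THREAD_NAME_RE.match(rec.comm)) or rec.ppid == KTHREADD_PID
    if not claims_kthread or rec.pid == KTHREADD_PID:
        return reasons
    if rec.ppid != KTHREADD_PID:
        reasons.append("kernel-thread name but parent is not kthreadd (PID 2)")
    if rec.cmdline:
        reasons.append("kernel threads expose no argv, but cmdline is non-empty")
    if rec.exe is not None:
        reasons.append("kernel threads have no exe image, but /proc/<pid>/exe resolves")
    if not rec.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD flag is not set in /proc/<pid>/stat")
    return reasons


def parse_stat(stat_line: str) -> tuple:
    """Extract (comm, ppid, flags) from a /proc/<pid>/stat line; comm may contain spaces."""
    lparen = stat_line.index("(")
    rparen = stat_line.rindex(")")
    comm = stat_line[lparen + 1:rparen]
    rest = stat_line[rparen + 2:].split()   # rest[0]=state rest[1]=ppid ... rest[6]=flags
    return comm, int(rest[1]), int(rest[6])


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from a live /proc entry; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as fh:
            comm, ppid, flags = parse_stat(fh.read())
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None   # ENOENT for kernel threads, EACCES when unprivileged
    return ProcRecord(pid, comm, ppid, cmdline, exe, flags)


def scan_live() -> List[tuple]:
    """Walk /proc and return (pid, comm, reasons) for every suspicious process."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_proc(int(name))
        if rec is None:
            continue
        reasons = suspicious_traits(rec)
        if reasons:
            hits.append((rec.pid, rec.comm, reasons))
    return hits


# Constructed sample records (not real telemetry) showing the three cases.
GENUINE_KWORKER = ProcRecord(100, "kworker/0:1", 2, b"", None, 0x00208040)
FAKE_KWORKER = ProcRecord(4242, "kworker/u8:3", 1, b"/tmp/x\0", "/tmp/x", 0x00400100)
HELPER_UNDER_KTHREADD = ProcRecord(5000, "sh", 2, b"sh\0-c\0id\0", "/usr/bin/dash", 0x00400100)

if __name__ == "__main__":
    for pid, comm, reasons in scan_live():
        print(f"[!] pid={pid} comm={comm!r}: " + "; ".join(reasons))
```

Run it as root for a full view (exe links of other users' processes are unreadable otherwise, which the scanner tolerates by treating an unreadable link as absent). The check deliberately requires only one inconsistent trait per process because the masquerade techniques on this page are cheap to apply but hard to make fully consistent from userland; pair hits with a look at loaded modules and ftrace state rather than treating a single finding as conclusive.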
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.