Zmiy and Puma Malware: Security Update
Zmiy, a noted threat actor often described by security researchers as one of the most active, began using a new malware named Puma in campaigns against Russia. The Puma toolkit lets attackers take control of compromised machines, spy on them, and destroy them if necessary. Its complex masking and stealth features make Puma hard to detect and attribute. Analysts say these traits are meant to secure persistence while evading routine defenses.
Puma’s stealth is designed to keep the legitimate administrators of affected systems from regaining control of them. Through layered infection chains, the malware hides its presence, so standard security tools have difficulty revealing the intrusion.
Investigators began the formal inquiry after spotting suspicious requests to external servers originating from the victim network. Those servers were connected to Puma’s control infrastructure and linked to Zmiy. Security teams emphasize that this external communication is a clear indicator of a Puma-led operation.
During the network examination, researchers identified at least ten Puma variants along with samples tied to other threat groups, including Gsoke and the Bulldog Backdoor Group. The combined payloads provided full control over the victim’s infrastructure to the attackers. Analysts describe this as a coordinated toolkit designed for broad access and flexible execution.
Initial telemetry suggested the attackers had been present in the target environment for more than a year, maintaining persistence while operating under the Zmiy umbrella. The extended presence complicates cleanup and increases the likelihood of continued espionage and disruption. Analysts warn that long-term access creates a difficult containment scenario.
Beyond loading additional malicious modules, Puma can covertly load code onto compromised systems, giving Zmiy the means to inflict a wide range of damage. This modular approach allows the threat to adapt to different victim environments and evolve over time. Analysts highlight persistence and modular design as core features of Puma.
Security researchers recognized Zmiy’s activity at the start of the previous year. By 2024, a notable share of investigated events were linked to this group. The operation profile centers on undermining cyber and national infrastructure, and it regularly updates its methods and tools to outpace defenders. Analysts describe Zmiy as a serious threat to companies in Russia.
Earlier this year, authorities in Russia alerted the public about the hacking of Keenetic Wi-Fi routers, illustrating the real-world reach of these campaigns and the risk to home and small business networks.
Across 2024 and into 2025, Puma and Zmiy are evolving, with new variants and tactics, elevating the risk to both national and private networks.