Declawing PUMAKIT
ID: 9ad30f17-db01-53a5-b615-831b06d06a1f
STIX ID: report--9ad30f17-db01-53a5-b615-831b06d06a1f
Feed Name: Elastic Security Labs
PUMAKIT is a sophisticated multi-stage Linux malware family. A fileless dropper loads memory-resident executables, which in turn deploy an LKM rootkit (PUMA) that hooks roughly 18 syscalls via ftrace, plus a userland shared object (Kitsune). Together these provide stealth, persistence, and privilege escalation, the latter notably through an rmdir()-based command channel to the rootkit. The report includes code-level analysis, example commands demonstrating hiding and root escalation, IOC listings (SHA256 hashes, domains, and an IP address), and practical detection and mitigation artifacts such as EQL/KQL queries and a YARA rule.
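One host-side check that follows from the ftrace-hooking description above is to list which kernel functions currently have ftrace callbacks attached and flag any syscall entry that carries the IPMODIFY flag: a hook that redirects a syscall into rootkit code must request FTRACE_OPS_FL_IPMODIFY, and tracefs prints that as an `I` in `enabled_functions`. The script below is an added example, not code from the Elastic report or from PUMAKIT itself. The sample `enabled_functions` text is constructed, the line layout is an approximation of what recent kernels print, and the module name `puma` and callback names are hypothetical placeholders.

```python
"""Flag ftrace-hooked syscalls from tracefs 'enabled_functions'.

Added example, not code from the PUMAKIT report.
Assumption: a rootkit that redirects a syscall through ftrace must set
FTRACE_OPS_FL_IPMODIFY, shown as the 'I' flag in enabled_functions.
The sample below is constructed; real output differs slightly by kernel.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TRACEFS_PATHS = (
    "/sys/kernel/tracing/enabled_functions",
    "/sys/kernel/debug/tracing/enabled_functions",
)

# Syscall entry symbols on common architectures.
SYSCALL_SYMBOL = re.compile(r"^(__x64_sys_|__ia32_sys_|__arm64_sys_|sys_)")
MODULE_RE = re.compile(r"\[([^\]]+)\]")
FLAG_CHARS = set("RIDOM")  # REGS, IPMODIFY, DIRECT, CALL_OPS, MODIFIED

# Constructed sample (NOT real output). Two IPMODIFY syscall hooks from a
# hypothetical module 'puma', one benign non-syscall probe, one non-IPMODIFY
# syscall callback (e.g. perf/ftrace tracing).
SAMPLE = """\
__x64_sys_getdents64 (1) R I  tramp: 0xffffffffc0a7e000 (fh_thunk+0x0/0x80 [puma]) ->ftrace_ops_assist_func+0x0/0x130
__x64_sys_rmdir (1) R I  tramp: 0xffffffffc0a7f000 (fh_thunk+0x0/0x80 [puma]) ->ftrace_ops_assist_func+0x0/0x130
vfs_read (1)  tramp: 0xffffffffc0123000 (trace_probe+0x0/0x40 [bpf_tracer]) ->ftrace_ops_list_func+0x0/0x80
__x64_sys_openat (1) R  ops: perf_ftrace_function_call+0x0/0x90 (perf_ftrace_function_call+0x0/0x90)
"""


@dataclass
class Hook:
    symbol: str          # hooked kernel function
    ipmodify: bool       # callback may rewrite the return IP (redirection)
    module: Optional[str]  # module owning the callback, if kallsyms resolved it
    raw: str             # original line for reporting


def parse_enabled_functions(text: str) -> List[Hook]:
    """Parse enabled_functions-style lines into Hook records."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        symbol = parts[0]
        flags = set()
        # Flags sit between the "(count)" token and the first "tramp:"/"ops:" token.
        for tok in parts[1:]:
            if tok.endswith(":"):
                break
            if len(tok) == 1 and tok in FLAG_CHARS:
                flags.add(tok)
        m = MODULE_RE.search(line)
        hooks.append(Hook(symbol, "I" in flags, m.group(1) if m else None, line))
    return hooks


def suspicious_syscall_hooks(hooks: List[Hook]) -> List[Hook]:
    """Syscall entry points whose ftrace callback can redirect execution."""
    return [h for h in hooks if SYSCALL_SYMBOL.match(h.symbol) and h.ipmodify]


def scan_live() -> Optional[List[Hook]]:
    """Read the real tracefs file if present (needs root); None if unavailable."""
    for path in TRACEFS_PATHS:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return parse_enabled_functions(fh.read())
        except OSError:
            continue
    return None


if __name__ == "__main__":
    hooks = scan_live()
    source = "live tracefs"
    if hooks is None:
        hooks, source = parse_enabled_functions(SAMPLE), "constructed sample"
    print(f"[{source}] {len(hooks)} ftrace-instrumented functions")
    for h in suspicious_syscall_hooks(hooks):
        print(f"IPMODIFY syscall hook: {h.symbol} <- module {h.module or '<unresolved>'}")
```

Run as root for a live scan; without tracefs it falls back to the constructed sample. Treat a hit as a lead, not a verdict: legitimate IPMODIFY users (for example, kernel live patching) exist, and a rootkit that also hooks the tracefs read path can filter its own entries out, so pair this with the report's YARA rule and EQL/KQL queries. A callback that prints as a bare address instead of `symbol [module]` is itself worth noting, since kallsyms typically fails to resolve symbols of a module that has unlinked itself from the module list.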
