A newly discovered Linux botnet named SSHStalker is actively compromising internet-facing servers by combining outdated attack techniques with large-scale automation. Security researchers say the campaign has already compromised nearly 7,000 Linux systems, most of them hosted on public cloud infrastructure.

Researchers at Flare uncovered the botnet during a multi-month investigation using SSH honeypots. Instead of relying on modern command-and-control frameworks, SSHStalker uses Internet Relay Chat (IRC)—a protocol created in 1988—to manage infected systems.
IRC Command-and-Control Focuses on Scale, Not Stealth
SSHStalker relies on classic IRC mechanics such as hard-coded servers, multiple control channels, and redundant bot variants. The operators favor reliability and low operational cost rather than stealth or advanced evasion.
According to Flare, the botnet uses noisy SSH scanning, aggressive brute-force attacks, and simple cron-based persistence. Once attackers gain access, the malware installs build tools directly on the victim system and compiles payloads locally, allowing it to run across different Linux environments.
Fake “nmap” Binary Spreads the Infection
The attack begins with an automated SSH scanner written in Go that masquerades as the popular nmap network utility. After compromising a host, SSHStalker uses the infected system to scan for more vulnerable SSH targets, enabling worm-like lateral spread.
Researchers identified scan results from January 2026 alone that listed nearly 7,000 targets, with a heavy concentration in cloud environments, particularly Oracle Cloud infrastructure.
Cron-Based Persistence Restarts the Bot Every 60 Seconds
After infection, SSHStalker deploys multiple C-based IRC bots and supporting scripts packaged inside compressed archives. The malware installs cron jobs that run every 60 seconds, acting as watchdogs that automatically relaunch the bot if defenders terminate it.
This persistence model makes partial cleanup ineffective. If administrators remove only one component, the malware restores itself within a minute.
Exploitation of Linux Kernel 2.6.x Persists on Long-Tail Systems
The botnet includes exploits for 16 Linux kernel vulnerabilities dating back to 2009–2010, targeting kernel version 2.6.x. While modern systems remain unaffected, attackers successfully exploit abandoned servers, outdated VPS images, and legacy infrastructure that still runs end-of-life kernels.
Researchers say this explains how such unsophisticated exploits still achieve large-scale compromise in 2026.
Monetization Capabilities Exist but Remain Dormant
SSHStalker’s toolkit includes cryptocurrency miners, AWS credential harvesting tools, and website scanners designed to extract exposed secrets. The malware also contains DDoS attack modules, though researchers have not observed active attacks so far.
Most infected bots currently connect to IRC servers and remain idle, suggesting the operators are stockpiling access or testing infrastructure before launching monetized campaigns.
Security Teams Should Watch for These Red Flags
Security teams should prioritize basic Linux hardening and visibility rather than focusing only on advanced threat detection. The SSHStalker campaign shows that attackers still succeed by abusing overlooked fundamentals.
Key indicators of compromise include unexpected compiler installations, outbound IRC-style connections, cron jobs executing every minute, and binaries running from memory-backed paths such as /dev/shm. These behaviors rarely appear on properly managed production systems and should trigger immediate investigation.
Effective mitigation starts with disabling SSH password authentication, enforcing key-based access only, and removing compilers from production images. Teams should also apply strict egress filtering so servers cannot initiate arbitrary outbound connections, and regularly audit cron jobs and execution paths for unauthorized persistence mechanisms.
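As an added example, and not code from the article or from Flare, the following Python triage helpers check three of the indicators listed above on host-level data: cron entries that fire every minute, commands launched from a memory-backed path such as /dev/shm, and established outbound sessions to IRC ports. The crontab and `ss -tn` rows are constructed samples; the IRC port list and the /run/shm alias are assumptions, since the article names neither.

```python
import re

MEMORY_BACKED = ("/dev/shm/", "/run/shm/")        # /run/shm alias is an assumption
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # standard IRC ports; assumption
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample input standing in for `crontab -l` and `ss -tn` output.
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1",
    "*/1 * * * * /home/svc/bot >/dev/null 2>&1",
    "@reboot /usr/local/bin/agent",
]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    "ESTAB 0 0 10.0.0.5:443 198.51.100.20:52144",
    "ESTAB 0 0 10.0.0.5:41822 203.0.113.7:6667",
    "ESTAB 0 0 10.0.0.5:41900 203.0.113.7:6697",
]

def parse_cron(line):
    """Five schedule fields plus command; None for comments, blanks and @-entries."""
    m = CRON_RE.match(line) if line.strip() and line.strip()[0] not in "#@" else None
    return m.groups() if m else None

def runs_every_minute(line):
    """True for the watchdog schedule the article describes ('* * * * *' or '*/1 * * * *')."""
    p = parse_cron(line)
    return p is not None and p[0] in ("*", "*/1") and all(f == "*" for f in p[1:5])

def flag_cron(lines):
    """(line, reasons) for entries that fire every minute or run from a memory-backed path."""
    flagged = []
    for line in lines:
        p = parse_cron(line)
        if p is None:
            continue
        reasons = (["every-minute"] if runs_every_minute(line) else []) + (
            ["memory-backed-path"] if any(t.startswith(MEMORY_BACKED) for t in p[5].split()) else [])
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged

def flag_irc_connections(ss_lines):
    """Peers of established TCP sessions whose remote port is a standard IRC port."""
    peers = [row.split()[4] for row in ss_lines if row.startswith("ESTAB ") and len(row.split()) >= 5]
    return [p for p in peers if p.rpartition(":")[2].isdigit() and int(p.rpartition(":")[2]) in IRC_PORTS]
```

On a live host, feed `flag_cron` the combined output of `crontab -l` for each user plus the files under /etc/cron.d, and `flag_irc_connections` the output of `ss -tn`; a hit on a production server is a reason to pull the box for investigation rather than to delete the single offending entry, given the relaunch-within-a-minute behaviour described above.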
