SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

SSHStalker botnet preys on legacy Linux & cloud hosts

Thu, 12th Feb 2026

Flare researchers have identified a previously undocumented Linux botnet, dubbed SSHStalker, that uses Internet Relay Chat (IRC) for command-and-control and targets older Linux systems still deployed in corporate and cloud environments.

The group behind SSHStalker combines legacy botnet mechanics with automated scanning and deployment workflows. It relies on long-established techniques such as SSH brute-forcing, compiling malware directly on compromised hosts, and basic persistence via cron jobs that run every minute.

Flare's SSH honeypot recorded multiple intrusions over two months, and the activity did not match previously reported campaigns or known indicators of compromise. The researchers cross-referenced samples and infrastructure against threat intelligence databases, vendor publications, and open-source malware collections.

Old IRC control

IRC sits at the centre of the botnet's control plane. The toolset includes multiple C-based bot variants, Perl-based IRC components, and references to known Linux IRC-bot malware families such as Tsunami and Kaiten. The recovered artefacts also suggest redundancy across multiple servers and channels.

Some components use hard-coded IRC details. Flare listed gsm.ftp.sh and plm.ftp.sh as command-and-control endpoints embedded in source files dropped during the initial stages of infection. It also identified irc.undernet.org and several hard-coded IP addresses used as IRC infrastructure.

At one stage, the attackers drop a binary named nmap that is not the legitimate network scanner. Flare described it as a Golang-based scanner that probes port 22 on other systems, indicating a worm-like approach to finding new targets from already compromised hosts.

After gaining access, the deployment chain downloads build tools, including GCC, then compiles and runs multiple C files. The workflow bundles payloads into compressed archives and executes orchestration scripts that sequence the components.

Fast persistence

SSHStalker uses frequent cron execution as a watchdog mechanism. A scheduled task runs every minute and invokes an update script in the malware directory, with the script's output redirected away from the terminal so that the job runs silently.

The update script checks for a PID file and relaunches the main process if it has stopped. As a result, defenders who kill the running process may see it return quickly unless they also remove the persistence mechanism and related artefacts.

The toolchain also includes log-cleaning utilities. Flare described compiled programs that tamper with utmp, wtmp, and lastlog-style records, the login accounting files behind commands such as who, last, and lastlog. The recovered files also suggest the use of memory-backed locations, such as /dev/shm, to reduce the on-disk footprint.
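The cron watchdog and the memory-backed paths described above are cheap to hunt for on a host. The script below is an added example for this article, not Flare's tooling and not part of the malware: it parses user-crontab lines and flags every-minute schedules, then adds the secondary indicators a responder would want (output discarded to /dev/null, a path under /dev/shm or a temp directory, a hidden path component). The crontab lines it runs on are constructed for illustration.

```python
"""Flag crontab entries that match the every-minute watchdog pattern.

Added example for this article; not Flare's code. Run against
`crontab -l` output for each user, or /etc/cron.d files with the
user column stripped. The sample crontab below is constructed."""
import re
from typing import Dict, List, Optional

# Minute field "*" or "*/1", then "*" in the hour/dom/month/dow fields.
EVERY_MINUTE = re.compile(r"^(?:\*|\*/1)(?:\s+\*){4}\s+")
# Output sent to /dev/null: ">/dev/null 2>&1", "> /dev/null", "&>/dev/null".
DISCARD_OUTPUT = re.compile(r"&?>\s*/dev/null")
# Memory-backed or world-writable locations favoured for a small footprint.
SUSPECT_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/shm/")
# A path component beginning with "." (hidden directory or file).
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")

SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /dev/shm/.x/update >/dev/null 2>&1
* * * * * /home/svc/.cfg/upd.sh > /dev/null 2>&1
"""


def analyse_cron_line(line: str) -> Optional[Dict]:
    """Return indicators for one crontab line, or None if it is not every-minute."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    first_field = text.split(None, 1)[0]
    if "=" in first_field:  # environment assignment such as SHELL=/bin/sh
        return None
    match = EVERY_MINUTE.match(text)
    if not match:
        return None
    command = text[match.end():]
    reasons = ["every-minute schedule"]
    if DISCARD_OUTPUT.search(command):
        reasons.append("output discarded")
    if any(directory in command for directory in SUSPECT_DIRS):
        reasons.append("memory-backed or temp directory")
    if HIDDEN_PATH.search(command):
        reasons.append("hidden path component")
    return {"command": command, "reasons": reasons}


def analyse_crontab(crontab_text: str) -> List[Dict]:
    """Run analyse_cron_line over a whole crontab, keeping 1-based line numbers."""
    findings = []
    for number, line in enumerate(crontab_text.splitlines(), start=1):
        result = analyse_cron_line(line)
        if result:
            result["line"] = number
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in analyse_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {finding['command']}")
        print("   ", ", ".join(finding["reasons"]))
```

A hit on the every-minute schedule alone is only a lead (monitoring agents also run that often); two or more of the secondary indicators on the same line is what merits pulling the referenced script and its PID file before killing anything, since the text above explains that the process returns within a minute otherwise.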

Legacy kernels

A distinguishing feature of SSHStalker is its inventory of older Linux kernel exploits. Flare identified exploit-related artefacts for 16 CVEs targeting Linux kernel 2.6.x-era vulnerabilities, along with helper scripts for compiling and launching these modules at scale.

The dataset includes CVE-2009-2692, CVE-2009-2698, and CVE-2010-3849. Several exploit files reference kernel versions including 2.6.18, 2.6.31, and 2.6.37. Flare assessed these exploits as low value against fully maintained systems, but still relevant for long-tail environments such as abandoned server images, outdated appliances, and niche embedded deployments.

The recovered repository also contained components labelled as rootkits and additional tooling that suggested cryptocurrency mining. Flare reported configurations for mining pools and wallet addresses, plus references to PhoenixMiner and a rootkit component it identified as prochider.

Cloud and secrets

Flare recovered a file showing nearly 7,000 fresh results from an SSH scanner, dated January 2026 and close in time to the honeypot intrusions. The scan results were dominated by cloud hosting providers, with strong indicators of Oracle Cloud infrastructure.

Alongside host-compromise activity, Flare also identified a tool designed to detect exposed secrets on websites. It described an obfuscated Python script that generates IP addresses and runs a binary "http grabber" for HTTP and HTTPS scanning. The configuration included more than 33,000 paths and search patterns for AWS keys, including the prefixes AKIA (long-term IAM access key IDs) and ASIA (temporary credentials issued by AWS STS).
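The same pattern match can be turned around and run by defenders against their own web roots and build artefacts before a grabber like this finds the keys. The scanner below is an added example, not the attacker's script and not Flare's code: it matches the 20-character AWS access key ID format, classifies the prefix, checks whether a 40-character secret-key-shaped string sits within 200 characters after it (the window size is an assumption), and redacts the ID before reporting it so the finding itself does not leak the credential. The sample pages are constructed; the AKIA value is the example key from AWS documentation.

```python
"""Scan page bodies for AWS access key IDs and nearby secret keys.

Added example for this article; not the attacker's tool or Flare's
code. Feed it the bodies of files under a web root, or static
assets served by an application. Sample pages below are constructed."""
import re
from typing import Dict, List

# Access key IDs: 4-letter prefix plus 16 uppercase alphanumerics.
# AKIA = long-term IAM key, ASIA = temporary STS credential.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters from [A-Za-z0-9/+].
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_WINDOW = 200  # assumption: how far after the ID to look for the secret

SAMPLE_PAGES = {
    "/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/js/config.js": "var cfg = {key: 'ASIAQXVMNPQA5VGCZFNF', region: 'ap-southeast-1'};",
    "/index.html": "<p>Asia Pacific region status</p>",
}


def redact(key_id: str) -> str:
    """Keep the prefix and last four characters so a finding is recognisable but unusable."""
    return key_id[:4] + "..." + key_id[-4:]


def find_aws_keys(body: str, source: str) -> List[Dict]:
    """Return one finding per access key ID in body, tagged with its source path."""
    findings = []
    for match in ACCESS_KEY_ID.finditer(body):
        key_id = match.group(1)
        window = body[match.end(): match.end() + SECRET_WINDOW]
        findings.append({
            "source": source,
            "key_id_redacted": redact(key_id),
            "kind": "long-term" if key_id.startswith("AKIA") else "temporary",
            "secret_nearby": SECRET_KEY.search(window) is not None,
        })
    return findings


def scan_pages(pages: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of path -> body, preserving the mapping's order."""
    findings = []
    for path, body in pages.items():
        findings.extend(find_aws_keys(body, path))
    return findings


if __name__ == "__main__":
    for finding in scan_pages(SAMPLE_PAGES):
        print(finding)
```

A long-term AKIA key with a secret beside it is an incident, not a finding to triage later: rotate the key in IAM first, then look in CloudTrail for use of that key ID. A temporary ASIA credential expires on its own, but the session token usually sits right next to it, and the same exposure path will leak the next one.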

Camouflage signals

The files also suggest the use of EnergyMech, an IRC bot framework with a long history on public IRC networks. Flare noted that deployments included "text banks" of chat phrases and nickname dictionaries mapped to EnergyMech commands that can generate channel noise.

While monitoring an IRC server associated with the infrastructure, Flare observed no active tasking or operator chatter. Channel activity appeared limited to users connecting and disconnecting. The server and room structure also appeared to be part of a legitimate public IRC network.

Attribution questions

Flare found overlaps with known Outlaw and Maxlas-style Linux botnet playbooks, citing similarities in file structure, execution chaining, IRC enrolment, and persistence patterns. However, it did not identify direct Outlaw identifiers, such as names, hashes, or canonical artefacts, and therefore did not make a definitive attribution.

The researchers also noted Romanian-language signals in wordlists, nicknames, and channel naming conventions, while observing that artefacts in other languages were traceable to public malware families and repositories.

In mitigation guidance, Flare recommended disabling SSH password authentication, enforcing key-based access, and applying brute-force rate limiting. It also advised monitoring for compilers and build tools on production servers, flagging cron jobs that run every minute, and investigating outbound connections that resemble IRC handshakes.
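Two of those recommendations are easy to check mechanically. The script below is an added example for this article, not Flare's tooling: it audits an sshd_config against the password-authentication and brute-force guidance, and it classifies an outbound TCP payload as an IRC client registration when it carries both a NICK and a USER command. The weak and hardened configurations and the sample payloads are constructed; the sshd defaults are those documented for OpenSSH (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6), and the threshold of three authentication attempts is a choice made here, not a value from the article. The audit stops at the first Match block, which is a simplification: per-client overrides need their own review.

```python
"""Audit sshd_config and classify outbound payloads as IRC registrations.

Added example for this article; not Flare's code. Sample configs and
payloads are constructed."""
import re
from typing import Dict, List

# OpenSSH defaults for the directives this audit cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES_ALLOWED = 3  # assumption: local policy, not from the article

WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
# Directives after Match apply only to matching clients; audited separately.
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global effective directives, lower-cased.

    sshd uses the FIRST value it reads for a keyword, so setdefault()
    mirrors what the daemon will actually apply."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # simplification: stop at the first conditional block
        effective.setdefault(key, value)
    return effective


def audit_sshd(text: str) -> List[str]:
    """List deviations from the hardening guidance in the article."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication still allows PAM password prompts")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login")
    if int(cfg["maxauthtries"]) > MAX_AUTH_TRIES_ALLOWED:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']} exceeds {MAX_AUTH_TRIES_ALLOWED}")
    return findings


IRC_COMMAND = re.compile(r"^(PASS|NICK|USER|JOIN)\s+\S")


def looks_like_irc_registration(payload: bytes) -> bool:
    """True when the payload contains both a NICK and a USER command line.

    Port-independent on purpose: the article notes hard-coded servers,
    and bots are not obliged to use 6667/6697."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    seen = set()
    for line in text.split("\n"):
        match = IRC_COMMAND.match(line.rstrip("\r").upper())
        if match:
            seen.add(match.group(1))
    return {"NICK", "USER"} <= seen


if __name__ == "__main__":
    print("weak:", audit_sshd(WEAK_CONFIG))
    print("hardened:", audit_sshd(HARDENED_CONFIG))
    print(looks_like_irc_registration(b"NICK bot-3921\r\nUSER x 8 * :x\r\nJOIN #chan\r\n"))
```

The first-value-wins rule is the check practitioners most often miss: a hardening line appended to the end of sshd_config does nothing if the distribution's default block earlier in the file, or an Include'd snippet, already set the directive. Confirm the live result with `sshd -T` rather than trusting the file.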

Flare warned that the botnet is likely to remain effective against older Linux estates and internet-facing systems that have fallen outside normal patching and configuration management processes.