New Linux Botnet SSHStalker Uses 90s IRC Protocol for Command and Control

11.02.2026 2 minutes Author: Newsman

A newly discovered Linux botnet named SSHStalker is leveraging the legacy IRC protocol for command-and-control operations, compromising servers at scale via SSH brute force, exploiting CVEs from 2009–2010, and maintaining persistence through cron jobs running every 60 seconds. Flare researchers observed thousands of scans primarily targeting cloud servers, including Oracle Cloud infrastructure.

SSHStalker does not attempt to be stealthy or technologically advanced. Instead, it operates on a “scale over stealth” principle. Rather than using modern C2 frameworks, it relies on classic IRC mechanics with multi-server and multi-channel redundancy.

Initial access is gained through automated SSH scanning and brute forcing. The campaign uses a Go binary disguised as the popular network discovery tool nmap. Once a host is compromised, it begins scanning for additional SSH targets, enabling worm-like propagation.

After infection, the malware downloads GCC and compiles payloads directly on the victim host, improving portability and evasion. It then deploys C-based IRC bots with hard-coded C2 servers and channels.

Archives named GS and bootbou are fetched next, orchestrating execution sequencing and bot management. Persistence is achieved via cron jobs running every 60 seconds. These tasks check whether the main bot process is active and relaunch it if terminated. The botnet also includes exploits for 16 Linux kernel CVEs from the 2009–2010 era, used to escalate privileges after the initial SSH compromise.

Regarding monetization, researchers identified:

  • AWS key harvesting

  • Website scanning

  • Integration of PhoenixMiner

  • Built-in DDoS capabilities (not yet actively observed)

Currently, bots primarily connect to the C2 and remain idle, suggesting testing or access hoarding.

The IRC protocol, created in 1988, peaked in popularity during the 1990s as a text-based communication system. Despite its age, it remains simple, inexpensive, and resilient. These qualities make it attractive for botnet operators prioritizing scale and durability over sophisticated evasion.

Researchers noted similarities between SSHStalker and the Outlaw/Maxlas botnet ecosystem, along with Romanian indicators, though attribution remains unconfirmed.

SSHStalker demonstrates how legacy technologies can resurface in modern cyber threats. Its focus on mass exploitation, simplicity, and low operational cost makes it effective against poorly secured Linux servers. Effective mitigation requires disabling SSH password authentication, removing compilers from production environments, enforcing egress filtering, and monitoring cron jobs and IRC-style outbound connections.
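As an added illustration of the last two mitigations (this is example code written for this article, not tooling from Flare or from the botnet), the script below flags two of the behaviours described above: every-minute cron jobs that run from scratch directories or use a "check process, relaunch if dead" guard, and established outbound connections to common IRC ports. The crontab and `ss -tn` samples are constructed, and the directory list, port list and relaunch-guard pattern are assumptions, not indicators from the report.

```python
import re

# Constructed sample crontab (hypothetical, not from the Flare report)
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * pgrep -x bot >/dev/null || /tmp/.x/bot
*/1 * * * * /var/tmp/.gs/run.sh
"""

# Constructed `ss -tn` style output; peer IPs from RFC 5737 documentation ranges
SAMPLE_CONNS = """\
ESTAB 0 0 10.0.0.5:44812 203.0.113.10:6667
ESTAB 0 0 10.0.0.5:51230 198.51.100.7:443
ESTAB 0 0 10.0.0.5:39002 192.0.2.44:6697
"""

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # assumed common IRC ports
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed drop locations
RELAUNCH_GUARD = re.compile(r"\b(pgrep|pidof|ps)\b.*\|\|")  # "alive? else restart"

def runs_every_minute(fields):
    """True for '* * * * *' or '*/1 * * * *' schedules (the 60-second cadence)."""
    return fields[0] in ("*", "*/1") and all(f == "*" for f in fields[1:5])

def flag_cron(text):
    """Return commands of every-minute jobs that run from scratch dirs or use a relaunch guard."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # five schedule fields + command
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        cmd = parts[5]
        if runs_every_minute(parts[:5]) and (
            any(d in cmd for d in SCRATCH_DIRS) or RELAUNCH_GUARD.search(cmd)
        ):
            flagged.append(cmd)
    return flagged

def flag_irc_conns(text):
    """Return (peer_ip, port) for established connections to IRC ports."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        peer, _, port = parts[4].rpartition(":")  # handles bracketed IPv6 too
        if port.isdigit() and int(port) in IRC_PORTS:
            hits.append((peer, int(port)))
    return hits
```

On a real host, feed `flag_cron` the output of `crontab -l` for each user plus the files under `/etc/cron.d`, and `flag_irc_conns` the output of `ss -tn`; a hit is a starting point for investigation, not proof of infection.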
