A new Linux botnet, SSHStalker, has infected about 7,000 systems using old 2009-era exploits, IRC bots, and mass-scanning malware.
Flare researchers have documented a previously unreported Linux botnet, dubbed SSHStalker, observed over two months in an SSH honeypot configured with weak credentials that they began running in early 2026. The intrusions matched nothing in threat-intel databases, vendor reports, or malware repositories, so the researchers treated the activity as new and named it SSHStalker. The botnet combines 2009-era IRC botnet tradecraft with modern automated mass-compromise techniques.
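The weak-credential honeypot described above is the attacker's entry technique seen from the defender's side. As an added example that is not from the Flare report or this article, the following Python script hunts for the same pattern in a server's own sshd log: a password login that succeeds only after a run of failures from the same source address. The log lines, hostname and addresses are constructed for the example; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for illustration; they are not from the Flare
# report. The addresses are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:03 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan 12 03:14:05 web01 sshd[2205]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Jan 12 03:14:07 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51052 ssh2
Jan 12 03:14:09 web01 sshd[2209]: Failed password for root from 203.0.113.45 port 51060 ssh2
Jan 12 03:14:11 web01 sshd[2211]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Jan 12 03:20:44 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 12 03:21:02 web01 sshd[2301]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jan 12 03:21:30 web01 sshd[2305]: Accepted password for root from 198.51.100.9 port 33009 ssh2
"""

# Matches the standard OpenSSH "Accepted"/"Failed" auth lines, including the
# "invalid user" variant for names that do not exist on the host.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(log_text):
    """Yield (result, method, user, ip) for each auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_bruteforce_logins(log_text, threshold=3):
    """Return {ip: (failures_before_success, user)} for sources whose password
    login succeeded only after at least `threshold` consecutive failures.
    Key-based logins are ignored: the campaign guesses passwords."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, ip in parse_sshd(log_text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password":
            if failures[ip] >= threshold:
                hits[ip] = (failures[ip], user)
            failures[ip] = 0  # a new session starts the count over
    return hits

if __name__ == "__main__":
    for ip, (n, user) in find_bruteforce_logins(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: password login as {user} after {n} failed attempts")
```

The threshold is deliberately low: an operator that guesses a short list of default passwords, as a honeypot with weak credentials invites, may succeed after only a handful of attempts, so tune it to the host's normal failure rate rather than to a large number.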
“We’ve designated this operation ‘SSHStalker’ due to its distinctive behavior: the botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining,” reads the report published by Flare. “This ‘dormant persistence’ pattern—infecting systems and establishing control without immediate monetization—differentiates it from typical opportunistic botnet operations and suggests either infrastructure staging, testing phases, or strategic access retention for future use.”
SSHStalker relies on IRC as its command-and-control backbone, using multiple C-based bots, Perl scripts, and known malware families such as Tsunami and Kaiten. Attacks are highly automated, chaining SSH scanners with rapid staging, on-host compilation, and automatic enrollment into IRC channels to scale infections quickly.
The researchers note that the botnet's persistence is noisy but effective: cron jobs relaunch the malware within about a minute if it is killed or removed. The toolkit mixes log cleaners and rootkit-like artifacts with a large collection of exploits for outdated Linux 2.6.x kernels, which remain effective against neglected legacy systems.
While its tactics resemble known Outlaw/Maxlas-style Linux botnets, no direct attribution was found, suggesting a derivative or copycat operator. Overall, SSHStalker favors scale and reliability over stealth, and Flare provides guidance to help defenders detect and mitigate the threat.
SSHStalker breaks into Linux servers via mass SSH scanning and brute force, then deploys an old-style IRC botnet toolkit mixed with automated scripts. It drops scanners, compiles malware directly on the victim, installs multiple IRC bots, cleans logs, and sets up persistence using cron jobs that restart the malware within a minute if removed.
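The cron relauncher is the most hunt-friendly link in that chain, because it has to sit in a readable crontab to work. The following Python audit is an added example, not code from Flare or this article: it parses crontab content and flags entries whose command lives in a world-writable temp directory or a hidden directory, recording every-minute and at-boot schedules as context. The crontab lines and paths are constructed; the campaign's real paths are not given on this page.

```python
import re

# Constructed crontab content for illustration, not an artifact from the Flare
# report. The paths and names are assumptions standing in for a malicious
# every-minute relauncher placed among ordinary jobs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * /tmp/.x/run >/dev/null 2>&1 &
*/1 * * * * cd /dev/shm/.c && ./update
30 6 * * 1 /opt/app/rotate-logs.sh
@reboot /home/web/.ssh/.cache/start.sh
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A schedule is either an @keyword or five whitespace-separated fields.
ENTRY_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")
# A path component that starts with a dot (but is not "." or ".." itself).
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s.][^/\s]*")

def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sched").strip(), m.group("cmd").strip()))
    return entries

def runs_every_minute(sched):
    """True for '* * * * *' and '*/1 * * * *'."""
    fields = sched.split()
    return (len(fields) == 5 and fields[0] in ("*", "*/1")
            and all(f == "*" for f in fields[1:]))

def audit_crontab(text):
    """Flag entries whose command lives in a world-writable temp directory or a
    hidden directory; the schedule (every minute, at boot) is recorded as
    context because that is the relauncher pattern the report describes.
    Returns a list of (reasons, schedule, command)."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if runs_every_minute(sched):
            reasons.append("every-minute schedule")
        if sched == "@reboot":
            reasons.append("runs at boot")
        if any(d in cmd for d in TEMP_DIRS):
            reasons.append("command in temp dir")
        if HIDDEN_DIR_RE.search(cmd):
            reasons.append("hidden directory in path")
        path_hit = ("command in temp dir" in reasons) or ("hidden directory in path" in reasons)
        if path_hit:  # a per-minute job under /usr/local/bin alone is common and benign
            findings.append(("; ".join(reasons), sched, cmd))
    return findings

if __name__ == "__main__":
    for reasons, sched, cmd in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{reasons}] {sched} -> {cmd}")
```

Run it over every user's crontab and over /etc/cron.d as well as /etc/crontab; a relauncher that restarts within a minute will almost always show up as a `* * * * *` or `*/1` entry, so a match on both the schedule and the path is worth immediate triage, and the path signal alone is still worth a look.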
Unlike typical botnets, SSHStalker shows no immediate DDoS or cryptomining activity. It focuses on quiet, long-term access, likely for staging, testing, or future use.
Analysis of the staging server revealed deep insight into the SSHStalker operation. The actor runs a large, well-organized toolkit that mixes mass SSH compromise with dozens of IRC botnet components, SSH scanners, persistence scripts, rootkits, and Linux privilege‑escalation exploits. Investigators found evidence of nearly 7,000 freshly compromised systems in January 2026, mostly cloud servers, with strong links to Oracle Cloud infrastructure spread across global regions.
The exploit arsenal focuses on old Linux 2.6.x kernels, using many 2009–2010 CVEs. While outdated, these exploits still work against neglected and legacy systems.
“These findings indicate a toolkit ecosystem built around 2009-2010 era Linux kernel vulnerabilities, primarily targeting the 2.6.x generation that dominated legacy enterprise servers and embedded appliances,” continues the report. “In today’s environment (2026), their direct relevance is low for fully maintained infrastructure, but not zero:
- A realistic threat-intel estimate would place exposure at roughly 1–3% of internet-facing Linux servers.
- This is rising to 5–10% in long-tail environments (legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments).”
Investigators accessed SSHStalker’s IRC infrastructure, but saw no active commands, only bots connecting and disconnecting on what appeared to be a legitimate public IRC network. This suggests dormant or staging command-and-control designed to blend into normal traffic.
“Notably, the server and room structure were hosted on what appears to be a legitimate, public IRC network, and the environment itself looked authentic and maintained – suggesting either dormant infrastructure, staging infrastructure, or the use of real IRC ecosystems to blend malicious operations into normal platform traffic.” continues the report.
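Because the bots sit on what looks like a real IRC network, blocking or alerting by destination alone is unreliable; a content-based check on the client side of the connection holds up better. The following Python snippet is an added example, not code from the Flare report or this article: it parses a captured client-to-server payload as IRC messages, tolerates a segment that ends mid-line, and reports a NICK/USER registration together with the channels joined. The byte stream, nick, channel and server name are constructed placeholders, not indicators from the report.

```python
import re

# Constructed client-to-server bytes resembling an IRC bot enrolling in a
# channel. The nick, channel and server name are invented placeholders, not
# indicators from the Flare report.
SAMPLE_BOT_STREAM = (
    b"NICK [x86]-91273\r\n"
    b"USER abcd 8 * :abcd\r\n"
    b"JOIN #updates\r\n"
    b"PONG :irc.example.net\r\n"
)
# A plain HTTP request, to show the classifier stays quiet on non-IRC traffic.
SAMPLE_HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# RFC 1459 line shape: optional ":prefix", a command word or 3-digit numeric,
# then parameters.
IRC_MSG_RE = re.compile(rb"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")

def parse_irc_messages(stream):
    """Split a raw payload on CRLF and parse each complete line into
    (COMMAND, [params]). An unterminated trailing fragment is ignored, since
    the rest of it may arrive in the next segment. Returns [] as soon as a
    line does not fit the IRC grammar."""
    lines = stream.split(b"\r\n")
    if not stream.endswith(b"\r\n"):
        lines = lines[:-1]  # drop the incomplete fragment
    messages = []
    for raw in lines:
        if not raw:
            continue
        m = IRC_MSG_RE.match(raw)
        if not m:
            return []
        params_raw = m.group("params") or b""
        # The trailing parameter (after " :" or a leading ":") may contain spaces.
        if params_raw.startswith(b":"):
            head, trailing, has_trailing = b"", params_raw[1:], True
        else:
            head, sep, trailing = params_raw.partition(b" :")
            has_trailing = bool(sep)
        params = head.split()
        if has_trailing:
            params.append(trailing)
        cmd = m.group("cmd").decode("ascii", "replace").upper()
        messages.append((cmd, [p.decode("utf-8", "replace") for p in params]))
    return messages

def summarize_irc_client(stream):
    """Return {'nick': ..., 'channels': [...]} when the stream shows a client
    registering (NICK then USER) and any channels it JOINs, else None. The
    check is content-based on purpose: a bot sitting on a legitimate public IRC
    network cannot be told apart from a human user by destination alone."""
    nick, registered, channels = None, False, []
    for cmd, params in parse_irc_messages(stream):
        if cmd == "NICK" and params:
            nick = params[0]
        elif cmd == "USER" and nick is not None and len(params) >= 4:
            registered = True
        elif cmd == "JOIN" and registered and params:
            channels.extend(params[0].split(","))
    return {"nick": nick, "channels": channels} if registered else None

if __name__ == "__main__":
    print(summarize_irc_client(SAMPLE_BOT_STREAM))
    print(summarize_irc_client(SAMPLE_HTTP_STREAM))
```

On a server that has no business talking IRC at all, any non-None result from an outbound connection is worth an alert; where IRC traffic is expected, the nick format and channel list are the fields to compare against the indicators Flare publishes.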
Technical analysis shows a mid-tier Linux botnet operator using old but reliable tools: SSH brute force, multi-stage payloads, cron-based persistence, and IRC coordination. While the toolkit resembles Outlaw- or Maxlas-style botnets, no direct links were found. Romanian-language artifacts, nicknames, and slang inside configs and IRC channels stand out as the strongest indicator of the actor’s likely origin.
The report includes indicators of compromise (IoCs) for this threat.