Flare researchers have identified a new Linux botnet called SSHStalker that has compromised around 7,000 systems using outdated exploits and SSH scanning. The botnet employs IRC for command-and-control while maintaining dormant persistence without immediate malicious activities like DDoS or cryptomining. It targets legacy Linux kernels, highlighting risks in neglected infrastructure.
In early 2026, Flare researchers deployed an SSH honeypot with weak credentials and observed unusual intrusions over two months. After reviewing threat intelligence databases, vendor reports, and malware repositories, they confirmed the activity as previously undocumented and named it SSHStalker. The botnet combines 2009-era IRC botnet tactics with automated mass-compromise techniques, infecting systems via SSH brute-force attacks and scanning.
SSHStalker breaks into Linux servers by guessing weak or reused passwords, then deploys a multi-stage payload. Attackers drop a Golang binary disguised as "nmap" to probe port 22 for new targets, download GCC to compile C files on the host, and unpack archives like GS and bootbou.tgz containing IRC bots written in C and Perl, along with known malware families such as Tsunami and Keiten. The toolkit includes log cleaners that target shell history and records like utmp, wtmp, and lastlog, as well as rootkit-like artifacts and exploits for Linux 2.6.x kernels from 2009-2010 CVEs.
Once installed, the botnet establishes persistence through cron jobs that run every minute to restart processes if disrupted, often restoring control within 60 seconds. Analysis of staging servers revealed nearly 7,000 freshly compromised systems in January 2026, primarily cloud servers linked to Oracle Cloud infrastructure across global regions.
"We’ve designated this operation 'SSHStalker' due to its distinctive behavior: the botnet maintained persistent access without executing any observable impact operations," the Flare report states. This "dormant persistence" suggests staging, testing, or retention for future use, with bots connecting to IRC channels on a legitimate public network to blend into normal traffic.
While tactics resemble Outlaw or Maxlas-style botnets, no direct attribution exists, though Romanian-language artifacts in configs and channels indicate a possible origin. The operation prioritizes scale and reliability over stealth, affecting 1-3% of internet-facing Linux servers, particularly in legacy environments like outdated VPS or embedded devices.
Flare provides indicators of compromise and mitigation advice, including removing cron entries, deleting kits from /dev/shm, disabling SSH password authentication, and monitoring for unexpected compilations or IRC connections.
