A new Linux botnet campaign dubbed SSHStalker has emerged on the threat landscape, combining legacy techniques with modern automation to target SSH-accessible systems at scale. Although the underlying mechanics are rooted in decade-old botnet infrastructure, the operation has proven effective enough to compromise thousands of hosts worldwide.
Retro Command and Control with IRC
Unlike most modern botnets that favor HTTP, HTTPS, or custom encrypted command-and-control (C2) channels, IRC (Internet Relay Chat) serves as SSHStalker’s core C2 mechanism. The botnet uses multiple variants of classic IRC-based bots written in C, alongside a Perl IRC bot and other older malware components such as Tsunami and Kaiten. These artifacts connect to predefined IRC servers and join specific channels to receive instructions from the operator.
This IRC-centric design might seem antiquated, but it offers advantages: redundancy across multiple servers and channels improves reliability, and the approach reduces operational costs compared with more sophisticated modern C2 frameworks.
Automated Mass-Compromise Pipeline
SSHStalker’s infection process starts with a custom Golang binary disguised as nmap. However, this tool is a specialized SSH scanner, not the legitimate network mapper, designed to discover SSH services (port 22) and identify weak or exposed credentials.
Once a potential target is identified, the bot:
• Deploys GCC, the GNU Compiler Collection.
• Drops multiple C source files and compiles them locally.
• Executes these newly compiled IRC bot binaries directly on the host.
This self-compile and run workflow enables SSHStalker to adapt its payload to different environments and architectures (e.g., x86, ARM, MIPS).
Persistence and Resilience
After initial access, SSHStalker takes steps to maintain persistence and re-establish its presence if disrupted. The compromised host is configured with a cron job that runs every minute. This cron configuration invokes a watchdog script that checks whether the bot process is running; if it isn’t, the script relaunches it automatically.
This cron-based mechanism is “noisy” but effective: defenders might remove the bot process manually, but without removing the cron entry or associated files, the bot will reappear within about 60 seconds.
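As an added defender-side example (not code from the report or from the botnet), the Python helper below parses a user crontab, flags every-minute jobs of the kind described above, and checks whether an invoked script pairs a process-presence test with a background relaunch. The crontab text, the watchdog script, the paths and the process name are constructed samples, not indicators from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample crontab: one benign nightly job and two every-minute
# jobs launching scripts from hidden directories under world-writable paths.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/check.sh >/dev/null 2>&1
*/1 * * * * bash /var/tmp/.cache/run >/dev/null 2>&1
"""

# Constructed watchdog script: test for the bot process, relaunch it if absent.
SAMPLE_WATCHDOG = """\
#!/bin/sh
pgrep -x kswapd1 >/dev/null || /tmp/.x/kswapd1 >/dev/null 2>&1 &
"""

CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")
# Command (optionally prefixed by an interpreter) living under /tmp, /var/tmp or /dev/shm.
SUSPICIOUS_PATH = re.compile(r"^(?:\S+\s+)?/(?:tmp|var/tmp|dev/shm)/")
PROC_CHECK = re.compile(r"\b(?:pgrep|pidof)\b|\bps\b.*\|\s*grep\b")
BG_LAUNCH = re.compile(r"\bnohup\s|&\s*$", re.M)


def every_minute(minute: str, hour: str, dom: str, mon: str, dow: str) -> bool:
    """True when the five schedule fields fire on every minute of every day."""
    return minute in ("*", "*/1") and all(f == "*" for f in (hour, dom, mon, dow))


def parse_crontab(text: str) -> List[Dict]:
    """Parse user-crontab lines (5 schedule fields + command) into job records."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blanks, comments and @reboot/@hourly-style shortcuts (no 5 fields).
        if not stripped or stripped.startswith(("#", "@")):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        *fields, cmd = m.groups()
        jobs.append({"schedule": " ".join(fields), "command": cmd,
                     "every_minute": every_minute(*fields),
                     "suspicious_path": bool(SUSPICIOUS_PATH.match(cmd))})
    return jobs


def flag_watchdogs(text: str) -> List[str]:
    """Commands of every-minute jobs, the schedule the report attributes to the bot."""
    return [j["command"] for j in parse_crontab(text) if j["every_minute"]]


def looks_like_watchdog(script: str) -> bool:
    """Process-presence test and a backgrounded launch in the same script."""
    return bool(PROC_CHECK.search(script)) and bool(BG_LAUNCH.search(script))
```

Run it against `crontab -l -u <user>` output for each account and the contents of any script it flags; a hit on both checks is the pattern worth removing together with the cron entry.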
Legacy Exploit Arsenal
Instead of relying on cutting-edge vulnerabilities, SSHStalker ships with a large repository of old Linux kernel exploits – most of them dating from 2009–2010 and targeting Linux 2.6.x kernels. These include public, open-source exploit modules for issues such as null pointer dereferences and privilege escalation flaws.
While these exploits have little relevance against up-to-date systems, they still succeed against long-forgotten or neglected infrastructure, such as outdated cloud instances, abandoned virtual private servers (VPS), embedded devices, and industrial appliances.
Post-Compromise Tools and Capabilities
Beyond IRC control and exploitation, the SSHStalker kit includes a variety of auxiliary tools:
- Log cleaners that tamper with login histories and system logs to hide traces of intrusion.
- Privilege escalation helpers and backdoor utilities.
- Multi-architecture IRC bots capable of joining different IRC networks and channels.
Interestingly, the botnet does not appear to launch overt malicious actions like DDoS or cryptomining immediately upon infection. Instead, it establishes persistent access quietly – leading researchers to speculate that the compromised hosts may be staged for future operations.
Scale and Distribution
Data harvested from honeypots and scans indicate that nearly 7,000 systems have been identified as recently infected by SSHStalker. Many of these are cloud-hosted servers distributed across major cloud platforms and geographic regions, reflecting the opportunistic and automated nature of the campaign.
However, because the botnet targets legacy systems, only a small percentage of the overall internet-accessible Linux footprint is at risk. Estimates suggest roughly 1–3% of active Linux servers remain vulnerable, with that figure rising to 5–10% in less maintained or niche environments.
Why This Matters
SSHStalker underscores an important reality in cybersecurity: old tools and techniques are still effective when they find the right prey. Many organizations and operators neglect systems that should be updated or decommissioned, inadvertently providing fertile ground for opportunistic actors.
Defenders should monitor outbound IRC traffic, especially on traditional IRC ports (TCP 6667 and 6697), harden SSH access with strong authentication, and ensure legacy workloads are patched, upgraded, or safely retired.
