
SSHStalker Botnet Targets Linux Systems with Legacy Exploits and IRC C2

  • Feb 11

Key Findings


  • A new Linux botnet called SSHStalker has been discovered, leveraging IRC for command-and-control (C2) purposes

  • The botnet combines old-school 2009-era Linux kernel exploits with automated mass-compromise techniques to infect around 7,000 systems, primarily cloud servers

  • Unlike typical botnets focused on DDoS attacks or cryptocurrency mining, SSHStalker maintains persistent access without immediate follow-on activities, suggesting potential infrastructure staging or strategic access retention

  • The threat actor behind SSHStalker has a well-organized toolkit that includes SSH scanners, IRC bots, persistence scripts, rootkits, and a large catalog of privilege-escalation exploits targeting legacy Linux 2.6.x kernels


Background


Cybersecurity researchers have uncovered details of a previously undocumented Linux botnet operation called SSHStalker, which relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes. The botnet combines automated mass-compromise techniques with a repertoire of outdated Linux kernel exploits to expand its reach and maintain persistent access on infected systems.


IRC-based C2 and Automated Compromise


  • SSHStalker uses a Golang-based scanner to discover and compromise Linux servers with open SSH ports, combining brute-force login attempts with legacy kernel exploits

  • The malware toolkit includes various payloads, such as IRC-controlled bots and Perl scripts that connect to an UnrealIRCd server, join a control channel, and await commands for launching DDoS attacks or other malicious activities

  • The attacks also involve the execution of C program files to clean SSH connection logs and erase traces of malicious activity, reducing forensic visibility
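The brute-force stage described above leaves a recognisable trace in sshd logs: a burst of failed logins from one source, often across several usernames, sometimes followed by an accepted login. The detector below is an added example written for this page, not code from the reporting or from the SSHStalker toolkit; it parses constructed syslog-format sshd lines (the sample log, hostnames and addresses are invented) and flags any source that reaches a failure threshold inside a sliding time window, noting whether that source later authenticated successfully.

```python
"""Flag SSH brute-force sources from sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog format; not taken from any real incident.
SAMPLE_LOG = """\
Feb 11 03:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 11 03:14:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51031 ssh2
Feb 11 03:14:04 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51040 ssh2
Feb 11 03:14:06 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Feb 11 03:14:08 web01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Feb 11 03:14:10 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Feb 11 03:20:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40112 ssh2
Feb 11 03:25:00 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40113 ssh2
"""

# Matches both "Failed password for ..." and "Accepted publickey for ..." forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2026):
    """Turn raw sshd lines into (timestamp, result, user, ip) tuples.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: {...}} for sources with >= threshold failures inside any
    window_s-second window. 'succeeded_after' is True when the same source
    has an Accepted login at or after its last failure in that burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i
            # Extend the window forward from failure i as far as it reaches.
            while j + 1 < len(fails) and (fails[j + 1][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j][0]
                succeeded = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                hits[ip] = {
                    "failures": len(fails),
                    "distinct_users": len({e[2] for e in fails}),
                    "succeeded_after": succeeded,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

A source that fails repeatedly and then succeeds is the case worth prioritising: the accepted login after a password-guessing burst is the point at which the host should be treated as compromised, not merely probed. The thresholds are illustrative and should be tuned to the environment's normal failure rate.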


Exploit Catalog and Persistence Mechanisms


  • SSHStalker's exploit module targets a catalog of 16 distinct vulnerabilities impacting the Linux kernel, dating back to 2009-2010, including CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, and others

  • The malware includes a "keep-alive" component that relaunches the main process within 60 seconds if a security tool terminates it, preserving the operator's access
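The keep-alive behaviour above is itself a detection opportunity: a process that is killed and reappears under the same executable path within about a minute, while legitimate services that restart do so on a different schedule. The following is an added example, not code from the page or from the malware; it runs over constructed process lifecycle events (the paths, PIDs and times are invented placeholders, as would be produced by auditd or a process-monitoring agent) and reports executables that respawn within a configurable window of their exit.

```python
"""Detect watchdog-style respawns: a process killed and relaunched under the
same executable path within a short window (added example)."""
from datetime import datetime, timedelta

# Constructed process lifecycle events (not from a real host):
# (ISO timestamp, event kind, pid, executable path)
SAMPLE_EVENTS = [
    ("2026-02-11T03:30:00", "exec", 4101, "/tmp/.x/irc_bot"),
    ("2026-02-11T03:30:00", "exec", 4102, "/tmp/.x/keepalive.sh"),
    ("2026-02-11T03:45:12", "exit", 4101, "/tmp/.x/irc_bot"),   # analyst kills the bot
    ("2026-02-11T03:45:41", "exec", 4310, "/tmp/.x/irc_bot"),   # relaunched 29 s later
    ("2026-02-11T03:50:00", "exit", 5001, "/usr/sbin/cron"),
    ("2026-02-11T03:55:00", "exec", 5002, "/usr/sbin/cron"),    # 5 min later: not flagged
]


def find_respawns(events, window=timedelta(seconds=60)):
    """Return a list of (path, exit_ts, exec_ts, delay_seconds) for executables
    that start again within `window` of an exit event for the same path."""
    parsed = sorted(
        (datetime.fromisoformat(ts), kind, pid, path) for ts, kind, pid, path in events
    )
    last_exit = {}   # path -> timestamp of the most recent exit not yet matched
    hits = []
    for ts, kind, pid, path in parsed:
        if kind == "exit":
            last_exit[path] = ts
        elif kind == "exec" and path in last_exit:
            delay = ts - last_exit[path]
            if timedelta(0) <= delay <= window:
                hits.append((path, last_exit[path], ts, int(delay.total_seconds())))
            # Either way the exit is now accounted for.
            del last_exit[path]
    return hits


if __name__ == "__main__":
    for path, exited, started, delay in find_respawns(SAMPLE_EVENTS):
        print(f"{path} exited {exited.time()} and restarted {started.time()} ({delay}s later)")
```

When such a respawn is found, the parent of the new process is the component to look at next: in the behaviour described on this page that is the keep-alive watcher, and killing only the child simply triggers another relaunch.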


Staging Infrastructure and Overlaps with Known Actors


  • Analysis of the staging infrastructure associated with the SSHStalker threat actor has revealed an extensive repository of open-source offensive tooling and previously published malware samples, including rootkits, cryptocurrency miners, and an IRC bot called EnergyMech

  • The operational fingerprint of SSHStalker exhibits strong overlaps with the activities of a hacking group known as Outlaw (aka Dota), suggesting a possible connection or derivative operation


Sources


  • https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html

  • https://securityaffairs.com/187833/malware/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html


© 2025 by Explain IT Again. Powered and secured by Wix
