A newly identified Linux botnet, dubbed SSHStalker, has surfaced, reviving outdated Internet Relay Chat (IRC) command and control methods while leveraging automated SSH compromise pipelines to enlist Linux hosts at a significant scale. This campaign, first observed in early 2026, aggressively targets systems by exploiting weak or reused passwords, effectively turning compromised servers into launching platforms for further network scanning and malware deployment.
Researchers from Flare analyzed samples, observed traffic flows, and investigated the infrastructure associated with SSHStalker, determining that this particular cluster of malicious activity was previously undocumented in public reporting. The operation appears to prioritize rapid expansion and cost-effectiveness over stealth. Its methodology involves stitching together various components to ensure uptime and broad applicability across different Linux environments. A notable characteristic is “dormant persistence,” where compromised systems remain connected to control channels even when operator activity is minimal.
SSHStalker Botnet Uses Automated SSH Compromise Pipeline
SSHStalker’s attack flow outlines a build-and-run pipeline. Initial intrusions involve attackers dropping a Golang binary, disguised as “nmap,” which actually scans for open port 22, the standard SSH port. Once access is gained through weak credentials, the malware proceeds to download and compile necessary tools, including GCC, and unpack archived payloads such as GS and bootbou.tgz. These components are used to deploy the core IRC bots and various helper utilities.
Staging data collected by researchers indicated nearly 7,000 new SSH scan results from January 2026. Many of these compromised IP addresses were located within large cloud hosting ranges, suggesting a broad sweep for vulnerable Linux servers. The campaign also deploys log cleaners designed to erase traces of activity from shell history and system logs like utmp and wtmp. Additionally, the kit includes older Linux 2.6.x exploits that could still be effective against unpatched or forgotten systems.
Persistence That Snaps Back
The persistence mechanisms employed by SSHStalker are described as blunt but effective. The botnet records its working directory and establishes a cron job that executes every minute. This job acts as an update watchdog; if the main bot process is terminated, the script detects the absence of the process and restarts it, often restoring control within approximately 60 seconds. This rapid recovery presents a challenge for incident responders, who must ensure the complete removal of all botnet components to prevent re-infection before their investigation is concluded.
Based on the indicators of compromise (IoCs), practical remediation involves removing the one-minute cron entry, deleting the entire botnet kit directory (frequently located in /dev/shm), and identifying any services or init scripts added by the “distro” helper tool. To prevent future unauthorized access, it is recommended to disable SSH password authentication, enforce key-based authentication, implement rate limiting for brute-force attempts, and restrict SSH access to trusted network segments.
On individual hosts, security teams should monitor for unexpected GCC or make commands originating from user directories, /tmp, or /dev/shm. Alerts should also be generated for new binaries that execute minutes after compilation. At the network perimeter, observation of IRC client registrations and channel joins can serve as an alert. Furthermore, egress filtering can prevent compromised servers from establishing long-lived outbound TCP sessions to unknown IRC infrastructure, thereby disrupting the botnet’s command and control capabilities.
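The two host-level checks above (the one-minute cron watchdog from the persistence section, and compiler activity followed by a fresh binary running from /tmp, /dev/shm or a home directory) can be scripted against crontab text and a process-event log. The following is an added illustration written for this article, not Flare's tooling; the crontab, the event-log format ("<ISO time> <exe> cwd=<dir>") and the paths under /dev/shm/.kit are constructed samples.

```python
"""Constructed detection example for the SSHStalker behaviours described
in the article (not Flare's code). Two checks over inline sample data:
  1. crontab entries that run every minute from a staging directory
  2. gcc/make run from a staging directory, then a binary executed from
     that directory within a few minutes of the compile"""
import re
from datetime import datetime, timedelta

# Directories the article names as launch points for the kit and compiler.
STAGING_DIRS = ("/dev/shm", "/tmp", "/home/", "/root/")
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
COMPILERS = {"gcc", "cc", "make"}
# Constructed event format: "<ISO timestamp> <executable path> cwd=<dir>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<exe>\S+) cwd=(?P<cwd>\S+)$")

SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.kit/update.sh >/dev/null 2>&1
*/5 * * * * /usr/local/bin/healthcheck
"""
SAMPLE_EVENTS = """\
2026-01-14T02:10:05 /usr/bin/gcc cwd=/dev/shm/.kit
2026-01-14T02:10:09 /usr/bin/make cwd=/dev/shm/.kit
2026-01-14T02:12:30 /dev/shm/.kit/bot cwd=/dev/shm/.kit
2026-01-14T03:00:00 /usr/bin/gcc cwd=/opt/build
2026-01-14T03:00:20 /opt/build/app cwd=/opt/build
"""

def suspicious_cron_lines(crontab_text):
    """Every-minute entries whose command references a staging directory."""
    hits = []
    for line in crontab_text.splitlines():
        m = EVERY_MINUTE.match(line.strip())
        if m and any(d in m.group("cmd") for d in STAGING_DIRS):
            hits.append(line.strip())
    return hits

def compile_then_run_alerts(log_text, window=timedelta(minutes=5)):
    """Flag compiler runs in staging dirs and binaries run from there soon after."""
    alerts, last_compile = [], {}          # last_compile: cwd -> timestamp
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, exe, cwd = datetime.fromisoformat(m["ts"]), m["exe"], m["cwd"]
        if exe.rsplit("/", 1)[-1] in COMPILERS and cwd.startswith(STAGING_DIRS):
            alerts.append(f"compiler {exe} run from {cwd}")
            last_compile[cwd] = ts
        elif exe.startswith(STAGING_DIRS):
            built = last_compile.get(cwd)
            if built is not None and ts - built <= window:
                secs = int((ts - built).total_seconds())
                alerts.append(f"{exe} executed {secs}s after compile in {cwd}")
    return alerts

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(compile_then_run_alerts(SAMPLE_EVENTS))
```

The /opt/build events are included to show that a legitimate compile outside the staging directories produces no alert.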
The continued reliance on legacy IRC protocols, combined with sophisticated automation for SSH compromise, highlights the adaptive nature of established botnet operators. Further monitoring by security researchers will likely focus on the evolution of SSHStalker’s tooling and its potential to scale its operations onto other operating systems or leverage new exploitation vectors.