{"id":212192,"date":"2026-02-10T18:09:00","date_gmt":"2026-02-10T23:09:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/10\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/"},"modified":"2026-02-11T04:25:15","modified_gmt":"2026-02-11T09:25:15","slug":"new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/10\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/","title":{"rendered":"New Linux botnet SSHStalker uses old-school IRC for C2 comms"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/\">New Linux botnet SSHStalker uses old-school IRC for C2 comms<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/<\/a><\/p>\n<p>Publish Date: 2026-02-10 18:09:00<\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations.<\/p>\n<p>The protocol was invented in 1988, and its adoption peaked during the 1990s, becoming the main text-based instant messaging solution for group and private communication.<\/p>\n<p>Technical communities still appreciate it for its implementation simplicity, interoperability, low bandwidth requirements, and no need for a GUI.<\/p>\n<p>The SSHStalker botnet relies on classic IRC mechanics such as multiple C-based bots 
and multi-server\/channel redundancy instead of modern C2 frameworks, prioritizing resilience, scale, and low cost over stealth and technical novelty.<\/p>\n<p>According to researchers at threat intelligence company Flare, this approach extends to other characteristics of SSHStalker\u2019s operation, like using noisy SSH scans, one-minute cron jobs, and a large back-catalog of 15-year-old CVEs.<\/p>\n<p>\u201cWhat we actually found was a loud, stitched-together botnet kit that mixes old-school IRC control, compiling binaries on hosts, mass SSH compromise, and cron-based persistence. In other words scale-first operation that favors reliability over stealth,\u201d Flare says.<\/p>\n<p><img decoding=\"async\" alt=\"The 'infected machines' IRC channel\" height=\"600\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/February\/infectedmachines.jpg\" width=\"877\"\/><strong>The &#8216;infected machines&#8217; IRC channel<\/strong><br \/>Source: Flare<\/p>\n<p>SSHStalker achieves initial access through automated SSH scanning and brute forcing, using a Go binary that masquerades as the popular open-source network discovery utility nmap.<\/p>\n<p>Compromised hosts are then used to scan for additional SSH targets, which resembles a worm-like propagation mechanism for the botnet.<\/p>\n<p>Flare found\u00a0a file with results from nearly 7,000 bot scans, all from January, and focused mostly on\u00a0cloud hosting providers in Oracle Cloud infrastructure.<\/p>\n<p>Once SSHStalker infects a host, it downloads the GCC tool for compiling payloads on the victim device for better portability and evasion.<\/p>\n<p>The first payloads are C-based IRC bots with hard-coded C2 servers and channels, which enroll&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Linux botnet SSHStalker uses old-school IRC for C2 
comms https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms\/ Publish Date: 2026-02-10 18:09:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212193,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2024\/05\/14\/Linux-botnet.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,57],"class_list":["post-212192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212192"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212192"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212192\/revisions"}],"predecessor-version":[{"id":212194,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212192\/revisions\/212194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212193"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}