{"id":212219,"date":"2026-02-11T05:08:00","date_gmt":"2026-02-11T10:08:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning\/"},"modified":"2026-02-11T06:00:10","modified_gmt":"2026-02-11T11:00:10","slug":"sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning\/","title":{"rendered":"SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/187833\/malware\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html\">SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/187833\/malware\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html\">https:\/\/securityaffairs.com\/187833\/malware\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-11 05:08:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> February 11, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/02\/image-21.png?fit=1181%2C842&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">A new Linux botnet, SSHStalker, has infected about 7,000 systems using old 2009-era exploits, IRC bots, and mass-scanning malware.<\/h2>\n<p>Flare researchers uncovered a previously undocumented Linux botnet dubbed SSHStalker, observed via SSH honeypots over two months. Researchers ran an SSH honeypot with weak credentials starting in early 2026 and spotted a set of intrusions unlike any previously reported activity. After checking threat intel databases, vendor reports, and malware repositories, they confirmed this activity as new and named it SSHStalker. The botnet combines old-school 2009-era IRC botnet tactics with modern automated mass-compromise techniques.<\/p>\n<p>\u201cWe\u2019ve designated this operation \u201cSSHStalker\u201d due to its distinctive behavior: the botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining.\u201d reads the <strong>report<\/strong> published by Flare. \u201cThis \u201cdormant persistence\u201d pattern\u2014infecting systems and establishing control without immediate monetization\u2014differentiates it from typical opportunistic botnet operations and suggests either infrastructure staging, testing phases, or strategic access retention for future use.\u201d<\/p>\n<p>SSHStalker relies on IRC as its command-and-control backbone, using multiple C-based bots, Perl scripts, and known malware families like Tsunami and Keiten. Attacks are highly automated, chaining SSH scanners with rapid staging, on-host compilation, and automatic enrollment into IRC channels to scale infections quickly.<\/p>\n<p>The researchers pointed out that the persistence mechanism implemented by the botnet is noisy but effective, using cron jobs that relaunch the malware within about a minute if disrupted. The toolkit mixes log&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/187833\/malware\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning https:\/\/securityaffairs.com\/187833\/malware\/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html Publish Date: 2026-02-11&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212220,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/02\/image-21.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32],"class_list":["post-212219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212219"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212219"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212219\/revisions"}],"predecessor-version":[{"id":212221,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212219\/revisions\/212221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212220"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}