**SSHStalker Botnet Targets Linux Servers with Legacy Exploits and SSH Scanning**

A new Linux botnet, dubbed SSHStalker, has been discovered infecting approximately 7,000 systems using old 2009-era exploits, IRC bots, and mass-scanning malware. Researchers at Flare uncovered the previously undocumented Linux botnet through their SSH honeypots over a two-month period.

The researchers set up an SSH honeypot with weak credentials in early 2026 and spotted a set of intrusions unlike any previously reported activity. After conducting further analysis, including checking threat intel databases, vendor reports, and malware repositories, they confirmed this activity as new and named it SSHStalker.

SSHStalker combines old-school IRC botnet tactics with modern automated mass-compromise techniques. "We've designated this operation 'SSHStalker' due to its distinctive behavior: the botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining," reads the report published by Flare.

The report highlights that SSHStalker relies on IRC as its command-and-control backbone, using multiple C-based bots, Perl scripts, and known malware families like Tsunami and Keiten. Attacks are highly automated, chaining SSH scanners with rapid staging, on-host compilation, and automatic enrollment into IRC channels to scale infections quickly.

The persistence mechanism implemented by the botnet is noisy but effective, using cron jobs that relaunch the malware within about a minute if disrupted. The toolkit mixes log cleaners and rootkit-like artifacts with a large collection of outdated Linux 2.6.x kernel exploits, which remain effective against neglected legacy systems.

While its tactics resemble known Outlaw/Maxlas-style Linux botnets, no direct attribution was found, suggesting a derivative or copycat operator. Overall, SSHStalker favors scale and reliability over stealth, and Flare provides guidance to help defenders detect and mitigate the threat.

**How SSHStalker Infects Systems**

SSHStalker breaks into Linux servers via mass SSH scanning and brute force, then deploys an old-style IRC botnet toolkit mixed with automated scripts. It drops scanners, compiles malware directly on the victim, installs multiple IRC bots, cleans logs, and sets up persistence using cron jobs that restart the malware within a minute if removed.
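The cron-based persistence described above (and in the earlier toolkit paragraph) gives defenders a concrete thing to look for: scheduled jobs that fire every minute or launch binaries from world-writable staging directories or hidden dot-directories. The following is an added example, not code from the report or from Flare; the crontab lines, the path list, and the `find_suspicious_cron` helper are all constructed for illustration.

```python
import re

# Constructed sample crontab content (not taken from the report). The report
# describes cron jobs that relaunch the malware within about a minute if disrupted.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1
*/1 * * * * cd /tmp/.hidden && ./bot >/dev/null 2>&1
@reboot /var/tmp/.k/start
30 2 * * 0 /usr/local/bin/backup.sh
"""

# Hypothetical choice of staging locations worth flagging when used by a scheduled job.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A hidden directory component such as /tmp/.x/ or /var/tmp/.k, a common staging pattern.
HIDDEN_DIR = re.compile(r"/\.[^/\s]+(?:/|\s|$)")


def _is_every_minute(schedule: str) -> bool:
    """True for schedules that fire every minute: `* * * * *` or `*/1 * * * *`."""
    fields = schedule.split()
    return (len(fields) == 5 and fields[0] in ("*", "*/1")
            and all(f == "*" for f in fields[1:]))


def find_suspicious_cron(text: str) -> list[dict]:
    """Return the crontab entries that look like re-launch persistence."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ... have a single schedule token
            schedule, _, command = line.partition(" ")
            every_minute = False
        else:
            parts = line.split(None, 5)  # five schedule fields, then the command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
            every_minute = _is_every_minute(schedule)
        staged = (any(p in command for p in SUSPICIOUS_PREFIXES)
                  or bool(HIDDEN_DIR.search(command)))
        if every_minute or staged:
            findings.append({"schedule": schedule, "command": command,
                             "every_minute": every_minute, "staged_path": staged})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f)
```

On a live host the same check would be run over /etc/crontab, /etc/cron.d/* and each user's crontab, and any hit should be reviewed alongside the process that recreates it, since the report notes the job restores the malware if it is removed.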

Unlike typical botnets, SSHStalker shows no immediate DDoS or cryptomining activity. It focuses on quiet, long-term access, likely for staging, testing, or future use. Analysis of the staging server revealed deep insight into the SSHStalker operation.

**Technical Analysis**

The actor runs a large, well-organized toolkit that mixes mass SSH compromise with dozens of IRC botnet components, SSH scanners, persistence scripts, rootkits, and Linux privilege-escalation exploits. Investigators found evidence of nearly 7,000 freshly compromised systems in January 2026, mostly cloud servers, with strong links to Oracle Cloud infrastructure spread across global regions.

The exploit arsenal focuses on old Linux 2.6.x kernels, using many 2009–2010 CVEs. While outdated, these exploits still work against neglected and legacy systems. "These findings indicate a toolkit ecosystem built around 2009-2010 era Linux kernel vulnerabilities, primarily targeting the 2.6.x generation that dominated legacy enterprise servers and embedded appliances," continues the report.

**Indicators of Compromise (IoCs)**

The report includes IoCs for this threat, which can be used by defenders to detect and mitigate the SSHStalker botnet. Researchers at Flare also point out that Romanian-language artifacts, nicknames, and slang inside configs and IRC channels stand out as the strongest indicator of the actor's likely origin.

**Conclusion**

SSHStalker is a mid-tier Linux botnet operator using old but reliable tools: SSH brute force, multi-stage payloads, cron-based persistence, and IRC coordination. While the toolkit resembles Outlaw- or Maxlas-style botnets, no direct links were found. The discovery of SSHStalker highlights the ongoing threat posed by legacy systems and the need for defenders to stay vigilant in detecting and mitigating botnet activity.