SSHStalker botnet uses old-school IRC for large-scale Linux attacks 


A recently observed Linux botnet, dubbed ‘SSHStalker,’ is leveraging the decades-old Internet Relay Chat (IRC) protocol to manage its command-and-control (C&C) operations, according to researchers at threat intelligence firm Flare.

First introduced in 1988, IRC peaked in popularity during the 1990s as a primary platform for real-time text communication. SSHStalker relies on classic IRC mechanics (multiple C-based bots, with redundant servers and channels for fallback) rather than on modern C2 frameworks.

Flare researchers describe the botnet as a “scale-first operation that favors reliability over stealth.” Instead of sophisticated evasion techniques, SSHStalker uses noisy SSH scanning, one-minute cron jobs for persistence, and a collection of 15-year-old vulnerabilities.

“The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of Linux 2.6.x-era exploits (2009–2010 CVEs). These are low value against modern stacks, but remain effective against “forgotten” infrastructure and long-tail legacy environments,” the company noted.

The botnet gains initial access through automated SSH scanning and brute-force attacks, deploying a Go-based binary disguised as the popular network scanning tool nmap. Once a system is compromised, it is used to scan for additional SSH targets in a worm-like propagation. Flare uncovered logs from nearly 7,000 bot scans conducted in January, many targeting Oracle Cloud infrastructure.

SSHStalker downloads the GCC compiler onto victim machines to build payloads locally. Initial payloads consist of C-based IRC bots configured with hard-coded C2 servers and channels. Additional components, delivered in archives labeled “GS” and “bootbou,” manage orchestration and execution.

To maintain persistence, the malware installs cron jobs that execute every 60 seconds and act as watchdogs, relaunching the primary bot process if it is terminated.
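As an added defender-side example (not code from the Flare report), the check below parses a user crontab and flags every-minute entries that have the relaunch-if-dead watchdog shape described above or run from temp or hidden directories; the crontab lines are constructed samples and the paths in them are illustrative, not indicators from the report.

```python
import re

# Constructed sample user crontab (not from the Flare report). Paths and
# commands are illustrative placeholders for the shape of a cron watchdog.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/1 * * * * pgrep -x nmap >/dev/null || /tmp/.x/nmap >/dev/null 2>&1
* * * * * /home/user/.cache/run.sh
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Minute-field spellings that fire every minute.
EVERY_MINUTE = {"*", "*/1"}
# "check if running, otherwise start it" constructs typical of a watchdog.
WATCHDOG_RE = re.compile(r"\b(pgrep|pidof)\b|\|\|")
# World-writable temp dirs or hidden directories under a home.
SUSPICIOUS_PATH_RE = re.compile(r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/|/home/[^/]+/\.)")


def parse_crontab(text):
    """Yield (schedule_fields, command) per entry of a *user* crontab.
    Assumes the five-field user format (no user column as in /etc/crontab)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # malformed or an environment assignment such as PATH=
        yield parts[:5], parts[5]


def find_minute_watchdogs(text):
    """Return [(command, [reasons])] for entries that run every minute and
    look like a process watchdog or execute from a temp/hidden location."""
    hits = []
    for fields, cmd in parse_crontab(text):
        if fields[0] not in EVERY_MINUTE or any(f != "*" for f in fields[1:]):
            continue  # not an every-minute schedule
        reasons = []
        if WATCHDOG_RE.search(cmd):
            reasons.append("relaunch-if-dead pattern")
        if SUSPICIOUS_PATH_RE.search(cmd):
            reasons.append("runs from temp or hidden path")
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in find_minute_watchdogs(SAMPLE_CRONTAB):
        print(f"SUSPECT: {cmd}  <- {', '.join(reasons)}")
```

Run it against `crontab -l` output for each local user; every-minute entries are rare in legitimate administration, so each hit is worth a manual look.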

The botnet also incorporates exploits for more than a dozen Linux kernel vulnerabilities dating back to 2009–2010, enabling privilege escalation after gaining access through compromised credentials. Researchers observed capabilities for AWS credential harvesting, website scanning, cryptomining, including deployment of the PhoenixMiner Ethereum miner, and distributed denial-of-service (DDoS) attacks. However, no active DDoS campaigns have been observed, and many bots appear to remain idle after connecting to their C&C servers.

Flare has not attributed SSHStalker to a specific threat actor but noted similarities with the Outlaw/Maxlas botnet ecosystem and indicators linked to Romania.
