The cyber‑security community has identified a new Linux botnet, SSHStalker, that resurrects the 1988‑era Internet Relay Chat (IRC) protocol to command compromised servers. By exploiting weak SSH passwords and a cache of legacy kernel vulnerabilities, the botnet spreads rapidly through cloud infrastructure, harvesting cloud credentials and running Ethereum‑miner software for profit.
Researchers at Flare observed the malware’s first‑stage scanner probing port 22 on public IP ranges, then brute‑forcing SSH logins with common credentials. Once inside, the attackers drop a Move‑language binary disguised as the open‑source network scanner nmap, which establishes an IRC connection to hard‑coded servers and channels. From there, the infected host becomes a node in a distributed network of bots that can receive commands, download additional payloads and report back status.
Command‑and‑control via IRC
Unlike modern botnets that rely on HTTP or DNS tunneling, SSHStalker uses multiple IRC channels for redundancy and low‑cost communication. The choice of IRC—known for its minimal bandwidth footprint and cross‑platform support—allows the botnet to stay under the radar while maintaining persistent control over thousands of machines.
The botnet’s IRC clients are compiled on‑the‑fly: after infection, SSHStalker pulls the GNU Compiler Collection (GCC) onto the host and builds C‑based bots tailored to the specific Linux distribution. This approach sidesteps the need to ship pre‑compiled binaries for each distro, improving reliability across the heterogeneous cloud environment.
Flare’s monitoring recorded nearly 7,000 distinct bot scans in a single month, with a concentration on Oracle Cloud instances, highlighting the botnet’s focus on commercial cloud providers.
Exploitation of legacy kernel flaws
SSHStalker carries a “back‑catalog” of sixteen CVEs dating from 2009‑2010, targeting Linux 2.6.x kernels that remain in use on neglected or legacy systems. Successful exploitation escalates privileges from the low‑privileged SSH account to root, enabling the botnet to install its components system‑wide and hide its presence.
Persistence is achieved through cron jobs that execute every minute, checking for the bot process and restarting it if terminated. This watchdog loop makes manual removal difficult: killing the process alone is not enough, and a thorough system audit is needed to find and remove the scheduled entries as well.
Monetization mechanisms
Beyond maintaining a foothold, the malware harvests AWS access keys from compromised servers, allowing attackers to spin up additional cloud resources for their own use. It also runs PhoenixMiner, an Ethereum mining tool, turning the infected host’s CPU and GPU cycles into cryptocurrency revenue.
While the code includes DDoS capabilities, Flare has not observed any large‑scale attacks, suggesting the operators may be stockpiling access for future operations or testing new payloads.
Defensive recommendations
Administrators should disable password‑based SSH authentication in favor of key‑based access, a step that would block the botnet’s initial brute‑force vector. Removing compilers such as GCC from production environments reduces the malware’s ability to build its own payloads on the host.
Monitoring for outbound connections on IRC ports (typically 6667, 6697) and unusual cron activity can provide early warning signs of infection. Regularly patching legacy kernel versions and decommissioning outdated Linux instances further shrink the attack surface.
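The following POSIX shell script is an added example, not code from Flare or from the SSHStalker report. It turns the three checks above (password-based SSH login still enabled, outbound connections to the IRC ports 6667/6697, and every-minute cron entries of the kind the botnet uses for persistence) into small functions, each of which reads its input from stdin so it can be pointed at either a live host or the constructed sample data embedded in the script. The sample sshd_config, `ss -ntp` output and crontab are made up for demonstration; the IP addresses are documentation ranges, and the `nmap` process name mirrors the disguise the article describes.

```shell
#!/bin/sh
# Added example (not from Flare's report): audits a Linux host for the
# SSHStalker indicators named in the article. All sample data below is
# constructed for offline demonstration.

# Exit 0 if the sshd_config on stdin still permits password logins.
# sshd honours the FIRST occurrence of a directive; when it is absent the
# default is "yes", so an empty result counts as enabled.
password_auth_enabled() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' \
          | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-yes}" = "yes" ]
}

# Print lines of "ss -ntp" output whose peer port is an IRC port.
# Field 5 of ss -ntp is "Peer Address:Port".
irc_connections() {
    awk '$5 ~ /:(6667|6697)$/ { print }'
}

# Print crontab lines scheduled to run every minute ("* * * * *").
# Works for both user crontabs and the /etc/crontab form with a user field.
minute_cron_jobs() {
    grep -E '^[[:space:]]*\*([[:space:]]+\*){4}[[:space:]]'
}

# Run the checks against the live host. Needs root for a complete picture
# (ss -p only shows other users' processes to root; crontab -l is per-user,
# so also review /var/spool/cron/crontabs for other accounts).
audit_live_host() {
    echo "== sshd password authentication =="
    if password_auth_enabled < /etc/ssh/sshd_config; then
        echo "WARNING: password logins still allowed (set PasswordAuthentication no)"
    else
        echo "ok: password logins disabled"
    fi
    echo "== outbound IRC connections (ports 6667/6697) =="
    ss -ntp 2>/dev/null | irc_connections
    echo "== every-minute cron entries (review each one) =="
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } \
        | minute_cron_jobs
}

# ---- constructed sample data ----
SAMPLE_SSHD_CONFIG='# constructed sshd_config
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'

SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41234 203.0.113.7:6667 users:(("nmap",pid=1234,fd=3))
ESTAB 0 0 10.0.0.5:44556 198.51.100.2:443 users:(("curl",pid=1235,fd=3))
ESTAB 0 0 10.0.0.5:51000 192.0.2.9:6697 users:(("nmap",pid=1234,fd=4))'

SAMPLE_CRONTAB='# constructed crontab
*/5 * * * * /usr/bin/logrotate
* * * * * /tmp/.x/bot >/dev/null 2>&1'

# Demonstration on the samples (no host access required).
if printf '%s\n' "$SAMPLE_SSHD_CONFIG" | password_auth_enabled; then
    echo "sample sshd_config: password logins ENABLED"
fi
echo "sample IRC connections:"
printf '%s\n' "$SAMPLE_SS" | irc_connections
echo "sample every-minute cron entries:"
printf '%s\n' "$SAMPLE_CRONTAB" | minute_cron_jobs
```

To run the checks for real, source the script and call `audit_live_host` as root. An every-minute cron entry is not proof of infection on its own (monitoring agents use the same schedule), so the cron output is a list to review rather than an alert; the IRC-port check, by contrast, rarely has a legitimate explanation on a cloud server and is worth alerting on directly.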
What’s next for SSHStalker?
Flare plans to continue tracking the botnet’s activity and will publish periodic updates as new indicators of compromise emerge. Organizations are encouraged to share threat intelligence with their security teams and to apply the mitigation steps outlined above to protect cloud workloads.
Readers are invited to share their experiences or questions in the comments and to spread the word so that more operators can safeguard their environments against this revival of an old‑school protocol.
