A previously undocumented Linux botnet operation called SSHStalker was discovered targeting nearly 7,000 systems in attacks that blend 2009-era Internet Relay Chat (IRC) command-and-control with modern mass-compromise automation.

In a Feb. 9 blog post, Flare's research team said the targets were geographically dispersed across the United States, Europe, and Asia-Pacific, adding that their scan results were heavily concentrated at leading cloud providers, including Oracle Cloud Infrastructure.

What made this case notable was how much the researchers' picture of the campaign shifted as the investigation progressed. At first they thought SSHStalker was targeting Linux systems with fileless malware, rootkits, log cleaners, and various kernel exploits. But as the research continued, the team found a stitched-together botnet kit that mixed old-school IRC control, on-host compilation of binaries, mass SSH compromise, and cron-based persistence on Linux systems.

"SSHStalker is a sharp reminder that old does not mean ineffective," said Jason Soroko, senior fellow at Sectigo. "The campaign leans on IRC command-and-control, noisy cron-based persistence, and a pile of long-known Linux kernel exploits because a small but meaningful slice of internet-facing Linux systems still runs legacy software, weak SSH configurations, or both. That's enough to net thousands of systems in an opportunistic sweep, even when the tooling looks like 2009."
Soroko added that while the entire industry remains focused on AI, plenty of attackers are cashing in with bargain-basement tradecraft that slips through because fundamentals are uneven. It is not that AI made everyone blind, Soroko said; it is that organizations stopped doing basic hygiene at internet scale.

"Teams should inventory internet-exposed Linux, retire or isolate legacy kernels, harden SSH, and alert on the very behaviors this botnet cannot hide like per-minute cron execution, watchdog relaunch loops, unexpected IRC traffic, and sudden mining workloads," said Soroko.

Michael Bell, chief executive officer at Suzu Labs, added that SSHStalker isn't sophisticated: it brute-forces SSH, compiles exploit code directly on the host, drops IRC bots, and persists through a cron job that fires every 60 seconds. Bell added that the toolkit includes 16 kernel exploits from 2009 and 2010.

"None of that should work against anything maintained in the last decade, but 7,000 compromised systems say otherwise," said Bell. "The systems getting hit are the ones nobody owns: Abandoned cloud instances. Legacy servers on end-of-life kernels. Infrastructure that exists in the environment, but not in anyone's monitoring. The fact that nobody owns them doesn't mean they aren't connected to the rest of the network."

Bell offered five fixes:
- Disable SSH password auth on anything internet-facing.
- Monitor for compiler execution and new binaries in /tmp or /dev/shm.
- Watch for cron jobs that shouldn't exist.
- Enforce egress filtering so production servers can't reach arbitrary IRC infrastructure.
- Inventory what the organization actually has running and make it visible to the team.
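The behaviors Soroko says this botnet cannot hide and the checks in Bell's list above are easy to script on a Linux host. The script below is an added example written for this article; it is not code from Flare's write-up or from either quoted expert. Each check is a function that reads its input from stdin (or takes directories as arguments), so it can be run against a captured crontab, sshd_config or `ss` dump as well as the live host. The IRC port list (6667, 6697) and the scratch directories (/tmp, /dev/shm) are assumptions to adjust to your own egress policy.

```shell
#!/usr/bin/env bash
# Added example: host triage for SSHStalker-style indicators. Not from the
# Flare report or the quoted experts. Ports and paths below are assumptions.
set -u

IRC_PORTS='6667|6697'   # assumed IRC ports; extend to match your egress policy

# Cron entries that fire every minute: five bare '*' fields, or '*/1' minutes.
# Handles user crontabs and /etc/crontab or /etc/cron.d (extra user field).
find_minute_crons() {
    grep -Ev '^[[:space:]]*(#|$)' \
      | grep -E '^[[:space:]]*(\*|\*/1)([[:space:]]+\*){4}[[:space:]]'
}

# Effective PasswordAuthentication value from an sshd_config read on stdin.
# sshd honours the FIRST matching directive; an unset value means "yes".
# Match blocks are not evaluated here; `sshd -T` gives the authoritative answer.
ssh_password_auth() {
    local v
    v=$(grep -Ev '^[[:space:]]*#' \
        | awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}')
    echo "${v:-yes}"
}

# Regular files with any execute bit set under the given directories.
find_exec_files() {
    find "$@" -xdev -type f -perm /111 2>/dev/null
}

# Peer addresses on IRC ports, from `ss -Htn state established` on stdin
# (no header, columns: Recv-Q Send-Q Local:Port Peer:Port). IPv6 peers such
# as [2001:db8::9]:6697 are handled by taking the last colon-separated field.
find_irc_peers() {
    awk -v ports="^($IRC_PORTS)\$" '
        { n = split($4, p, ":"); if (p[n] ~ ports) print $4 }'
}

# Live run against this host: `./triage.sh --live` (root sees all crontabs).
if [ "${1:-}" = "--live" ]; then
    echo "== per-minute cron entries"
    { cat /etc/crontab /etc/cron.d/* 2>/dev/null
      for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done
    } | find_minute_crons
    echo "== sshd PasswordAuthentication: $(ssh_password_auth < /etc/ssh/sshd_config)"
    echo "== executables in scratch dirs"
    find_exec_files /tmp /dev/shm
    echo "== established peers on IRC ports"
    ss -Htn state established | find_irc_peers
fi
```

Run it with `--live` on a host, or pipe saved artefacts into the individual functions when working from a forensic image. The cron and SSH checks are deliberately conservative (they flag only unambiguous every-minute schedules and read the main sshd_config without Match blocks), so treat a clean result as "nothing obvious", not as a bill of health; compiler execution, which Bell also recommends watching for, needs an audit or eBPF source rather than a point-in-time script.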