Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Linux Botnet SSHStalker Uses Old-School IRC for Command-and-Control Operations


A newly discovered Linux botnet dubbed SSHStalker is using classic IRC protocol for its command-and-control operations, showcasing an unorthodox approach to malware tactics.

  • Researchers at Flare identified a new Linux botnet dubbed SSHStalker that relies on classic Internet Relay Chat (IRC) protocol for command-and-control operations.
  • The IRC protocol, despite being old, is still used due to its simplicity, interoperability, and low bandwidth requirements.
  • SSHStalker employs a multi-server/channel redundancy approach, prioritizing resilience and scalability over stealth and technical novelty.
  • The malware achieves initial access through automated SSH scanning and brute forcing, utilizing a Go binary that masquerades as nmap.
  • SSHStalker downloads the GCC tool for compiling payloads on the victim device, enhancing portability and evasion.
  • The malware implements persistence via cron jobs and exploits 16 CVEs targeting Linux kernel versions from the 2009-2010 era.
  • SSHStalker performs AWS key harvesting, website scanning, cryptomining, and DDoS capabilities, but these have not been observed in action yet.



    In a significant development that highlights the evolving nature of cyber threats, researchers at threat intelligence company Flare have identified a new Linux botnet dubbed SSHStalker. The most intriguing aspect of this malware is its reliance on classic Internet Relay Chat (IRC) protocol for command-and-control (C2) operations.

    The IRC protocol, invented in 1988 and popularized during the 1990s, was initially designed as a text-based instant messaging solution for group and private communication. Despite its age, the protocol still holds significance today due to its simplicity, interoperability, low bandwidth requirements, and lack of graphical user interface (GUI) dependency.

    The SSHStalker botnet exhibits several characteristics that set it apart from modern C2 frameworks. Notably, it employs a multi-server/channel redundancy approach, prioritizing resilience and scalability over stealth and technical novelty. This approach involves the use of multiple C-based bots and redundant servers to ensure the botnet's continued operation even in the event of server or bot failures.

    Researchers at Flare discovered that SSHStalker achieves initial access through automated SSH scanning and brute forcing, utilizing a Go binary that masquerades as the popular open-source network discovery utility nmap. Once a host is compromised, it is used to scan for additional SSH targets, mimicking a worm-like propagation mechanism within the botnet.

    Upon infection, SSHStalker downloads the GCC tool for compiling payloads on the victim device, enhancing portability and evasion. The malware then initiates a series of C-based IRC bots that hard-code C2 servers and channels, enrolling new victims in the botnet's IRC infrastructure. Further payloads are fetched from archives named GS and bootbou, which contain bot variants for orchestration and execution sequencing.

    The malware implements persistence via cron jobs that run every 60 seconds, invoking a watchdog-style update mechanism to ensure the main bot process continues to run even if terminated. Additionally, SSHStalker includes exploits for 16 CVEs targeting Linux kernel versions from the 2009-2010 era, used to escalate privileges after initial brute-force access.

    The researchers found that SSHStalker performs AWS key harvesting and website scanning, as well as incorporating cryptomining kits such as PhoenixMiner. While it also possesses DDoS capabilities, these have not been observed in action yet, with the bots currently entering an idle state upon connection to the C2 server.

    Flare has noted similarities between SSHStalker and the Outlaw/Maxlas botnet ecosystem, as well as Romanian indicators. However, no specific attribution of SSHStalker to a particular threat group has been made. Recommended mitigations include disabling SSH password authentication, removing compilers from production images, enforcing egress filtering, and restricting execution from /dev/shm.

    This discovery underscores the evolving nature of cyber threats and highlights the need for constant vigilance among organizations and individuals alike. The use of outdated protocols and techniques by malware like SSHStalker serves as a reminder that even seemingly simple tools can be repurposed for malicious purposes.

    In an effort to stay ahead of such threats, it is essential to maintain up-to-date security measures and monitor systems regularly for any signs of unusual activity. Moreover, awareness of emerging trends in cyber threats can aid in the development of effective countermeasures against malware like SSHStalker.

    As our understanding of the threat landscape continues to evolve, so too must our approach to mitigating these risks. By staying informed about emerging threats and adapting our defenses accordingly, we may better safeguard against the ever-present specter of cyber attacks.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Linux-Botnet-SSHStalker-Uses-Old-School-IRC-for-Command-and-Control-Operations-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/

  • https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet

  • https://www.secureblink.com/cyber-security-news/ssh-stalker-proves-hackers-don-t-need-new-tricks-to-own-linux-servers


  • Published: Tue Feb 10 20:14:21 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.