Ethical Hacking News
The SSHStalker botnet is a sophisticated operation that relies on the Internet Relay Chat (IRC) protocol for command-and-control (C2) purposes. The threat actor uses an SSH scanner and other scanners to co-opt susceptible systems into a network and enroll them in IRC channels. The Golang scanner scans for port 22 on servers with open SSH, allowing the threat actor to extend its reach in a worm-like fashion. The malware toolkit contains a "keep-alive" component that ensures the main malware process is relaunched within 60 seconds if it is terminated by a security tool. The botnet exploits 16 distinct vulnerabilities impacting the Linux kernel, some going back to 2009. Researchers have uncovered an extensive repository of open-source offensive tooling and previously published malware samples associated with the SSHStalker botnet. The operational fingerprint of the SSHStalker botnet exhibits strong overlaps with that of a hacking group known as Outlaw, suggesting Romanian origin. The use of legacy kernel exploits highlights the need for organizations to prioritize vulnerability management and patching.
The cybersecurity landscape is ever-evolving, with new threats emerging on a daily basis. One such threat that has garnered significant attention in recent times is the SSHStalker botnet, a sophisticated operation that relies on the Internet Relay Chat (IRC) protocol for command-and-control (C2) purposes. This article delves into the intricacies of the SSHStalker botnet, exploring its operational mechanics, the vulnerabilities it exploits, and the potential implications of this threat.
At its core, the SSHStalker botnet is a complex operation that combines IRC botnet mechanics with an automated mass-compromise operation. The threat actor utilizes an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels. This approach allows the attacker to maintain persistent access without any follow-on post-exploitation behavior, setting it apart from other campaigns that typically leverage botnets for opportunistic efforts such as distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining.
One of the key components of the SSHStalker botnet is a Golang scanner that scans for port 22 on servers with open SSH in order to extend its reach in a worm-like fashion. The threat actor also drops several payloads, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots.
Furthermore, the malware toolkit contains a "keep-alive" component that ensures the main malware process is relaunched within 60 seconds in the event it is terminated by a security tool. This watchdog allows the attacker to maintain persistent access even when the bot process itself is found and killed, so a response that stops at killing the process will not remove the infection.
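The keep-alive behaviour described above leaves a recognisable trace in process telemetry: the same binary is re-executed shortly after each termination, by the same parent. The following Python is an added detection example, not code from the article or from the researchers who analysed SSHStalker; the log line format, the paths and the sample events are constructed for the example, and the 60-second window is the interval the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed process events (not real telemetry): one exec/exit record per line.
# The bot under /tmp/.x is killed twice (sig=9) and comes back each time from ppid 4100.
SAMPLE_EVENTS = """\
2026-02-11T06:00:00Z exec pid=4101 ppid=4100 exe=/tmp/.x/sshd-bot
2026-02-11T06:00:05Z exit pid=4101 exe=/tmp/.x/sshd-bot sig=9
2026-02-11T06:00:44Z exec pid=4102 ppid=4100 exe=/tmp/.x/sshd-bot
2026-02-11T06:00:50Z exit pid=4102 exe=/tmp/.x/sshd-bot sig=9
2026-02-11T06:01:30Z exec pid=4103 ppid=4100 exe=/tmp/.x/sshd-bot
2026-02-11T06:02:00Z exec pid=5001 ppid=1 exe=/usr/sbin/cron
2026-02-11T06:02:01Z exit pid=5001 exe=/usr/sbin/cron sig=0
2026-02-11T06:10:00Z exec pid=5002 ppid=1 exe=/usr/sbin/cron
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ev>exec|exit) pid=(?P<pid>\d+)(?: ppid=(?P<ppid>\d+))? exe=(?P<exe>\S+)"
)


def parse_events(text):
    """Parse the constructed log format into (timestamp, event, exe, ppid) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ev"], m["exe"], m["ppid"]))
    return events


def find_keepalive_respawns(text, window_s=60, min_respawns=2):
    """Return {exe: (respawn_count, sorted parent pids)} for binaries that were
    re-executed within window_s seconds of an exit at least min_respawns times."""
    last_exit = {}
    respawns = defaultdict(list)
    parents = defaultdict(set)
    for ts, ev, exe, ppid in parse_events(text):
        if ev == "exit":
            last_exit[exe] = ts
        elif exe in last_exit:  # exec after a previous exit of the same binary
            gap = (ts - last_exit[exe]).total_seconds()
            if 0 <= gap <= window_s:
                respawns[exe].append(gap)
                parents[exe].add(ppid)
    return {exe: (len(gaps), sorted(parents[exe]))
            for exe, gaps in respawns.items() if len(gaps) >= min_respawns}
```

The reported parent pid is the process worth inspecting next, since killing only the respawned child leaves the watchdog in place.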
The SSHStalker botnet exploits a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way back to 2009. Some of the flaws used in the exploit module are CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437. These vulnerabilities provide a significant attack surface for the threat actor to exploit, particularly in long-tail legacy environments.
Cybersecurity researchers have uncovered an extensive repository of open-source offensive tooling and previously published malware samples associated with the SSHStalker botnet. This includes rootkits to facilitate stealth and persistence, cryptocurrency miners, a Python script that executes a binary called "website grabber" to steal exposed Amazon Web Services (AWS) secrets from targeted websites, and EnergyMech, an IRC bot that provides C2 and remote command execution capabilities.
The operational fingerprint of the SSHStalker botnet exhibits strong overlaps with that of a hacking group known as Outlaw (aka Dota). This suggests that the threat actor behind the activity could be of Romanian origin, given the presence of "Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists."
The use of legacy kernel exploits by the SSHStalker botnet highlights the need for organizations to prioritize vulnerability management and patching. That the threat actor is leveraging such low-value exploits, which would fail against modern stacks, suggests that it is targeting "forgotten" infrastructure and long-tail legacy environments. This underscores the importance of maintaining robust security controls, including regular updates and patches, to prevent such attacks.
In conclusion, the SSHStalker botnet represents a significant threat in the cybersecurity landscape. Its operational mechanics, which combine IRC botnet mechanics with an automated mass-compromise operation, make it a formidable opponent for organizations. The fact that the threat actor is leveraging legacy kernel exploits highlights the need for prioritizing vulnerability management and patching. As the threat landscape continues to evolve, it is essential to stay vigilant and maintain robust security controls to prevent such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Unmasking-the-SSHStalker-Botnet-A-Stealthy-Operation-Leveraging-Legacy-Kernel-Exploits-ehn.shtml
https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html
https://securityaffairs.com/187833/malware/sshstalker-botnet-targets-linux-servers-with-legacy-exploits-and-ssh-scanning.html
https://nvd.nist.gov/vuln/detail/CVE-2009-2692
https://www.cvedetails.com/cve/CVE-2009-2692/
https://nvd.nist.gov/vuln/detail/CVE-2009-2698
https://www.cvedetails.com/cve/CVE-2009-2698/
https://nvd.nist.gov/vuln/detail/CVE-2010-3849
https://www.cvedetails.com/cve/CVE-2010-3849/
https://nvd.nist.gov/vuln/detail/CVE-2010-1173
https://www.cvedetails.com/cve/CVE-2010-1173/
https://nvd.nist.gov/vuln/detail/CVE-2009-2267
https://www.cvedetails.com/cve/CVE-2009-2267/
https://nvd.nist.gov/vuln/detail/CVE-2009-2908
https://www.cvedetails.com/cve/CVE-2009-2908/
https://nvd.nist.gov/vuln/detail/CVE-2009-3547
https://www.cvedetails.com/cve/CVE-2009-3547/
https://nvd.nist.gov/vuln/detail/CVE-2010-2959
https://www.cvedetails.com/cve/CVE-2010-2959/
https://nvd.nist.gov/vuln/detail/CVE-2010-3437
https://www.cvedetails.com/cve/CVE-2010-3437/
https://securelist.com/outlaw-botnet/116444/
https://thehackernews.com/2025/04/outlaw-group-uses-ssh-brute-force-to.html
Published: Wed Feb 11 06:08:38 2026 by llama3.2 3B Q4_K_M