SSHStalker is a previously undocumented Linux botnet operation reported by Flare researchers, observed via SSH honeypots over roughly a two-month period in early 2026. The operation compromises Linux servers at scale via mass SSH scanning and brute-force login attempts, followed by rapid staging that installs GCC and compiles multiple C payloads directly on victim hosts. Command-and-control is IRC-based, using multiple servers/channels for redundancy and attempting to blend into normal traffic by leveraging infrastructure that appeared to be on a legitimate public IRC network; Flare authenticated to an associated IRC server and observed bots connecting/disconnecting but no active tasking at the time. The toolset includes multiple IRC bot variants (C and Perl) and references to known families such as Tsunami and Keiten, plus persistence mechanisms including a cron job scheduled every minute to relaunch components if disrupted (with watchdog logic using PID checks). Additional components include log-cleaning/tampering (e.g., utmp/wtmp/lastlog), rootkit-like artifacts, and operation from memory-backed paths such as /dev/shm. The operator maintains a large exploit arsenal focused on legacy Linux 2.6.x kernel privilege-escalation vulnerabilities (largely 2009–2010 CVEs; examples cited include CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173), assessed as most relevant to long-tail, poorly maintained environments. Flare estimated roughly 7,000 infections (with evidence of nearly 7,000 fresh compromises/scan results in January 2026), with the affected population described as mostly cloud servers and showing strong links to Oracle Cloud infrastructure across global regions. While SSHStalker includes capabilities and tooling associated with DDoS and cryptomining (and cryptomining tooling/configurations were present), Flare did not observe immediate impact operations during the monitoring window and characterized the behavior as “dormant persistence,” consistent with staging/testing or strategic access retention. The tradecraft resembles Outlaw/Maxlas-style Linux botnets, but Flare reported no definitive attribution; Romanian-language artifacts, nicknames, and slang in configurations/IRC-related data were cited as the strongest origin clue.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newly identified Linux botnet operation infecting internet-facing Linux servers at scale via mass SSH scanning and brute-force, then deploying an IRC-based bot toolkit with cron-based persistence. Notably appears to prioritize dormant/quiet long-term access (staging/testing/future use) rather than immediate DDoS or cryptomining.
Previously undocumented Linux botnet operation using mass SSH scanning/brute-force for initial access, staging/compiling multiple IRC bot variants on-host, enrolling victims into IRC-based C2 (multi-server/channel redundancy), and maintaining persistence via per-minute cron watchdog. Tooling includes log cleaners (utmp/wtmp/lastlog tampering), rootkit-class artifacts, legacy Linux 2.6.x privilege-escalation exploits (2009–2010 CVEs), and optional monetization via cryptomining; also includes web scanning aimed at harvesting exposed AWS credentials.
Previously undocumented Linux botnet operation observed via SSH honeypot activity; described as blending legacy IRC botnet tactics with modern mass-compromise behavior.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.