Mallory
Malware | Used by 2 actors | Exploits 9 CVEs

SSHStalker

SSHStalker is a newly documented Linux botnet that uses Internet Relay Chat (IRC) for command-and-control and spreads primarily by automated SSH scanning and brute-force attacks against servers with weak or reused credentials. Flare researchers reported observing the operation via SSH honeypots over roughly two months in early 2026 and estimated that it had infected about 7,000 systems, with many compromised hosts appearing to be cloud servers, including strong links to Oracle Cloud infrastructure.

The botnet is characterized as a scale-first operation that prioritizes reliability, uptime, and repeatability over stealth. Its deployment chain includes a Golang SSH scanner masquerading as "nmap," on-host installation of GCC, and compilation of multiple C payloads directly on victim systems. The toolkit includes multiple IRC bot variants written in C and Perl, including references to Tsunami and Keiten, redundant IRC servers and channels for resilience, and persistence mechanisms based on cron jobs that relaunch the malware within about 60 seconds if disrupted. Researchers also reported use of memory-backed paths such as /dev/shm, service/init-script persistence via helper scripts, and log-cleaning components that tamper with shell history and utmp/wtmp/lastlog artifacts.

SSHStalker also carries a large catalog of legacy Linux kernel privilege-escalation exploits, largely targeting Linux 2.6.x-era vulnerabilities from 2009-2010, and Flare identified 81 exploit-related artifacts covering 16 CVEs. Additional capabilities directly mentioned in the reporting include rootkit-class artifacts, DDoS-capable IRC bot functionality, cryptomining tooling and configurations, and a web reconnaissance kit designed to harvest exposed AWS access keys from websites at scale. Flare described the operation as exhibiting "dormant persistence": infected systems were enrolled into IRC control infrastructure even when no active tasking was observed. Although the tradecraft resembles Outlaw/Maxlas-style Linux botnets and Romanian-language artifacts were noted, no direct attribution was confirmed.
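The persistence and log-cleaning behaviour described above gives a defender two cheap hunts on a suspect host. The script below is an added example, not code from Flare's report or from Mallory: it flags crontab entries that execute something from /dev/shm (or another temp path, an assumption) on a short cycle, the watchdog pattern behind "relaunches within about 60 seconds", and it cross-checks sshd "Accepted" lines from auth.log against the users present in wtmp, so a successful login whose record has vanished stands out as possible utmp/wtmp/lastlog tampering. The crontab, auth.log lines and wtmp user set are constructed sample data; the five-minute threshold and the /tmp and /var/tmp prefixes are assumptions.

```python
"""Two hunting checks for the SSHStalker persistence and log-cleaning behaviour
described above. Added example, not code from Flare or Mallory.

1. suspicious_cron_entries(): crontab lines that execute from a memory-backed or
   world-writable path, with the run interval noted when it is a short cycle
   (the "relaunch within about 60 seconds" watchdog pattern).
2. logins_missing_from_wtmp(): successful sshd logins from auth.log whose user has
   no login record in wtmp, a sign that utmp/wtmp/lastlog were cleaned.

All sample data is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# /dev/shm comes from the report; /tmp and /var/tmp are added as common staging dirs (assumption).
SUSPECT_PATH_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")

# Five schedule fields, then the command. On /etc/crontab-style lines the user field
# simply becomes the first word of the command, which does not affect the path match.
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# sshd success line, e.g. "sshd[2931]: Accepted password for deploy from 203.0.113.7 port 4242 ssh2"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


@dataclass
class CronFinding:
    line: str
    interval_minutes: int | None  # None when the entry is not a sub-hourly cycle
    reason: str


def _minute_interval(minute_field: str) -> int | None:
    """Interval in minutes for fields that fire several times an hour: '*' -> 1,
    '*/5' -> 5. Anything else (a fixed minute such as '0') returns None."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text: str, max_interval: int = 5) -> list[CronFinding]:
    """Flag entries that run from a suspect path; note the cycle when it is <= max_interval minutes."""
    findings: list[CronFinding] = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments, and VAR=value assignments
        if line.startswith("@"):  # @reboot, @hourly, ... shortcuts
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            interval, command = None, parts[1]
        else:
            m = CRON_RE.match(line)
            if not m:
                continue
            interval, command = _minute_interval(m.group(1)), m.group(6)
        if not any(p in command for p in SUSPECT_PATH_PREFIXES):
            continue
        if interval is not None and interval <= max_interval:
            reason = f"runs every {interval} min from a memory-backed or temp path"
        else:
            reason = "executes from a memory-backed or temp path"
        findings.append(CronFinding(line, interval, reason))
    return findings


def logins_missing_from_wtmp(auth_log: str, wtmp_users: set[str]) -> list[tuple[str, str]]:
    """(user, source_ip) for accepted sshd logins with no wtmp record for that user.
    Log rotation can also explain a gap, so treat a hit as a lead, not a verdict."""
    missing = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) not in wtmp_users:
            missing.append((m.group(1), m.group(2)))
    return missing


# Constructed sample crontab: two benign jobs, two short-cycle relaunchers, one @reboot hook.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.x/run >/dev/null 2>&1
*/2 * * * * cd /tmp/.cache && ./kswapd0 >/dev/null 2>&1
@reboot /dev/shm/.x/init.sh
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Constructed auth.log excerpt (RFC 5424-free syslog style).
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 host sshd[2931]: Accepted password for deploy from 203.0.113.7 port 4242 ssh2
Mar  3 04:12:03 host sshd[2931]: pam_unix(sshd:session): session opened for user deploy
Mar  3 04:40:17 host sshd[3107]: Failed password for root from 198.51.100.9 port 51010 ssh2
Mar  3 04:41:22 host sshd[3110]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# Users with a login record in wtmp (what `last` would list); constructed, and 'deploy' is absent.
SAMPLE_WTMP_USERS = {"alice", "bob"}

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[cron] {f.reason}: {f.line}")
    for user, ip in logins_missing_from_wtmp(SAMPLE_AUTH_LOG, SAMPLE_WTMP_USERS):
        print(f"[wtmp] accepted login for {user} from {ip} has no wtmp record")
```

On a live host, feed `crontab -l` output for each user plus /etc/crontab and /etc/cron.d/* into the first check, and the usernames from `last -F` into the second; the @reboot and every-minute hits from memory-backed paths are the ones worth pulling the binary for.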


EXPLOITED CVES

Vulnerabilities exploited

9 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2009-2908: Linux kernel eCryptfs d_delete NULL pointer dereference
CVE-2009-2692: Linux Kernel sock_sendpage NULL Pointer Dereference Privilege Escalation
CVE-2009-2698: Local privilege escalation / DoS via NULL pointer dereference in Linux kernel udp_sendmsg (MSG_MORE)
CVE-2009-2267: Privilege escalation in VMware products via Virtual-8086 mode #PF exception handling
CVE-2010-3437: Linux kernel pktcdvd pkt_find_dev_from_minor signedness error in PKT_CTRL_CMD_STATUS ioctl
CVE-2010-1173: DoS in Linux kernel SCTP sctp_process_unk_param via crafted SCTPChunkInit
CVE-2010-3849: NULL pointer dereference in Linux kernel econet_sendmsg
CVE-2009-3547: Race condition in Linux kernel fs/pipe.c via /proc/*/fd/ anonymous pipe open
CVE-2010-2959: Linux kernel CAN BCM integer overflow in net/can/bcm.c

Evidence cited for each of the nine rows (via the Flare blog, flare.io):

“Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker… SSHStalker relies on classic, “old-school” IRC botnet mechanics…”
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Outlaw
Maxlas

Evidence cited for both (via the Flare blog, flare.io):

“Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker… SSHStalker relies on classic, “old-school” IRC botnet mechanics…”
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

“…large collection of outdated Linux 2.6.x kernel exploits… using many 2009–2010 CVEs… still work against neglected and legacy systems.”

Execution

1 technique
T1053.003 Cron (evidence: 3)

“…persistence mechanism… using cron jobs that relaunch the malware within about a minute if disrupted… sets up persistence using cron jobs…”

Persistence

1 technique
T1053.003 Cron (evidence: 3)

“…persistence mechanism… using cron jobs that relaunch the malware within about a minute if disrupted… sets up persistence using cron jobs…”

Privilege Escalation

2 techniques
T1053.003 Cron (evidence: 3)

“…persistence mechanism… using cron jobs that relaunch the malware within about a minute if disrupted… sets up persistence using cron jobs…”

T1068 Exploitation for Privilege Escalation (evidence: 1)

“payloads to escalate privileges using a catalog of 15-year-old CVEs”

Stealth

5 techniques
T1014 Rootkit (evidence: 1)

“The toolkit mixes log cleaners and rootkit-like artifacts…”

T1027.004 Compile After Delivery (evidence: 1)

“…rapid staging, on-host compilation… It… compiles malware directly on the victim…”

T1036 Masquerading (evidence: 1)

“using a Go binary that masquerades as the popular… utility nmap.”

T1070 Indicator Removal (evidence: 1)

“The same kit also compiles log cleaners that target shell history and utmp/wtmp/lastlog records…”

T1070.002 Clear Linux or Mac System Logs (evidence: 1)

“The toolkit mixes log cleaners… It… cleans logs…”

Credential Access

2 techniques
T1110 Brute Force (evidence: 4)

“SSHStalker breaks into Linux servers via mass SSH scanning and brute force…”

T1552.001 Credentials In Files (evidence: 1)

“perform AWS key harvesting”

Discovery

1 technique
T1046 Network Service Discovery (evidence: 3)

“SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning”

Lateral Movement

2 techniques
T1021.004 SSH (evidence: 1)

“Compromised hosts are then used to scan for additional SSH targets, allowing it to spread in a worm-like manner.”

T1210 Exploitation of Remote Services (evidence: 1)

“SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning”

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 4)

“…new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.”

T1071.004 DNS (evidence: 1)

“Old-School IRC, New Victims: Inside the Newly Discovered SSHStalker Linux Botnet”

T1105 Ingress Tool Transfer (evidence: 2)

“SSHStalker Botnet Uses IRC C2 to Control Linux Systems”

Impact

1 technique
T1496 Resource Hijacking (evidence: 1)

“cryptocurrency mining”
