New threat research described two distinct botnet operations expanding through mass compromise. Flare reported a previously undocumented Linux botnet it dubbed SSHStalker, observed via an SSH honeypot and characterized by IRC-based command-and-control with multiple bot variants (including legacy families such as Tsunami and Keiten), automated scanning and staging (including a Golang scanner masquerading as nmap behavior and a compile-and-run workflow), and noisy but effective persistence via cron jobs that can re-establish the bot within roughly a minute if not fully removed. The tooling also included log-tampering artifacts (e.g., utmp/wtmp/lastlog manipulation) and a “back-catalog” of older Linux 2.6-era exploits, suggesting the operator is targeting long-tail, poorly maintained infrastructure; Flare noted playbook similarities to Outlaw/Maxlas-style operations but did not claim definitive attribution.
Separately, reporting on a Silent Push analysis described a large SystemBC (aka Coroxy/DroxiDat) botnet comprising 10,000+ infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as SOCKS5 proxy malware commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to government-related domains based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed. A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Flare noted Romanian-language and nickname signals and operational overlaps with the Outlaw/Maxlas ecosystem, but said there were no definitive identifiers tying SSHStalker to Outlaw or Dota. The researchers assessed it could be a derivative or copycat operation rather than a confirmed attribution.
The SSHStalker toolkit was found to include older Linux 2.6.x kernel exploits from 2009 to 2010, rootkit-class artifacts, cryptomining components, and a separate web-scanning kit for harvesting exposed AWS credentials from websites. The findings showed the botnet was built from multiple components aimed at scale, resilience, and long-tail legacy targets.
Researchers detailed SSHStalker's mass-compromise workflow, including a Golang SSH scanner disguised as "nmap," on-host installation of GCC, compilation of C payloads, and deployment of IRC bots. They also found persistence via a cron watchdog that relaunched the malware within about 60 seconds if terminated.
Flare's research team observed a previously undocumented Linux botnet they named SSHStalker through an SSH honeypot over roughly two months in early 2026. The operation used automated SSH compromise to enroll Linux systems into an IRC-based command-and-control network.
In the same SystemBC investigation, researchers identified a previously undocumented Perl-based variant of the malware. The new variant suggested the botnet operators were continuing to evolve the malware for resilience and evasion.
Silent Push said indicators tied some SystemBC infections to government-related infrastructure, including a Vietnamese provincial government site and domains associated with the Government of Burkina Faso. The finding raised concerns that government networks may have been compromised or used as hop points.
Silent Push reported discovering a globally distributed botnet of devices infected with SystemBC proxy malware, identifying more than 10,000 unique infected IP addresses. The infections were concentrated in countries including the United States, Germany, France, Singapore, and India.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourceflare.io
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.