Researchers reported a previously undocumented Linux botnet dubbed SSHStalker that has compromised roughly 7,000 systems by combining SSH credential brute-forcing/scanning with legacy (circa-2009) exploit chains and highly automated staging. The activity was observed over multiple weeks via SSH honeypots, with intrusions characterized by rapid deployment, on-host compilation, and automated enrollment into command infrastructure, indicating an operation optimized for mass compromise rather than targeted intrusion.
SSHStalker uses IRC-based command-and-control and a mixed toolkit that includes C-based bots, Perl scripts, and known botnet malware families such as Tsunami and Keiten. Reporting highlighted an unusual “dormant persistence” pattern: infected hosts are kept under control without immediate visible monetization or impact operations, despite having capabilities associated with DDoS and cryptomining. Persistence is described as noisy but effective, including cron-based relaunch behavior that can restore the malware within about a minute after disruption, suggesting the operator may be staging infrastructure or retaining access for future use.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Flare reported the previously undocumented SSHStalker botnet, describing its IRC-based components, dormant persistence, use of 2009–2010-era exploits, and possible Romanian-language clues. The researchers also published indicators of compromise and defensive guidance for detection and mitigation.
During the observed campaign, the botnet infected roughly 7,000 Linux machines, with heavy impact on cloud-hosted servers and links to Oracle Cloud infrastructure. The operators used weak SSH credentials and legacy Linux privilege-escalation exploits to expand access.
Flare researchers observed repeated attacks from a previously undocumented Linux botnet in their SSH honeypots over a two-month period in early 2026. The activity showed mass SSH scanning and brute-force attempts against Linux servers.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourcesecurityaffairs.com
Open sourcecsoonline.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.