Self-Propagating SSH Worm Building an IRC Botnet via Default Raspberry Pi Credentials
Internet Storm Center (ISC) researchers reported a self-propagating SSH worm observed by a DShield honeypot sensor that can compromise exposed Linux systems in roughly four seconds by using credential stuffing/brute force against weak SSH passwords, with a notable focus on Raspberry Pi devices left on default or common credentials (e.g., user pi with passwords such as raspberry and raspberryraspberry993311). The observed attack chain rapidly authenticates, uploads a compact 4.7 KB bash script (via SCP), executes it, and establishes persistence while removing competing malware, enabling worm-like exponential spread across vulnerable internet-connected hosts.
Technical analysis indicates the activity likely originated from an already-compromised Raspberry Pi in Germany (IP 83.135.10.12, Versatel Deutschland), using an SSH client string consistent with Raspbian (SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1) and a recorded HASSH fingerprint ae8bd7dd09970555aa4c6ed22adbbf56. Post-compromise, the malware connects to IRC-based command-and-control and includes cryptographically signed command verification; it also automates scanning and lateral movement using tools such as Zmap and sshpass, reinforcing how default/weak SSH authentication on IoT and small-form-factor Linux systems remains a high-impact botnet entry point.
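The attack chain above (a handful of password guesses, success within seconds, then a second session to upload and run a script) leaves a recognisable shape in plain sshd logs. The following detector is an added example, not code from the ISC/DShield report or from any of the tools it names: it parses the `Accepted`/`Failed` lines sshd writes at its default log level and flags a successful login when it is a password login to a default account, was preceded by failures within a short window, or is followed almost immediately by another session from the same source. The log lines are constructed for the demo, the account list and the time windows are assumptions to tune per fleet, and the address ranges are documentation space.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format) used only to exercise the detector;
# they are not from the ISC/DShield report. 203.0.113.0/24 and 192.0.2.0/24 are
# documentation address ranges.
SAMPLE_LOG = """\
Jan 14 03:12:01 pi4 sshd[2101]: Failed password for pi from 203.0.113.45 port 51234 ssh2
Jan 14 03:12:02 pi4 sshd[2101]: Failed password for pi from 203.0.113.45 port 51234 ssh2
Jan 14 03:12:03 pi4 sshd[2101]: Accepted password for pi from 203.0.113.45 port 51234 ssh2
Jan 14 03:12:03 pi4 sshd[2101]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jan 14 03:12:04 pi4 sshd[2107]: Accepted password for pi from 203.0.113.45 port 51240 ssh2
Jan 14 09:00:10 pi4 sshd[3001]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

# Matches the "Accepted"/"Failed" authentication lines sshd writes at its default log level.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Default account named in the report; extend with whatever ships on your fleet's images (assumption).
DEFAULT_ACCOUNTS = {"pi"}


def parse_auth_events(text):
    """Turn raw sshd lines into dicts; non-auth lines (e.g. pam session messages) are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        events.append({
            # syslog lines carry no year; only relative ordering matters for this check
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"],
        })
    return events


def find_suspicious_logins(text, fail_window=timedelta(seconds=10), burst=timedelta(seconds=5)):
    """Flag successful logins that look like the automated chain in the report:
    password auth to a default account, failures only seconds before success,
    and a follow-on session from the same source right after (upload, then execute)."""
    by_pair = defaultdict(list)
    for ev in parse_auth_events(text):
        by_pair[(ev["src"], ev["user"])].append(ev)

    findings = []
    for (src, user), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        accepted = [e for e in evs if e["result"] == "Accepted"]
        failed = [e for e in evs if e["result"] == "Failed"]
        for i, ok in enumerate(accepted):
            reasons = []
            if ok["method"] == "password" and user in DEFAULT_ACCOUNTS:
                reasons.append("password login to default account")
            recent_failures = [f for f in failed if ok["ts"] - fail_window <= f["ts"] < ok["ts"]]
            if recent_failures:
                reasons.append(f"{len(recent_failures)} failed attempts within "
                               f"{int(fail_window.total_seconds())}s before success")
            if i + 1 < len(accepted) and accepted[i + 1]["ts"] - ok["ts"] <= burst:
                reasons.append(f"follow-on session within {int(burst.total_seconds())}s")
            if reasons:
                # time from the first attempt by this source/user pair to this successful login
                first_seen = min(e["ts"] for e in evs if e["ts"] <= ok["ts"])
                findings.append({
                    "src": src, "user": user, "ts": ok["ts"].strftime("%b %d %H:%M:%S"),
                    "seconds_to_compromise": (ok["ts"] - first_seen).total_seconds(),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

On the constructed input the first `pi` login is flagged on all three counts, with two seconds from first attempt to success; the `alice` publickey login is not flagged. If a network sensor in front of the hosts records HASSH values, the same pass can be extended to match the fingerprint and client string quoted in the report, but treat those as weak indicators: the client string is simply what a stock Raspbian OpenSSH client sends, so it identifies the platform of the attacking host, not the worm.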
Related Stories

SSHStalker Linux Botnet Uses SSH Brute Force and Legacy Exploits for Dormant Persistence
Researchers reported a previously undocumented Linux botnet dubbed **SSHStalker** that has compromised roughly **7,000** systems by combining **SSH credential brute-forcing/scanning** with **legacy (circa-2009) exploit chains** and highly automated staging. The activity was observed over multiple weeks via SSH honeypots, with intrusions characterized by rapid deployment, on-host compilation, and automated enrollment into command infrastructure, indicating an operation optimized for mass compromise rather than targeted intrusion. SSHStalker uses **IRC-based command-and-control** and a mixed toolkit that includes C-based bots, Perl scripts, and known botnet malware families such as **Tsunami** and **Keiten**. Reporting highlighted an unusual “**dormant persistence**” pattern: infected hosts are kept under control without immediate visible monetization or impact operations, despite having capabilities associated with **DDoS** and **cryptomining**. Persistence is described as noisy but effective, including **cron-based relaunch** behavior that can restore the malware within about a minute after disruption, suggesting the operator may be staging infrastructure or retaining access for future use.
1 month ago
New Botnet Research Highlights Linux SSH Compromise and SystemBC Proxy Malware at Scale
New threat research described two distinct botnet operations expanding through mass compromise. Flare reported a previously undocumented Linux botnet it dubbed **SSHStalker**, observed via an SSH honeypot and characterized by *IRC-based* command-and-control with multiple bot variants (including legacy families such as **Tsunami** and **Keiten**), automated scanning and staging (including a Golang scanner masquerading as `nmap` and a compile-and-run workflow), and noisy but effective persistence via `cron` jobs that can re-establish the bot within roughly a minute if it is not fully removed. The tooling also included log-tampering artifacts (e.g., `utmp/wtmp/lastlog` manipulation) and a “back-catalog” of older Linux 2.6-era exploits, suggesting the operator is targeting long-tail, poorly maintained infrastructure; Flare noted playbook similarities to **Outlaw/Maxlas**-style operations but did not claim definitive attribution. Separately, reporting on a Silent Push analysis described a large **SystemBC** (aka **Coroxy/DroxiDat**) botnet comprising **10,000+** infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as **SOCKS5 proxy malware** commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to **government-related domains** based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed. A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.
1 month ago
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of the **TP-Link Archer AX21** flaw `CVE-2023-1389` to later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Today