
Who remembers IRC? Clearly some hackers, as a new Linux botnet uses some incredibly old-school methods to cut costs

By Efosa Udinmwen, published 14 February 2026

Linux servers targeted by SSHStalker using automated scans, cron jobs, and IRC

  • SSHStalker uses IRC channels and multiple bots to control infected Linux hosts
  • Automated SSH brute-forcing rapidly spreads the botnet through cloud server infrastructures
  • Compilers are downloaded locally to build payloads for reliable cross-distribution execution

SSHStalker, a recently discovered Linux botnet, is apparently relying on the classic IRC (Internet Relay Chat) protocol to manage its operations.

Created in 1988, IRC was once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth needs, and cross-platform compatibility.

Unlike modern command-and-control frameworks, SSHStalker uses multiple bots, redundant channels, and servers to maintain control over infected devices while keeping operational costs low.

Botnet structure and command infrastructure

SSHStalker's malware achieves initial access through automated SSH scanning and brute-force attacks, and then uses a Go-based binary disguised as the open-source network tool nmap to infiltrate servers.

Researchers from security firm Flare documented nearly 7,000 bot scan results in a single month, mainly targeting cloud infrastructure, including Oracle Cloud environments.

Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.

After infection, SSHStalker downloads the GCC compiler to build payloads directly on the compromised system, which ensures its C-based IRC bots can run reliably across different Linux distributions.

These bots contain hard-coded servers and channels that enroll the host into the IRC-controlled botnet.

Additional payloads named GS and bootbou provide orchestration and execution sequencing, effectively creating a scalable network of infected machines under centralized IRC control.

Persistence on each host is maintained through cron jobs set to run every minute, which monitor the main bot process and relaunch it if terminated, creating a constant feedback loop.

The botnet also leverages exploits for 16 old Linux kernel CVEs dating from 2009 to 2010, using them to escalate privileges once a low-privileged user account is compromised.

Beyond basic control, SSHStalker has built-in monetization mechanisms, as the malware harvests AWS keys, performs website scanning, and includes cryptomining capabilities via PhoenixMiner for Ethereum mining.

Although DDoS capabilities exist, Flare has not observed any attacks, suggesting that the botnet is either in testing or hoarding access.

Defensive strategies against SSHStalker emphasize monitoring compiler installations, unusual cron activity, and IRC-style outbound connections.

Administrators are advised to disable SSH password authentication, remove compilers from production environments, and enforce strict egress filtering.

Maintaining strong antivirus solutions and using good firewall protocols can reduce exposure to this and other legacy-style threats.
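The three monitoring signals named above (compiler installations, every-minute cron entries, and IRC-style outbound connections) can be checked with a few lines of parsing. The following is an added example, not code from the article or from Flare's research; the sample crontab, dpkg log, and `ss -tnp` lines are constructed, the crontab is assumed to be in per-user format, and the IRC port set is an assumption based on the conventional ports 6667 and 6697.

```python
import re
# Constructed sample inputs (not from the article or Flare's report).
CRONTAB = """\
* * * * * /home/app/.cache/update >/dev/null 2>&1
*/1 * * * * pgrep -x worker || /tmp/.x/worker
15 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""
DPKG_LOG = """\
2026-02-10 04:12:01 install gcc-12:amd64 <none> 12.2.0-14
2026-02-10 04:12:03 install make:amd64 <none> 4.3-4.1
2026-02-11 09:00:00 upgrade openssl:amd64 3.0.11-1 3.0.13-1
"""
SS_TNP = """\
ESTAB 0 0 10.0.0.5:51544 203.0.113.7:6667 users:(("worker",pid=4121,fd=3))
ESTAB 0 0 10.0.0.5:40310 192.0.2.44:443 users:(("curl",pid=5000,fd=5))
"""
IRC_PORTS = {6667, 6697}  # assumption: conventional IRC ports; a bot may use others
COMPILER = re.compile(r"^(gcc|g\+\+|clang|make|build-essential)(-\d+)?$")

def every_minute_jobs(crontab):
    """Commands scheduled with '* * * * *' (or '*/1'), i.e. run every minute."""
    hits = []
    for line in crontab.splitlines():
        f = line.split(None, 5)
        if len(f) == 6 and f[0] in ("*", "*/1") and f[1:5] == ["*"] * 4:
            hits.append(f[5])
    return hits

def compiler_installs(dpkg_log):
    """(timestamp, package) for dpkg 'install' events of compiler toolchain packages."""
    hits = []
    for line in dpkg_log.splitlines():
        p = line.split()
        if len(p) >= 4 and p[2] == "install" and COMPILER.match(p[3].split(":")[0]):
            hits.append((f"{p[0]} {p[1]}", p[3].split(":")[0]))
    return hits

def irc_connections(ss_output):
    """(process, peer) for established TCP sockets whose remote port is an IRC port."""
    hits = []
    for line in ss_output.splitlines():
        c = line.split()
        if len(c) >= 5 and c[0] == "ESTAB" and int(c[4].rsplit(":", 1)[1]) in IRC_PORTS:
            proc = re.search(r'\(\("([^"]+)"', line)
            hits.append((proc.group(1) if proc else "?", c[4]))
    return hits

if __name__ == "__main__":
    print(every_minute_jobs(CRONTAB), compiler_installs(DPKG_LOG), irc_connections(SS_TNP))
```

Any single hit can be benign, since every-minute jobs and compilers are common on build hosts; the combination on a production server is what warrants a closer look.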

Via BleepingComputer

Efosa Udinmwen, Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
