SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits

Published: February 11, 2026 at 04:56 AM EST

Source: The Hacker News

Ravie Lakshmanan, Feb 11, 2026 (Linux / Botnet)

Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command‑and‑control (C2) purposes.

“The toolset blends stealth helpers with legacy‑era Linux exploitation: Alongside log cleaners (utmp/wtmp/lastlog tampering) and rootkit‑class artifacts, the actor keeps a large back‑catalog of Linux 2.6.x‑era exploits (2009–2010 CVEs). These are low value against modern stacks, but remain effective against ‘forgotten’ infrastructure and long‑tail legacy environments.” – Flare


Overview

  • SSHStalker combines classic IRC botnet mechanics with an automated mass‑compromise operation.
  • It uses an SSH scanner (written in Go) and other readily available scanners to co‑opt vulnerable systems and enroll them in IRC channels.
  • Unlike many botnets that focus on opportunistic activities (DDoS, proxyjacking, crypto‑mining), SSHStalker maintains persistent access without any obvious post‑exploitation behavior.

The dormant behavior suggests the compromised infrastructure may be used for staging, testing, or strategic access retention.
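Because SSHStalker's bots register with an IRC server and then sit idle, the most reliable network signal is the IRC client handshake itself rather than any later activity. The following detector is an added example, not Flare's analysis code or anything from the botnet: it assumes you can feed it the first payload bytes of each direction of an outbound TCP flow (for instance from a sensor or pcap extraction), and all flows below are constructed sample data. It matches on protocol markers, not on port, because C2 servers are frequently run on ports other than 6667/6697.

```python
"""Flag outbound flows that speak the IRC client protocol, on any port.

Added example (not Flare's or the botnet's code). The flow dicts are a
constructed stand-in for whatever your sensor exports per connection.
"""
import re

STANDARD_IRC_PORTS = {6667, 6697}

# Client registration / channel commands at the start of a line.
CLIENT_CMD_RE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PONG) ", re.M)
# Server side: numeric reply ":<server> 001 <nick> :Welcome ..." or a PING.
SERVER_RE = re.compile(rb"^(:\S+ \d{3} |PING :)", re.M)
JOIN_RE = re.compile(rb"^JOIN (#\S+)", re.M)


def irc_markers(payload: bytes) -> set:
    """Return the set of IRC protocol markers seen in one direction of a flow."""
    markers = {m.group(1).decode() for m in CLIENT_CMD_RE.finditer(payload)}
    if SERVER_RE.search(payload):
        markers.add("SERVER_REPLY")
    return markers


def detect_irc_c2(flows, min_markers: int = 2):
    """Return one finding per flow that shows at least `min_markers` IRC markers.

    A single marker (e.g. a stray 'USER ') is weak; NICK+USER, or a client
    command plus a server numeric reply, is a confident IRC match.
    """
    findings = []
    for flow in flows:
        markers = irc_markers(flow["client_payload"]) | irc_markers(flow["server_payload"])
        if len(markers) < min_markers:
            continue
        join = JOIN_RE.search(flow["client_payload"])
        findings.append({
            "dst": flow["dst"],
            "dport": flow["dport"],
            "markers": sorted(markers),
            "nonstandard_port": flow["dport"] not in STANDARD_IRC_PORTS,
            "channel": join.group(1).decode() if join else None,
        })
    return findings


# Constructed sample flows (documentation-range addresses, invented nicks).
SAMPLE_FLOWS = [
    {   # classic IRC bot registration on the default port, joining a control channel
        "src": "10.0.0.5", "dst": "203.0.113.20", "dport": 6667,
        "client_payload": b"NICK bot-x7\r\nUSER bot 0 * :bot\r\nJOIN #ctrl\r\n",
        "server_payload": b":irc.example 001 bot-x7 :Welcome\r\n",
    },
    {   # same protocol hidden on an HTTPS-looking port
        "src": "10.0.0.6", "dst": "203.0.113.21", "dport": 8443,
        "client_payload": b"NICK w0rm12\r\nUSER w 0 * :w\r\n",
        "server_payload": b"PING :abc123\r\n",
    },
    {   # ordinary HTTP, must not be flagged
        "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 80,
        "client_payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "server_payload": b"HTTP/1.1 200 OK\r\n\r\n",
    },
]

if __name__ == "__main__":
    for finding in detect_irc_c2(SAMPLE_FLOWS):
        print(finding)
```

Run over the constructed flows, the detector reports the two IRC sessions and ignores the HTTP request; the second finding carries `nonstandard_port: True`, which is the case worth alerting on first, since legitimate IRC on 8443 is rare.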

Technical Details

  • Scanner – A Golang component that probes port 22 for open SSH services, spreading the botnet in a worm‑like fashion.
  • Payloads – Includes:
    • Variants of an IRC‑controlled bot.
    • A Perl bot that connects to an UnrealIRCd server, joins a control channel, and awaits commands for flood‑style attacks.
  • Log‑cleaning – Executes compiled C programs to erase SSH connection logs (utmp, wtmp, lastlog) and reduce forensic visibility.
  • Keep‑alive – A watchdog that restarts the main malware process within 60 seconds if it is terminated.
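The log-cleaning step above removes or zeroes the utmp/wtmp/lastlog records of the attacker's SSH sessions, but sshd writes its own "Accepted ..." line to the auth log (or the journal) before the session is recorded in wtmp, so the two sources can be cross-checked. The script below is an added example, not Flare's tooling or the botnet's cleaner: it assumes the glibc x86_64 `struct utmp` layout (384-byte records) and sshd's standard "Accepted" log format, and both the auth-log lines and the wtmp bytes are constructed sample data. It reports sshd logins that have no matching `USER_PROCESS` wtmp record and counts zero-filled records, which is what many utmp cleaners leave behind instead of shrinking the file.

```python
"""Cross-check sshd 'Accepted' logins against wtmp to spot utmp/wtmp cleaning.

Added example (not Flare's or the botnet's code). Assumes glibc x86_64
struct utmp (384 bytes) and the standard sshd log line; all input is
constructed sample data.
"""
import re
import struct

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (2 ints),
# ut_addr_v6[4], 20 unused bytes  -> 384 bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type value for an interactive login

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_wtmp(blob: bytes):
    """Yield one dict per wtmp record: type, user, host, and whether it is all zeros."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    for off in range(0, len(blob), UTMP_SIZE):
        rec = blob[off:off + UTMP_SIZE]
        fields = struct.unpack(UTMP_FMT, rec)
        yield {
            "type": fields[0],
            "user": fields[4].split(b"\0", 1)[0].decode(errors="replace"),
            "host": fields[5].split(b"\0", 1)[0].decode(errors="replace"),
            "zeroed": rec == b"\0" * UTMP_SIZE,
        }


def find_tampering(auth_log: str, wtmp: bytes):
    """Return human-readable findings; an empty list means the sources agree."""
    records = list(parse_wtmp(wtmp))
    recorded = {(r["user"], r["host"]) for r in records if r["type"] == USER_PROCESS}
    findings = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and (m["user"], m["host"]) not in recorded:
            findings.append(f"login not in wtmp: {m['user']} from {m['host']}")
    zeroed = sum(r["zeroed"] for r in records)
    if zeroed:
        findings.append(f"{zeroed} zero-filled wtmp record(s) (typical of utmp cleaners)")
    return findings


def make_record(ut_type: int, user: str, host: str, pid: int = 0, line: str = "pts/0") -> bytes:
    """Build one wtmp record; used here only to construct test data."""
    return struct.pack(
        UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
        0, 0, 0, 0, 0, 0, 0, 0, 0,
    )


# Constructed auth-log lines (documentation-range addresses).
SAMPLE_AUTH_LOG = """\
Feb 11 04:12:31 web1 sshd[2201]: Accepted password for deploy from 198.51.100.7 port 51234 ssh2
Feb 11 04:15:02 web1 sshd[2290]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2
Feb 11 04:15:09 web1 sshd[2301]: Failed password for root from 198.51.100.7 port 51300 ssh2
"""

# Constructed wtmp: the 'ops' login survived, the 'deploy' login was wiped by
# zero-filling its record in place.
SAMPLE_WTMP = make_record(USER_PROCESS, "ops", "192.0.2.10", pid=2290) + b"\0" * UTMP_SIZE

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_AUTH_LOG, SAMPLE_WTMP):
        print(finding)
```

On a live host the same check runs over `/var/log/auth.log` (or `journalctl -u ssh`) and `/var/log/wtmp`; if the auth log has been truncated as well, compare against a forwarded copy on your log collector, which is the one place a host-local cleaner cannot reach.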

Exploited Vulnerabilities

SSHStalker bundles a catalog of 16 distinct Linux kernel vulnerabilities, many dating back to 2009. (The article lists the notable CVEs in a table that is not reproduced here.)

Associated Tooling

Flare’s investigation of the actor’s staging infrastructure uncovered a large repository of open‑source offensive tools and previously published malware, including:

  • Rootkits for stealth and persistence.
  • Cryptocurrency miners.
  • A Python script that runs a binary called “website grabber” to steal exposed AWS credentials from targeted sites.
  • EnergyMech, an IRC bot providing C2 and remote command execution.

Attribution

  • Possible origin: Romanian, based on nicknames, slang, and naming conventions observed in IRC channels and configuration wordlists.
  • Operational overlap: Similar tactics, techniques, and procedures (TTPs) to the Outlaw group (aka Dota).

“SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration.” – Flare

Flare said the toolset was built “by primarily using C for core bot and low‑level components, shell for orchestration and persistence, and limited Python and Perl usage mainly for utility or supporting automation tasks inside the attack chain and running the IRC bot.”

“The threat actor is not developing zero‑days or novel rootkits, but demonstrating strong operational discipline in mass‑compromise workflows, infrastructure recycling, and long‑tail persistence across heterogeneous Linux environments.” – Flare

