SSHStalker Botnet Revives IRC for Control, Exploits Weak SSH Passwords

SSHStalker: The Resurgence of IRC Botnets Through Automated SSH Exploitation

In early 2026, cybersecurity researchers identified a new Linux-based botnet named SSHStalker, which revives the use of Internet Relay Chat (IRC) for command and control while employing automated techniques to compromise servers via SSH. This botnet primarily targets systems with weak or reused SSH passwords, converting each compromised host into a platform for further scanning and infection.

Infection Mechanism

The attack begins with the deployment of a Golang binary misleadingly named nmap, designed to scan for open SSH ports (port 22) on potential target systems. Upon identifying vulnerable servers, the attackers download and install the GNU Compiler Collection (GCC) to compile small C programs, facilitating the deployment of IRC bots and auxiliary tools. These components are often delivered through layered archives such as GS and bootbou.tgz.

Notably, staging data from the attackers included nearly 7,000 fresh SSH scan results from January 2026, with a significant number of IP addresses belonging to large cloud hosting providers. This indicates a broad and systematic scanning strategy aimed at maximizing the botnet’s reach.

Operational Characteristics

Flare researchers, upon analyzing the SSHStalker campaign, noted its emphasis on scalability and resilience over stealth. The operation utilizes a combination of IRC bot variants written in C and Perl, supported by redundant servers and channels to maintain control over infected hosts. This approach ensures continuous uptime and facilitates rapid expansion across various Linux distributions.

A piece of ASCII art found within the attacker’s files further underscores the campaign’s distinctive signature and possibly serves as a form of digital branding or identification.

Persistence Mechanisms

SSHStalker employs straightforward yet effective persistence techniques. It records its working directory and adds a cron job set to execute every minute, running an update watchdog script. If the main process is terminated, this script checks a process ID (PID) file and restarts the bot, often regaining control within approximately 60 seconds. This rapid recovery necessitates comprehensive removal of all components to prevent re-infection during incident response efforts.

Indicators of Compromise (IoCs) and Removal

To effectively neutralize SSHStalker, the following steps are recommended:

– Remove the one-minute cron entry: This entry is responsible for the bot’s rapid reactivation.

– Delete the full kit directory: Often located in `/dev/shm`, this directory contains the bot’s components.

– Hunt for additional services or init scripts: The distro helper may have added these to ensure persistence.
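To illustrate the persistence mechanism described above and the first two removal steps, here is an added example (not code from the Flare analysis or from the botnet itself) that flags every-minute cron entries running from writable staging areas and lists the paths an analyst should inspect before deleting the kit. The crontab text is constructed for demonstration, and the staging-area patterns (`/dev/shm`, `/tmp`, hidden directories under `/home`) are assumptions about where such kits are usually dropped.

```shell
# Flag cron lines scheduled every minute ("* * * * *") whose command runs from
# a writable staging area or references a .pid file, the pattern the watchdog
# described above uses. Reads crontab text on stdin; on a live host feed it
# `crontab -l` for every user plus /etc/cron.d/* and /var/spool/cron/*.
find_minute_cron_persistence() {
    grep -E '^[[:space:]]*\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+' \
      | grep -E '(/dev/shm/|/tmp/|/home/[^ ]+/\.)|\.pid'
}

# From the flagged lines, extract the staging paths to review (and later
# remove as a whole, since a partial cleanup lets the watchdog restart the bot).
staging_paths_from_hits() {
    find_minute_cron_persistence \
      | grep -oE '(/dev/shm|/tmp|/home)/[^ >&;]+' \
      | sort -u
}

# Constructed sample crontab: two benign jobs, one five-minute job, and two
# every-minute entries that match the persistence pattern. Not real indicators.
SAMPLE_CRONTAB='# constructed sample, not real indicators
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /dev/shm/.x/update >/dev/null 2>&1
* * * * * cd /home/deploy/.cache/k && ./watchdog.sh
0 * * * * /usr/bin/updatedb'

# Number of suspicious lines in the sample (expected: 2).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_minute_cron_persistence | wc -l | tr -d ' '
}

# Staging paths found in the sample, one per line, sorted.
sample_staging_paths() {
    printf '%s\n' "$SAMPLE_CRONTAB" | staging_paths_from_hits
}

# Demonstration run.
printf 'suspicious cron entries: %s\n' "$(count_sample_hits)"
sample_staging_paths
```

Remove the flagged cron entries before killing the bot process; otherwise, as the page notes, the watchdog restarts it within about a minute.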

Preventive Measures

To mitigate the risk of SSHStalker and similar threats, consider implementing the following security practices:

– Disable SSH password authentication: Enforce key-based access to enhance security.

– Rate-limit brute-force attempts: Implement measures to detect and block repeated failed login attempts.

– Restrict SSH exposure: Limit SSH access to trusted networks only.

– Monitor for unexpected GCC or make executions: Be vigilant for compilations occurring in user directories, `/tmp`, or `/dev/shm`.

– Detect new binaries executing shortly after compilation: This can indicate unauthorized software deployment.

– Monitor network activity: Watch for IRC client registrations and channel joins, and implement egress filtering to prevent long-lived outbound TCP sessions to unknown IRC infrastructure.

By adhering to these practices, organizations can significantly reduce the risk of SSHStalker infections and enhance their overall cybersecurity posture.