
7,000 Servers and Counting: The Rise of the SSHStalker Linux Botnet


Cybercriminal groups and opportunistic botnet operators continue to shift toward scale-first, persistence-driven operations that rely on misconfigurations, weak authentication, and long-tail vulnerabilities rather than sophisticated zero-days. Recent analysis by Flare and other security researchers shows how a new botnet, SSHStalker, is expanding rapidly across the global Linux landscape through automated SSH scanning, password brute-forcing, and exploitation of kernel vulnerabilities that were patched years ago but are still present on unmaintained hosts.

While not linked to any nation-state operator, SSHStalker follows the high-volume, infrastructural strategy of historical botnets, valuing resilience and scale over stealth or novelty. Its operators maintain persistent access to thousands of exposed systems using IRC-based command-and-control, cron-based watchdog persistence, and a curated set of 2009–2010 local privilege-escalation exploits, most of them against the Linux 2.6.x kernel.


Background on SSHStalker Operations

SSHStalker was first identified by Flare after researchers observed distinctive SSH intrusion patterns in honeypot environments in early 2026. Over two months, analysts confirmed the activity represented a new Linux botnet built from a stitched-together toolkit blending:

  • Classic IRC botnet mechanics
  • Automated SSH mass-compromise pipelines
  • On-host compilation for cross-environment portability
  • Rootkit-like artifacts and log tampering

Unlike stealth-focused APT campaigns, SSHStalker is surprisingly noisy—using per-minute cron jobs and worm-like scanning—yet it remains highly effective because it targets legacy Linux systems, misconfigured servers, and cloud-hosted environments with weak SSH protections.


Campaign Overview

Primary Targets

Evidence from captured bot logs shows SSHStalker focusing its scanning and compromise efforts on:

  • Cloud-hosted Linux systems, especially on Oracle Cloud Infrastructure
  • Internet-facing servers running legacy Linux kernels (2.6.x)
  • Systems with password-based SSH authentication

Scale of Compromise

Flare’s staging server investigation and scan data indicate:

  • Around 7,000 compromised or scanned hosts as of January 2026
  • Infections are distributed across the U.S., Europe, and the Asia-Pacific
  • The majority of victims are running outdated or abandoned server images

Key Characteristics

  • Automated SSH brute forcing using a Go-based scanner disguising itself as nmap
  • Worm-like propagation by converting infected hosts into new scanners
  • IRC-based C2 with multi-channel redundancy
  • On-host compilation using downloaded GCC for cross-architecture payload deployment
  • Use of around 16 legacy Linux kernel exploits for privilege escalation

Vulnerability Details

The toolkit carries 16 legacy privilege-escalation exploits from 2009–2010. Those documented include the following; all are Linux kernel bugs except CVE-2009-2267, which is a VMware Workstation bug rather than a kernel one:

Vulnerability   | Affected Vendor         | Affected Devices / Products                                  | CVSS Score
----------------|-------------------------|--------------------------------------------------------------|-------------
CVE-2009-2692   | Linux Kernel (Upstream) | Linux 2.6.x kernel-based systems                             | 7.8 (High)
CVE-2009-2698   | Linux Kernel (Upstream) | Linux 2.6.x distributions widely deployed on legacy servers  | 7.8 (High)
CVE-2009-2908   | Linux Kernel (Upstream) | Older Linux kernel environments targeted by the botnet       | 4.9 (Medium)
CVE-2009-3547   | Linux Kernel (Upstream) | Legacy 2.6.x servers and embedded systems                    | 7.0 (High)
CVE-2010-1173   | Linux Kernel (Upstream) | Linux servers running outdated 2010-era kernel builds        | 7.1 (High)
CVE-2010-2959   | Linux Kernel (Upstream) | Long-tail Linux deployments still operating on 2.6.x kernels | 7.2 (High)
CVE-2010-3437   | Linux Kernel (Upstream) | Legacy servers and appliances running older Linux kernels    | 6.6 (Medium)
CVE-2010-3849   | Linux Kernel (Upstream) | Linux kernel before 2.6.36.2                                 | 4.7 (Medium)
CVE-2009-2267   | VMware                  | VMware Workstation                                           | 6.9 (Medium)

These vulnerabilities remain exploitable in long-tail legacy environments, such as outdated VPS images, old industrial systems, and abandoned appliances.


Tactics and Techniques

TA0001 – Initial Access

  • Automated SSH scanning
  • Password-based SSH brute forcing

TA0002 – Execution

  • On-host compilation of C-based bots
  • Automatic deployment of multiple IRC bot variants

TA0003 – Persistence

  • Cron-job watchdog that relaunches the bot every 60 seconds
  • On-host GCC-based payload rebuilding

TA0004 – Privilege Escalation

  • Exploitation of outdated Linux kernels after a low-privileged SSH login

TA0005 – Defense Evasion

  • Log tampering (utmp/wtmp/lastlog manipulation)
  • Rootkit-like helper components

TA0011 – Command and Control

  • IRC-based C2 communication
  • Hard-coded IRC servers and channels
  • Multi-server/channel redundancy

Indicators of Compromise (IOCs)

The published research documents SSHStalker indicators in the following categories; the concrete values are not reproduced here:

  • IRC C2 infrastructure on public IRC networks
  • Hard-coded IRC channels used by C-based and Perl bots
  • Observed scanning behavior from infected hosts targeting port 22

Infection Method

1) Initial Access

SSHStalker scans the internet for exposed SSH services and weak credentials using a Golang SSH scanner masquerading as nmap.
Compromised hosts immediately begin scanning others, forming a worm-like propagation pattern.

2) Exploitation

After initial low-privileged access, the botnet triggers legacy Linux kernel exploits to escalate privileges on unpatched hosts.

3) Payload Delivery

Instead of dropping precompiled payloads, SSHStalker downloads GCC and compiles C-based IRC bots and supporting modules directly on the host. Building on the victim improves portability across host architectures and avoids shipping a recognizable prebuilt binary, which aids evasion.

4) Execution & Persistence

Persistence relies on a noisy but effective cron job that relaunches the malware every 60 seconds and thereby serves as a watchdog: killing the bot process buys at most a minute.
Log cleaners then minimize the forensic artifacts left behind.

5) Command-and-Control (C2)

IRC bot variants connect to hard-coded IRC servers and to multiple redundant channels. Some of those channels are hosted on public IRC networks, which complicates detection and blocking by destination.
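As an added illustration of the detection side of steps 1 and 4 (this is example code written for this page, not Flare's analysis tooling or anything from the botnet), the following Python script flags SSH brute-force bursts in OpenSSH auth.log lines and per-minute cron entries that relaunch something from a temporary or hidden directory or detach it with nohup. The log lines, crontab entries, hostnames, user names and IP addresses are constructed; the threshold (five failures within sixty seconds) is an assumption to tune per environment, and the cron parser assumes user-crontab format (five schedule fields followed by the command, with no user column as in /etc/crontab).

```python
"""Host triage for two SSHStalker artefacts: SSH brute-force bursts in
OpenSSH auth.log lines and per-minute cron watchdog entries. Added example,
not Flare's analysis code; every log line and crontab entry below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# sshd's "Failed password" record as it appears in auth.log / the journal.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def brute_force_sources(log_lines, threshold=5, window_s=60, year=2026):
    """Return {ip: (total_failures, distinct_users)} for every source that
    produced `threshold` or more failures inside any `window_s`-second window.
    Syslog stamps carry no year, so one is assumed for parsing."""
    times = defaultdict(list)
    users = defaultdict(set)
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated records are ignored
        stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times[m["ip"]].append(stamp)
        users[m["ip"]].add(m["user"])
    hits = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted stamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(stamps), len(users[ip]))
                break
    return hits


# Paths a legitimate per-minute job rarely runs from: world-writable temp
# directories and hidden directories (a path component starting with ".").
ODD_PATH_RE = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/|/\.[^/\s]+/")


def suspicious_cron_entries(crontab_lines):
    """Return user-crontab lines (five schedule fields, then the command, no
    user column) that fire every minute and start something from an odd path
    or detach it with nohup/setsid: the watchdog pattern described above."""
    flagged = []
    for raw in crontab_lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        every_minute = schedule[0] in ("*", "*/1") and all(f == "*" for f in schedule[1:])
        detached = any(tok in ("nohup", "setsid") for tok in command.split())
        if every_minute and (ODD_PATH_RE.search(command) or detached):
            flagged.append(line)
    return flagged


# --- constructed samples (hosts, addresses and users are not real) -----------
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:15 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 03:14:16 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Jan 12 03:14:17 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "Jan 12 03:14:19 web1 sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.5 port 51241 ssh2",
    "Jan 12 03:14:20 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "Jan 12 03:14:21 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Jan 12 09:01:02 web1 sshd[3100]: Failed password for alice from 198.51.100.7 port 40100 ssh2",
]

SAMPLE_CRONTAB = [
    "0 2 * * * /usr/local/bin/backup.sh",
    "* * * * * /dev/shm/.x/run.sh >/dev/null 2>&1",
    "*/1 * * * * nohup /var/tmp/.cache/bot &",
    "*/15 * * * * /usr/bin/certbot renew -q",
]

if __name__ == "__main__":
    for ip, (fails, distinct) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute force from {ip}: {fails} failures against {distinct} user names")
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"watchdog-style cron entry: {entry}")
```

On a real host, feed `brute_force_sources` the output of `journalctl -u ssh` or the tail of /var/log/auth.log and `suspicious_cron_entries` the output of `crontab -l` for each account; the one failure from 198.51.100.7 in the sample shows why the window and threshold, not a single failed login, drive the verdict.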

Impact

  • Silent, Large-Scale Access: Despite its loud infection behavior, SSHStalker often enters an idle state after infection, which suggests the hosts are being staged for later operations.
  • Legacy Infrastructure Risk: Thousands of compromised hosts run outdated kernels on what amounts to “forgotten infrastructure,” making them prime targets for long-term hijacking.
  • Potential for Monetization and Disruption: The toolkit includes cryptomining components (e.g., PhoenixMiner) and DDoS capabilities.

Visual Flow

Initial Access (SSH scanning / brute forcing) -> Privilege Escalation (legacy kernel CVEs) -> On-Host Compilation (GCC) -> IRC Bot Deployment (C + Perl variants) -> Cron-Based Persistence (60s watchdog) -> C2 Enrollment (public IRC networks) -> Idle or Optional Actions (credential harvesting, miners, DDoS)


Mitigation Steps

1. Eliminate Password-Based SSH: Enforce key-based authentication or MFA; apply rate limiting; isolate SSH behind VPN or allowlists.

2. Remove Compilers from Production Systems: Block GCC installation; monitor for compiler execution on servers.

3. Monitor for IRC Traffic: Alert on outbound IRC-style traffic or connections to unfamiliar IRC servers.

4. Patch or Retire Legacy Linux Kernels: SSHStalker’s exploit set heavily targets Linux 2.6.x environments—these should be decommissioned or isolated.
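The following Python script, added here as an example rather than taken from the page's sources, implements the checks behind steps 1 and 3: an audit of sshd_config against the settings an SSH-brute-forcing botnet depends on, and a payload-based test for IRC traffic that works regardless of port, since the bots use public IRC networks and nothing stops them from connecting on a non-standard port. The sample configurations, the IRC lines and the HTTP request are constructed; the hardened values (key-only logins, root locked out, MaxAuthTries 3) are this example's choices, not settings the report specifies.

```python
"""Checks behind mitigation steps 1 and 3: audit sshd_config for the settings an
SSH-brute-forcing botnet needs, and detect IRC on any port by payload.
Added example, not code from Flare or the page; all inputs are constructed."""
import re

# Wanted value per OpenSSH keyword on a hardened host (this example's choices).
WANT = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
}
# OpenSSH's own defaults, used when the keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
# Pre-8.7 OpenSSH name for the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section. sshd honours the first
    occurrence of a keyword, so later duplicates are ignored; directives after
    a Match block are conditional and are not evaluated here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, wanted)] for every weak setting."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in WANT.items():
        have = cfg.get(key, DEFAULTS[key])
        if key == "permitrootlogin":
            ok = have in ("no", "prohibit-password", "without-password")
        elif key == "maxauthtries":
            ok = have.isdigit() and int(have) <= int(wanted)
        else:
            ok = have == wanted
        if not ok:
            findings.append((key, have, wanted))
    return findings


# IRC client registration and commands at the start of each line; bots on
# public IRC networks speak this even on a non-standard port, so match on the
# payload rather than on TCP 6667/6697.
IRC_CLIENT = re.compile(rb"^(?:PASS|NICK|USER|JOIN|PRIVMSG|PONG) ", re.M)
IRC_SERVER = re.compile(rb"^(?::\S+ )?(?:001|PING|NOTICE) ", re.M)


def looks_like_irc(payload, min_lines=2):
    """True when at least min_lines lines of the stream are IRC protocol."""
    return len(IRC_CLIENT.findall(payload)) + len(IRC_SERVER.findall(payload)) >= min_lines


# --- constructed samples -----------------------------------------------------
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers deploy
"""

BOT_STREAM = b"NICK [x86]-00042\r\nUSER x 0 * :x\r\nJOIN #constructed\r\n"
HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
    print("bot stream IRC:", looks_like_irc(BOT_STREAM))
    print("http stream IRC:", looks_like_irc(HTTP_STREAM))
```

Two details matter in practice: sshd takes the first value it sees for a keyword, so a hardening line appended to the end of a file that already says `PasswordAuthentication yes` changes nothing (the audit mirrors that rule), and `sshd -T` prints the effective configuration including Match blocks, which this parser deliberately stops at.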

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.