- A new botnet, SSHStalker, uses legacy IRC protocol for command-and-control and targets old Linux systems.
- The operation is distinct for maintaining persistent access without immediate post-exploitation activity like crypto mining.
- The threat toolset includes log cleaners, rootkits, and exploits for 16 vulnerabilities, some dating to 2009.
- Researchers suspect a possible Romanian origin and connection to the known hacking group Outlaw (aka Dota).
Cybersecurity researchers from Flare have exposed a novel botnet operation, dubbed SSHStalker, which leverages the archaic Internet Relay Chat (IRC) protocol for command-and-control. This campaign uniquely scans for and compromises Linux systems with open SSH ports, then enlists them into IRC channels. However, unlike typical botnets that launch cryptocurrency mining or DDoS attacks, SSHStalker remains dormant post-infiltration.
Consequently, this persistent, low-profile access suggests the compromised infrastructure is being reserved for future strategic use. The malware employs a Golang scanner to propagate and deploys payloads, including an IRC bot, to await commands. Flare’s analysis reveals its toolkit blends stealth with legacy-era Linux exploitation, using a catalog of 16 distinct vulnerabilities impacting older kernels.
Furthermore, the attackers execute specialized programs to clean SSH connection logs from system files like utmp, wtmp, and lastlog, severely hampering forensic visibility. A “keep-alive” component ensures the malware process automatically restarts if terminated. The staging infrastructure also housed a repository of open-source tooling, including rootkits, crypto miners, and a script to steal exposed AWS secrets.
Researchers noted “Romanian-style nicknames, slang patterns, and naming conventions” within the operation’s IRC channels. Its operational fingerprint shows strong overlaps with the known hacking group Outlaw. Flare concluded the actor demonstrates “strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
