BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

New SSHStalker Linux Botnet Uses Old Exploits

SSHStalker botnet uses IRC, targets old Linux, stays persistent without activity, linked to Outlaw group.

  • A new botnet, SSHStalker, uses legacy IRC protocol for command-and-control and targets old Linux systems.
  • The operation is distinct for maintaining persistent access without immediate post-exploitation activity like crypto mining.
  • The threat toolset includes log cleaners, rootkits, and exploits for 16 vulnerabilities, some dating to 2009.
  • Researchers suspect a possible Romanian origin and connection to the known hacking group Outlaw (aka Dota).

Cybersecurity researchers from Flare have exposed a novel botnet operation, dubbed SSHStalker, which leverages the archaic Internet Relay Chat (IRC) protocol for command-and-control. This campaign uniquely scans for and compromises Linux systems with open SSH ports, then enlists them into IRC channels. However, unlike typical botnets that launch cryptocurrency mining or DDoS attacks, SSHStalker remains dormant post-infiltration.

- Advertisement -

Consequently, this persistent, low-profile access suggests the compromised infrastructure is being reserved for future strategic use. The malware employs a Golang scanner to propagate and deploys payloads, including an IRC bot, to await commands. Flare’s analysis reveals its toolkit blends stealth with legacy-era Linux exploitation, using a catalog of 16 distinct vulnerabilities impacting older kernels.

Furthermore, the attackers execute specialized programs to clean SSH connection logs from system files like utmp, wtmp, and lastlog, severely hampering forensic visibility. A “keep-alive” component ensures the malware process automatically restarts if terminated. The staging infrastructure also housed a repository of open-source tooling, including rootkits, crypto miners, and a script to steal exposed AWS secrets.

Researchers noted “Romanian-style nicknames, slang patterns, and naming conventions” within the operation’s IRC channels. Its operational fingerprint shows strong overlaps with the known hacking group Outlaw. Flare concluded the actor demonstrates “strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence.”

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

- Advertisement -

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Bitcoin Creator Back Warns BIP-110 Data Limit Could Split Network

Adam Back said Bitcoin has "robustly rejected" BIP-110, arguing the proposal conflicts with the...

Analyst Says Bitcoin Bear Market Nearing End as Momentum Slows

Bitcoin may be entering the latter stages of the bear market as downside momentum...

IMF: Dollar stablecoins may amplify currency runs in fixed-rate economies

An IMF working paper by economist Brandon Joel Tan models how dollar stablecoins improve...

Must Read

A Beginner’s Guide To Cryptocurrency Mining

Cryptocurrency is considered one of the most popular forms of financial assets today. Many of these digital assets operate within blockchain technology which works...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading