- SSHStalker uses IRC channels and multiple bots to control infected Linux hosts
- Automated SSH brute-forcing rapidly spreads the botnet through cloud server infrastructures
- Compilers are downloaded locally to build payloads for reliable cross-distribution execution
SSHStalker, a recently discovered Linux botnet, is apparently relying on the classic IRC (Internet Relay Chat) protocol to manage its operations.
Created in 1988, IRCwas once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth needs, and cross-platform compatibility.
Unlike modern command-and-control frameworks, SSHStalker uses multiple bots, redundant channels, and servers to maintain control over infected devices while keeping operational costs low.
Botnet structure and command infrastructure
Researchers from security firm Flare documented nearly 7,000 bot scan results in a single month, mainly targeting cloud infrastructure, including Oracle Cloud environments.
Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.
After infection, SSHStalker downloads the GCC compiler to build payloads directly on the compromised system, which ensures its C-based IRC bots can run reliably across different Linux distributions.
These bots contain hard-coded servers and channels that enroll the host into the IRC-controlled botnet.
Additional payloads named GS and bootbou provide orchestration and execution sequencing, effectively creating a scalable network of infected machines under centralized IRC control.
Persistence on each host is maintained through cron jobs set to run every minute, which monitor the main bot process and relaunch it if terminated, creating a constant feedback loop.
The botnet also leverages exploits for 16 old Linux kernel CVEs dating back to 2009 to 2010, using them to escalate privileges once a low-privileged user account is compromised.
Beyond basic control, SSHStalker has built-in monetization mechanisms, as the malware harvests AWS keys, performs website scanning, and includes cryptomining capabilities via PhoenixMiner for Ethereum mining.
Although DDoS capabilities exist, Flare has not observed any attacks, suggesting that the botnet is either in testing or hoarding access.
Defensive strategies against SSHStalker emphasize monitoring compiler installations, unusual cron activity, and IRC-style outbound connections.
Administrators are advised to disable SSH password authentication, remove compilers from production environments, and enforce strict egress filtering.
Maintaining strong antivirus solutions and using good firewall protocols can reduce exposure to this and other legacy-style threats.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
