New ‘SSHStalker’ Linux Botnet Uses Old Techniques

Estimated to have infected 7,000 systems, the botnet uses a mass-compromise pipeline, deploying various scanners and malware.

A newly identified Linux botnet is relying on decade-and-a-half-old exploits and techniques, cybersecurity company Flare reports.

Dubbed SSHStalker, the botnet uses multiple 2009-era tools and mechanics, including an Internet Relay Chat (IRC) bot and 19 Linux kernel exploits.

According to Flare, the botnet is rather noisy: it executes a cron job every minute for persistence, relies on a watchdog ‘update’ relaunch model, and deploys various scanners and malware on the infected machines.

SSHStalker artifacts resemble known Romanian-linked botnet operations such as Outlaw and Dota, but no direct link to the legacy Linux campaigns was found, suggesting that a derivative operator, a copycat, or an Outlaw-linked threat actor is behind the botnet.

The botnet’s infection chain involves the deployment of multiple C-based IRC bot variants, a Perl IRC bot, the Tsunami and Keiten malware, and multi-server/channel redundancy in what appears to be an opportunistic campaign rather than a targeted operation.

To date, SSHStalker has likely ensnared approximately 7,000 systems. Its toolset targets legacy Linux versions running on older systems, which likely represent roughly 1–3% of internet-accessible Linux servers.

“This is rising to 5–10% in long-tail environments (legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments),” Flare notes.

SSHStalker uses open source exploits that are often used by low-to-mid tier threat actors, but the use of curated kernel exploits points to “moderate operational maturity”, the cybersecurity firm says.

Flare’s analysis of the botnet’s attack flow revealed the deployment of nearly two dozen binaries and files.

In the first stage of the infection, an SSH scanner is deployed, followed by two nearly identical IRC-controlled bot variants.

At the second stage, a Perl bot is deployed for command-and-control (C&C) communication, as well as scripts for persistence, privilege escalation, and log cleaning.

Finally, a compressed file is dropped, containing eight files, including the logic for persistence (by creating a cron job to execute an update script every minute). According to Flare, the scripts were designed to run an IRC-botnet builder.
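The every-minute cron relaunch described above is one of the more detectable traits of this campaign. The script below is an added example (not code from Flare or SecurityWeek) that parses crontab text and flags entries that run every minute, launch commands from world-writable staging directories, or silence their output. The crontab content and the list of staging directories are constructed for the example; no real SSHStalker paths are known from this article.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample crontab: two ordinary jobs plus two lines shaped like the
# "update script every minute" persistence reported for SSHStalker. The paths
# are invented for illustration, not indicators from the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
@hourly /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /tmp/.x/update >/dev/null 2>&1
*/1 * * * * /var/tmp/update.sh
"""

# Five schedule fields followed by the command; @reboot/@hourly forms are
# handled separately below.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# Hypothetical list of writable staging directories to treat as suspicious.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    command: str
    reasons: list[str] = field(default_factory=list)


def runs_every_minute(schedule: tuple[str, ...]) -> bool:
    """True when the minute field fires on every minute ('*' or '*/1')."""
    return schedule[0] in ("*", "*/1")


def parse_crontab(text: str) -> list[tuple[tuple[str, ...] | str, str]]:
    """Return (schedule, command) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @hourly, @reboot, ... keep as a string
            sched, _, cmd = line.partition(" ")
            entries.append((sched, cmd.strip()))
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((tuple(m.groups()[:5]), m.group(6)))
    return entries


def find_suspicious(text: str) -> list[Finding]:
    """Flag entries that match the persistence pattern described in the article."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if isinstance(sched, tuple) and runs_every_minute(sched):
            reasons.append("runs every minute")
        if any(cmd.startswith(d) or f" {d}" in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("command from world-writable staging dir")
        if ">/dev/null 2>&1" in cmd:
            reasons.append("output silenced")
        if reasons:
            findings.append(Finding(cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_CRONTAB):
        print(f"{f.command!r}: {', '.join(f.reasons)}")
```

In practice you would feed this the output of `crontab -l` per user plus the files under `/etc/cron.d`, and treat a hit with two or more reasons as worth a look rather than an automatic alert, since legitimate monitoring agents also run every minute.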

The cybersecurity firm’s investigation into SSHStalker also revealed signs of an EnergyMech IRC bot, which provides full C&C capabilities via IRC, the use of various slang terms to blend with typical IRC traffic, and several cryptomining kits.

Flare also identified the botnet’s IRC server, but did not observe communication associated with its activity, suggesting this is dormant or staging infrastructure.

“The channel behavior appeared limited to users connecting and disconnecting, with no visible operational coordination at the time of observation. Notably, the server and room structure were hosted on what appears to be a legitimate, public IRC network, and the environment itself looked authentic and maintained,” Flare notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
