Legacy IRC Botnet Campaign Uses Automated SSH Compromise Pipeline to Enroll Linux Hosts at Scale

Cybersecurity News (original source: cybersecuritynews.com), by Blog Writer

SSHStalker is a newly discovered Linux botnet that brings back Internet Relay Chat (IRC) control while using automation to compromise servers over SSH.

It mainly succeeds by guessing weak or reused passwords, then turning each host into a launchpad for more scans and installs.

In honeypot intrusions seen in early 2026, attackers dropped a Golang binary named “nmap” that actually probes port 22 to find new targets.

They then pulled down GCC, compiled small C files, and unpacked layered archives such as GS and bootbou.tgz to deploy IRC bots and helper tools.

Staging data also referenced almost 7,000 fresh SSH scan results from January 2026, including many IPs in large cloud hosting ranges.

ASCII art found in one of the threat actor's files (Source – Flare)

Flare researchers identified this cluster as previously undocumented after checking its samples, flow, and infrastructure against public reporting and common malware collections.

They described the operation as scale-first: built from stitched-together components that prioritize uptime, low cost, and repeatability across Linux builds over stealth.

They noted “dormant persistence,” with systems enrolled in control channels even when little operator tasking was visible.

The “SSHStalker’s attack flow” diagram tracks the build-and-run pipeline, including multiple IRC bot variants written in C and Perl, with redundant servers and channels.

SSHStalker’s attack flow (Source – Flare)

The same kit also compiles log cleaners that target shell history and utmp/wtmp/lastlog records, and it carries older Linux 2.6.x exploits that can still work on forgotten machines.

Persistence that snaps back

Persistence is blunt but effective: SSHStalker records its working directory and adds a cron job that runs every minute to execute an update watchdog.

If defenders kill the main process, the script checks a PID file and restarts the runner, often restoring control within about 60 seconds.

This fast recovery means responders must remove every part of the kit, or the bot returns before incident work is finished.

The “Indicators of Compromise” section shows the practical fix: remove the one-minute cron entry, delete the full kit directory (often in /dev/shm), and hunt for services or init scripts added by the “distro” helper.

To prevent re-entry, disable SSH password authentication, enforce key-based access, rate-limit brute-force attempts, and restrict SSH exposure to trusted networks.
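The two checks a responder needs for the persistence mechanism and the hardening steps above, as an added example (this is not Flare's tooling or code from the article): a crontab scan for every-minute jobs or jobs living in volatile directories, and an sshd_config audit for password authentication left enabled. Inputs are passed as text so it runs offline; the crontab and sshd_config samples are constructed, the /var/tmp prefix and the MaxAuthTries threshold of 3 are assumptions, and Match blocks are not evaluated.

```python
"""Triage helpers for the persistence and hardening points above.

Added example; this is not Flare's tooling or code from the article. Inputs
are passed in as text so it runs offline; on a real host you would feed it
/etc/crontab, the files under /etc/cron.d and /var/spool/cron, and
/etc/ssh/sshd_config.
"""
import re
from dataclasses import dataclass

# Directories the article names as kit locations; /var/tmp is an assumption
# added here because it is world-writable on most distributions.
VOLATILE_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    text: str


def find_watchdog_crons(crontab_text: str, source: str = "crontab") -> list:
    """Flag cron entries shaped like the update watchdog: an every-minute
    schedule, a command living in a volatile directory, or both."""
    findings = []
    for n, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/sh.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ...
            parts = line.split(None, 1)
            schedule, command = [parts[0]], (parts[1] if len(parts) > 1 else "")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            # System crontabs keep the user name at the start of 'command'; harmless here.
            schedule, command = fields[:5], fields[5]
        every_minute = schedule == ["*"] * 5
        volatile = any(d in command for d in VOLATILE_DIRS)
        if every_minute and volatile:
            findings.append(Finding(source, n, "every-minute job from volatile dir", line))
        elif every_minute:
            findings.append(Finding(source, n, "every-minute job (review)", line))
        elif volatile:
            findings.append(Finding(source, n, "job runs from volatile dir", line))
    return findings


def audit_sshd_config(config_text: str) -> list:
    """Return the weak settings found. OpenSSH uses the first value it reads
    for a keyword, so later duplicates are ignored here too; Match blocks are
    not evaluated (a simplification of this example)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break
        seen.setdefault(key, value.strip().lower())
    weak = []
    # PasswordAuthentication defaults to 'yes', so an absent directive is a finding.
    if seen.get("passwordauthentication", "yes") != "no":
        weak.append("PasswordAuthentication is not 'no': password guessing remains possible")
    if seen.get("pubkeyauthentication", "yes") != "yes":
        weak.append("PubkeyAuthentication is disabled")
    # Assumption: cap guesses per connection at 3; rate-limiting connection
    # attempts themselves is a firewall/fail2ban job, not an sshd_config one.
    if int(seen.get("maxauthtries", "6")) > 3:
        weak.append("MaxAuthTries above 3")
    return weak


# Constructed samples modelled on the behaviour described above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# nightly cert renewal: legitimate
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.kit/update >/dev/null 2>&1
@reboot /dev/shm/.kit/run
"""

WEAK_SSHD = """\
Port 22
#PasswordAuthentication no
MaxAuthTries 6
PasswordAuthentication yes
PasswordAuthentication no
"""

HARDENED_SSHD = """\
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@10.0.0.0/8
"""

if __name__ == "__main__":
    for f in find_watchdog_crons(SAMPLE_CRONTAB):
        print(f"{f.source}:{f.line_no}: {f.reason}: {f.text}")
    print("weak sshd settings:", audit_sshd_config(WEAK_SSHD) or "none")
    print("hardened sshd settings:", audit_sshd_config(HARDENED_SSHD) or "none")
```

The WEAK_SSHD sample shows a common mistake: the commented-out and the later `PasswordAuthentication no` lines do nothing, because sshd honours the first uncommented value. The `AllowUsers deploy@10.0.0.0/8` line in the hardened sample is one way to restrict SSH to a trusted network from inside sshd; a firewall rule on port 22 is the other half.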

On hosts, alert on unexpected GCC or make runs from user directories, /tmp, or /dev/shm, and on new binaries that execute minutes after compilation.
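Detection logic for those two host signals, as an added example that is not code from the article or from Flare: it flags compiler runs whose working directory or arguments sit under a user or volatile directory, then alerts when a binary produced by such a run (or anything inside a directory where make was just run) executes within a window. The event format is a constructed pipe-separated line (epoch, uid, cwd, exe, argv) standing in for auditd EXECVE records or an EDR process feed; the /var/tmp prefix and the 10-minute window are assumptions.

```python
"""Host-side detection for the two signals above: compiler runs from user or
volatile directories, and a freshly built binary executing minutes later.

Added example, not code from the article or from Flare. The event lines are a
constructed pipe-separated format (epoch|uid|cwd|exe|argv); in practice you
would map auditd EXECVE records or an EDR process feed onto the same fields.
"""
import os
import shlex
from collections import namedtuple

COMPILERS = {"gcc", "cc", "g++", "clang", "make"}
# Locations the article calls out; /var/tmp is an assumption added here.
SUSPECT_PREFIXES = ("/home", "/dev/shm", "/tmp", "/var/tmp")
WINDOW_SECONDS = 600  # assumption: "minutes after compilation" read as 10 minutes

Event = namedtuple("Event", "ts uid cwd exe argv")


def in_suspect_dir(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in SUSPECT_PREFIXES)


def parse_events(text: str) -> list:
    events = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, uid, cwd, exe, argv = raw.split("|", 4)
        events.append(Event(int(ts), int(uid), cwd, exe, shlex.split(argv)))
    return events


def compile_output(ev):
    """Best-effort path of the binary a gcc-style command writes; None for make,
    whose products are only known from the build directory."""
    if os.path.basename(ev.exe) == "make":
        return None
    args = ev.argv
    for i, a in enumerate(args):
        if a == "-o" and i + 1 < len(args):
            return os.path.normpath(os.path.join(ev.cwd, args[i + 1]))
        if a.startswith("-o") and len(a) > 2:
            return os.path.normpath(os.path.join(ev.cwd, a[2:]))
    return os.path.join(ev.cwd, "a.out")


def detect(events) -> list:
    """Return (timestamp, rule, detail) alerts in event order."""
    alerts = []
    fresh = {}  # binary path or build directory -> time it was built
    for ev in events:
        if os.path.basename(ev.exe) in COMPILERS:
            if in_suspect_dir(ev.cwd) or any(in_suspect_dir(a) for a in ev.argv):
                alerts.append((ev.ts, "compiler run from user/volatile dir",
                               f"uid={ev.uid} cwd={ev.cwd} argv={' '.join(ev.argv)}"))
            fresh[compile_output(ev) or ev.cwd] = ev.ts
            continue
        # Any other execution: was this binary (or its directory) just built?
        for key, built_at in fresh.items():
            if ev.exe == key or ev.exe.startswith(key.rstrip("/") + "/"):
                age = ev.ts - built_at
                if 0 <= age <= WINDOW_SECONDS:
                    alerts.append((ev.ts, "new binary executed soon after compilation",
                                   f"{ev.exe} ran {age}s after build (uid={ev.uid})"))
                    break
    return alerts


# Constructed sample modelled on the honeypot activity described above
# (epoch seconds in early January 2026). The last line is the same binary
# running hours later, outside the window, so it produces no alert.
SAMPLE_EVENTS = """\
1767272400|1001|/dev/shm/.kit|/usr/bin/gcc|gcc -O2 -o nmap scan.c
1767272405|1001|/dev/shm/.kit|/usr/bin/make|make -C /dev/shm/.kit/bot
1767272520|1001|/dev/shm/.kit|/dev/shm/.kit/nmap|./nmap 22
1767272600|0|/root|/usr/bin/gcc|gcc -o /usr/local/bin/tool /root/src/tool.c
1767280000|1001|/dev/shm/.kit|/dev/shm/.kit/nmap|./nmap 22
"""

if __name__ == "__main__":
    for ts, rule, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(ts, rule, detail)
```

The root build in /root is deliberately left quiet: the rule keys on the directories the article names rather than on compilation as such, which keeps an administrator's package build off the alert list. Tune SUSPECT_PREFIXES to the hosts you run this on.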

At the network edge, watch for IRC client registration and channel joins, and use egress filtering so servers cannot keep long-lived outbound TCP sessions to unknown IRC infrastructure.
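The edge-side checks above, as an added example that is not the article's or Flare's code: IRC registration is recognised from the client's NICK and USER commands and channel joins from JOIN, on any port rather than only 6667, and a session is flagged when it runs longer than a threshold to a destination outside an egress allowlist. The flow records and the allowlist are constructed (RFC 5737 documentation addresses), and the one-hour threshold is an assumption.

```python
"""Network-edge checks for the points above: IRC client registration and
channel joins in outbound traffic, and long-lived outbound TCP sessions to
destinations outside an egress allowlist.

Added example, not the article's or Flare's code. Flow records are constructed
(RFC 5737 documentation addresses); in practice the same fields come from a
flow collector plus the first client bytes of each session.
"""
import re
from dataclasses import dataclass

# IRC registration is the client's NICK + USER pair (RFC 1459/2812); bots may
# use any port, so the check runs on payload rather than on port 6667.
IRC_COMMAND = re.compile(r"^(NICK|USER|JOIN) (\S+)", re.M)
LONG_LIVED_SECONDS = 3600  # assumption: one hour
# Assumption: an explicit egress allowlist of (destination, port) pairs that
# servers are permitted to hold sessions with.
EGRESS_ALLOWLIST = {("203.0.113.10", 443), ("203.0.113.11", 443)}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int
    client_payload: str  # first bytes sent by the internal host, decoded


def irc_signals(payload: str) -> list:
    """Return 'registration' if NICK and USER both appear, plus one
    'join <#channel>' entry per JOIN to a channel."""
    seen = {}
    for verb, arg in IRC_COMMAND.findall(payload):
        seen.setdefault(verb, []).append(arg)
    signals = []
    if "NICK" in seen and "USER" in seen:
        signals.append("registration")
    for chan in seen.get("JOIN", []):
        if chan.startswith(("#", "&")):
            signals.append(f"join {chan}")
    return signals


def review_flows(flows) -> list:
    """Return (src, dst:port, reason) alerts for IRC behaviour and for
    long-lived sessions to destinations not on the allowlist."""
    alerts = []
    for f in flows:
        where = f"{f.dst}:{f.dport}"
        sigs = irc_signals(f.client_payload)
        if sigs:
            alerts.append((f.src, where, "IRC client " + ", ".join(sigs)))
        if f.duration_s > LONG_LIVED_SECONDS and (f.dst, f.dport) not in EGRESS_ALLOWLIST:
            alerts.append((f.src, where,
                           f"outbound session of {f.duration_s}s to non-allowlisted destination"))
    return alerts


# Constructed flows: one bot on the standard IRC port, one expected TLS
# session, one IRC registration on a non-standard port, one plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 6667, 7200,
         "NICK x[23]\r\nUSER x 8 * :x\r\nJOIN #chan\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 443, 9000, "\x16\x03\x01"),
    Flow("10.0.0.6", "198.51.100.9", 8080, 30, "NICK bot\r\nUSER bot 0 * :bot\r\n"),
    Flow("10.0.0.7", "192.0.2.20", 80, 5, "GET / HTTP/1.1\r\nHost: example.test\r\n"),
]

if __name__ == "__main__":
    for src, where, reason in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {where}: {reason}")
```

The allowlist is the policy half of the egress filtering the article recommends: a server that only ever needs its package mirror and its update endpoint should have no route to hold a multi-hour session anywhere else, and the long-lived-session rule here is the audit of that policy rather than a substitute for enforcing it at the firewall.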
