A newly identified botnet, dubbed SSHStalker, is leveraging Internet Relay Chat (IRC) for command and control while automating the compromise of Linux servers through SSH. This botnet, discovered by Flare researchers, penetrates systems by exploiting weak or reused passwords, converting them into platforms for launching further attacks.
How SSHStalker Operates
The SSHStalker botnet was observed in honeypot intrusions during early 2026, where attackers deployed a Golang binary misleadingly named “nmap” to probe for exposed SSH (port 22) targets. After gaining access, they downloaded GCC, compiled small C files, and unpacked archives such as GS and bootbou.tgz to install IRC bots and auxiliary tools.
Notably, almost 7,000 fresh SSH scan results from January 2026 were referenced in the data staged by attackers, indicating a focus on large cloud hosting IP ranges. Flare researchers classified this operation as a scale-first approach, prioritizing widespread impact over stealth, with components designed for cost-efficiency and repeatability on Linux systems.
Technical Aspects and Persistence
SSHStalker’s attack methodology involves multiple IRC bot variants coded in C and Perl, supported by redundant servers and channels. The botnet also includes log cleaners targeting shell history and system records, and utilizes older Linux exploits to compromise outdated systems.
A notable feature is its persistence mechanism: SSHStalker logs its directory and sets a cron job to check and restart its processes every minute. This resilience means that even if defenders terminate the main process, the botnet can regain control in under a minute, necessitating comprehensive removal of all components to prevent reactivation.
Prevention and Defense Strategies
To combat this threat, security experts recommend disabling SSH password authentication, enforcing key-based access, limiting brute-force attempts, and restricting SSH access to trusted networks. Monitoring for unexpected GCC or make commands and new binaries executing shortly after compilation can also aid in early detection.
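The host-side indicators described above (a compiler run followed shortly by execution of a fresh binary from the same directory, a well-known tool name such as "nmap" launched from a relative path, and an every-minute cron watchdog) can be checked with a small script. The following is an added example, not code from the Flare report or the botnet; the log format, directory names and timings are constructed for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample process-exec records: "timestamp user cwd command...".
SAMPLE_EXEC_LOG = """\
2026-01-14T03:12:01 root /tmp/.x gcc -o scan scan.c
2026-01-14T03:12:09 root /tmp/.x ./scan 203.0.113.0/24
2026-01-14T03:20:00 root /tmp/.x ./nmap -p 22 198.51.100.0/24
2026-01-14T09:00:00 deploy /srv/app make build
2026-01-14T11:30:00 deploy /srv/app ./bin/app --serve
"""
# Constructed sample crontab: one nightly job, one every-minute watchdog.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew
* * * * * /tmp/.x/run.sh >/dev/null 2>&1
"""

COMPILERS = {"gcc", "cc", "make"}

def parse_exec_log(text):
    """Parse the constructed exec records (assumed to be in time order)."""
    events = []
    for line in text.splitlines():
        ts, user, cwd, *argv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "cwd": cwd, "argv": argv})
    return events

def compile_then_exec(events, window=timedelta(minutes=5)):
    """Pair a compiler run with any relative-path execution from the same
    directory within `window`: the fetch-GCC, build, run pattern."""
    hits = []
    for i, ev in enumerate(events):
        if ev["argv"][0] not in COMPILERS:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # records are time-ordered, nothing later can match
            if later["cwd"] == ev["cwd"] and later["argv"][0].startswith("./"):
                hits.append((ev["argv"], later["argv"]))
    return hits

def masquerading_tools(events, names=("nmap",)):
    """Flag known tool names run from a relative path, like the fake 'nmap'."""
    return [ev["argv"] for ev in events
            if ev["argv"][0].startswith("./") and ev["argv"][0][2:] in names]

def every_minute_cron(crontab):
    """Return cron lines that fire every minute (the restart-watchdog cadence)."""
    return [l for l in crontab.splitlines()
            if not l.startswith("#") and l.split()[:5] == ["*"] * 5]
```

On a real host the same functions can be fed execve records from auditd or a process-tracing tool, and the output of crontab -l for each user plus /etc/cron.d, in place of the constructed samples.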
Network defenses should focus on identifying IRC client activity, using egress filtering to block long-lived outbound TCP sessions to unknown IRC servers. These steps are crucial for mitigating the risks posed by SSHStalker and similar botnets.
