Cybersecurity researchers have disclosed details of a botnet operation named SSHStalker that leverages Internet Relay Chat (IRC) for command and control while exploiting legacy Linux kernel vulnerabilities to compromise and maintain access to vulnerable systems.
According to findings shared by cybersecurity company Flare, the toolset behind SSHStalker combines stealth utilities with older Linux exploitation techniques. The operation incorporates log-cleaning mechanisms that tamper with utmp, wtmp, and lastlog records, along with artifacts commonly associated with rootkit-level persistence. At the same time, the actor maintains a sizable repository of exploits targeting Linux 2.6.x-era vulnerabilities dating back to 2009 and 2010. While such exploits offer limited value against modern and fully patched environments, they remain effective against outdated infrastructure and long-tail legacy systems that continue to operate without regular security updates. Researchers note that this focus on forgotten or poorly maintained assets enables the threat actor to achieve scale without relying on newly discovered flaws.
SSHStalker merges traditional IRC botnet mechanics with automated mass-compromise techniques. A core component is a Go-based scanner that searches for open SSH services on port 22, allowing the malware to propagate in a worm-like manner across exposed servers. Infected machines are enrolled into IRC channels hosted on an UnrealIRCd server, where they await instructions from operators. The toolkit deploys multiple payloads, including variants of an IRC-controlled bot and a Perl-based file bot capable of executing commands and launching flood-style traffic attacks. However, researchers observed that, unlike many botnets that quickly monetize access through distributed denial-of-service campaigns, proxy activity, or cryptocurrency mining, SSHStalker frequently maintains persistent access without immediate follow-on exploitation. This dormant posture suggests the compromised infrastructure may be used for staging, testing, or retaining strategic access for future operations.
To reduce forensic visibility, the attackers execute C programs designed to erase traces of SSH connections and other indicators from system logs. The malware also includes a keep-alive component that automatically relaunches the primary malicious process within 60 seconds if it is terminated by security tools. Flare identified 16 distinct Linux kernel vulnerabilities embedded within the exploit module, including CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437. Analysis of the staging infrastructure uncovered a broader repository of offensive tools and previously published malware, such as rootkits for persistence, cryptocurrency miners, a Python script that deploys a binary referred to as "website grabber" to extract exposed Amazon Web Services secrets, and EnergyMech, an IRC bot that supports remote command execution. Researchers suspect possible Romanian links based on linguistic patterns observed in IRC channels and configuration files, and noted operational overlaps with a hacking group known as Outlaw, also referred to as Dota. Flare stated that the actor demonstrates disciplined execution and infrastructure reuse rather than novel exploit development, relying primarily on C for core components, shell scripts for orchestration and persistence, and limited Python and Perl for supporting automation within the attack chain.
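As an added defensive illustration (not code from Flare's report or from the SSHStalker toolkit), the following Python inspects a raw wtmp file for signs of the in-place log cleaning described above: records overwritten with zeros, timestamps that run backwards in what should be an append-only log, and a torn trailing record. The utmp layout, the heuristics and the sample records are assumptions for the example, not indicators taken from the report.

```python
import struct

# glibc `struct utmp` on x86_64 (384 bytes); assumed layout, check calcsize against <utmp.h>.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8

def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data: bytes) -> list[dict]:
    """Decode whole records; a trailing partial record is skipped here and reported by the checker."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        recs.append({"offset": off, "zeroed": chunk == bytes(UTMP_SIZE), "type": f[0],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace"), "tv_sec": f[9]})
    return recs

def find_tamper_indicators(data: bytes) -> list[str]:
    """Generic signs of in-place log cleaning (assumed heuristics, not indicators from the report)."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"size {len(data)} not a multiple of {UTMP_SIZE}: truncated or hand-edited")
    last_ts = 0
    for r in parse_wtmp(data):
        if r["zeroed"]:  # cleaners commonly null the matching record instead of removing it
            findings.append(f"offset {r['offset']}: record overwritten with zeros")
            continue
        if r["type"] == USER_PROCESS and not r["user"]:
            findings.append(f"offset {r['offset']}: login on {r['line']} with empty username")
        if r["tv_sec"] < last_ts:  # wtmp is append-only, so time should never go backwards
            findings.append(f"offset {r['offset']}: timestamp {r['tv_sec']} precedes {last_ts}")
        last_ts = max(last_ts, r["tv_sec"])
    return findings

# Constructed sample: a normal session, a nulled login record, an out-of-order record, a torn tail.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1_700_000_000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1_700_000_900),
    bytes(UTMP_SIZE),
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "10.0.0.9", 1_700_000_500),
]) + b"\x01" * 10

if __name__ == "__main__":
    print("\n".join(find_tamper_indicators(SAMPLE_WTMP)))
```

On a live host, read /var/log/wtmp in binary mode and compare the findings against a copy shipped off-box, since a cleaner that rewrites the local file cannot touch the remote copy.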