Hackers resurrect ’90s IRC tricks with SSHStalker



  • SSHStalker uses IRC channels and multiple bots to control infected Linux hosts
  • Automated SSH brute forcing quickly spreads botnet across cloud server infrastructures
  • Compilers are downloaded locally to create payloads for reliable multi-distribution execution

SSHStalker, a recently discovered Linux botnet, apparently relies on the classic IRC (Internet Relay Chat) protocol to manage its operations.

Created in 1988, IRC was once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth requirements, and cross-platform compatibility.

Unlike modern command and control frameworks, SSHStalker relies on multiple bots, channels, and redundant servers to keep control over infected devices while keeping operational costs low.

Botnet structure and command infrastructure

The SSHStalker malware gains initial access through automated SSH scanning and brute force attacks, then uses a Go-based binary disguised as the open source network tool nmap to infiltrate servers.

Researchers at security firm Flare documented nearly 7,000 bot scan results in a single month, primarily targeting cloud infrastructure, including Oracle Cloud environments.

Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.

After infection, SSHStalker downloads the GCC compiler to create payloads directly on the compromised system, which ensures that its C-based IRC bots can run reliably on different Linux distributions.


These bots contain hard-coded servers and channels that enroll the host into the IRC-controlled botnet.

Additional payloads named GS and bootbou provide execution orchestration and sequencing, creating a scalable network of infected machines under centralized IRC control.

Persistence on each host is maintained through cron jobs configured to run every minute, which check whether the main bot process is still running and restart it if it has exited, creating a constant feedback loop.

The botnet also leverages exploits from 16 old Linux kernel CVEs dating from 2009 to 2010, using them to escalate privileges once a low-privileged user account is compromised.

Beyond basic monitoring, SSHStalker has built-in monetization mechanisms, as the malware scrapes AWS keys, performs website scanning, and includes cryptomining capabilities through PhoenixMiner for Ethereum mining.

Although DDoS capabilities exist, Flare has not observed any attacks, suggesting that the botnet is either testing or hoarding access.

Defensive strategies against SSHStalker focus on monitoring compiler installations, unusual cron activity, and IRC-style outgoing connections.

Administrators are advised to disable SSH password authentication, remove compilers from production environments, and enforce strict outbound traffic filtering.
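The host-side checks just described, as an added example that is not code from the article or from Flare: a POSIX shell script that flags every-minute cron jobs, reports whether sshd_config still allows password logins, and picks out peers on classic IRC ports from `ss -tn` style output. The port list, file paths and sample data are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from Flare: a small hunt for the host-side
# indicators described above (every-minute cron persistence, password SSH logins, IRC-style
# outbound connections). Port ranges, file paths and the sample data are assumptions.

# Print crontab lines scheduled to run every minute ("* * * * *"), the persistence pattern
# described for SSHStalker. Comment lines and other schedules are ignored.
find_every_minute_cron() {
  grep -E '^[[:space:]]*\*([[:space:]]+\*){4}[[:space:]]' "$1"
}

# Succeed (exit 0) when the sshd_config in $1 still allows password authentication.
# OpenSSH defaults PasswordAuthentication to "yes" when the directive is absent, and the
# last occurrence of a directive wins, so take the final match.
sshd_password_auth_enabled() {
  val=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
        | tail -n 1 | awk '{print tolower($2)}')
  [ "${val:-yes}" = "yes" ]
}

# From `ss -tn` style output in $1, print peer addresses on the classic IRC port range
# 6660-6669 and 6697 (assumed list; column 5 is the peer address:port, header skipped).
find_irc_peers() {
  awk 'NR > 1 { n = split($5, a, ":"); p = a[n] + 0;
                if ((p >= 6660 && p <= 6669) || p == 6697) print $5 }' "$1"
}

# Constructed sample inputs so the checks can be run offline.
tmp=$(mktemp -d)
cat > "$tmp/crontab.txt" <<'EOF'
# constructed crontab
0 3 * * * /usr/bin/certbot renew
* * * * * /tmp/.x/bot >/dev/null 2>&1
EOF
printf '%s\n' '# constructed' 'PasswordAuthentication no' 'PasswordAuthentication yes' > "$tmp/sshd_weak"
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$tmp/sshd_ok"
cat > "$tmp/ss.txt" <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:44312 203.0.113.9:6667
ESTAB 0 0 10.0.0.5:443 198.51.100.20:51822
ESTAB 0 0 [::1]:22 [::1]:52001
EOF

find_every_minute_cron "$tmp/crontab.txt"
sshd_password_auth_enabled "$tmp/sshd_weak" && echo "sshd_weak: password auth still enabled"
find_irc_peers "$tmp/ss.txt"
```

On a live host, feed the script `crontab -l` output for each user, `/etc/ssh/sshd_config` (plus any files it includes), and `ss -tn` output instead of the constructed samples.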

Maintaining strong antivirus solutions and well-configured firewall rules can reduce exposure to this and other traditional threats.

Via BleepingComputer


Efosa has been writing about technology for over 7 years, first driven by curiosity but now fueled by a strong passion for the field. He holds a master’s degree and a doctorate in science, which gave him a solid foundation in analytical thinking.
