Cybersecurity researchers have disclosed a new botnet operation named SSHStalker that uses Internet Relay Chat (IRC) for command-and-control (C2) of compromised Linux systems, pairing IRC-driven control with a mass-compromise workflow. The toolset includes log cleaners and rootkit-like artefacts, and it relies on a back-catalogue of Linux 2.6.x-era exploits for CVEs from 2009 and 2010, according to Flare.
SSHStalker scans for hosts with SSH exposed on port 22 and, once a host is compromised, enrols it in an IRC channel: an UnrealIRCd server hosts the control channel from which commands, including orders to launch flood-style attacks, are issued. Notably, the malware exhibits dormant, persistence-focused behaviour with no evident post-exploitation activity, which suggests the operators are staging access or retaining it for later use.
The operation drops several payloads, including an IRC-controlled bot and a Perl file bot, and uses C, shell, Python and Perl components to orchestrate and sustain the attack chain; a keep-alive component relaunches the main process within 60 seconds if it is terminated. Flare also notes possible Romanian origins for the threat actor and overlaps with the group tracked as Outlaw (also known as Dota).
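Two of the behaviours described above are detectable from host telemetry without any signature for SSHStalker itself: a process that opens an outbound connection with an IRC client registration (NICK/USER, then JOIN), and an executable that is relaunched within seconds of being killed, which is what a keep-alive watchdog looks like from the outside. The following added example, which is not code from Flare's report or from the SSHStalker toolset, runs both checks over a handful of constructed events. The event format, the field names, the paths, the 60-second window and the RFC 5737 documentation addresses are assumptions made for illustration.

```python
"""Added example: flag IRC-style C2 registrations and fast process respawns in
constructed host telemetry. Not SSHStalker's code and not Flare's tooling; the
event schema, paths, addresses and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed telemetry (not real captures). Two event kinds:
#   net  : outbound connection plus the first bytes the process sent
#   proc : exec/exit lifecycle of a process
EVENTS = [
    {"kind": "proc", "ts": "2024-05-01T10:00:00", "action": "exec", "pid": 4242, "exe": "/tmp/.x/bot"},
    {"kind": "net", "ts": "2024-05-01T10:00:01", "pid": 4242, "exe": "/tmp/.x/bot",
     "dst": "203.0.113.5:6667",
     "payload": "NICK [x]-lnx2781\r\nUSER x86 8 * :x86\r\nJOIN #cmd secret\r\n"},
    {"kind": "net", "ts": "2024-05-01T10:00:02", "pid": 1717, "exe": "/usr/bin/curl",
     "dst": "198.51.100.9:443", "payload": "\x16\x03\x01"},  # TLS ClientHello, benign
    {"kind": "proc", "ts": "2024-05-01T10:05:00", "action": "exit", "pid": 4242, "exe": "/tmp/.x/bot"},
    {"kind": "proc", "ts": "2024-05-01T10:05:41", "action": "exec", "pid": 4310, "exe": "/tmp/.x/bot"},
    {"kind": "proc", "ts": "2024-05-01T10:10:00", "action": "exit", "pid": 2001, "exe": "/usr/sbin/sshd"},
    {"kind": "proc", "ts": "2024-05-01T10:20:00", "action": "exec", "pid": 2100, "exe": "/usr/sbin/sshd"},
]

# IRC client commands that appear at the start of a session (RFC 2812).
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PASS)\b(.*)$", re.M)


def parse_irc_registration(payload: str):
    """Return (is_irc, channels) for the first bytes a client sent.

    An IRC client registers with NICK and USER and then JOINs channels, so
    NICK+USER together is the signal; JOIN arguments give the C2 channels.
    """
    cmds = defaultdict(list)
    for cmd, rest in IRC_CMD.findall(payload):
        cmds[cmd].append(rest.strip())
    is_irc = "NICK" in cmds and "USER" in cmds
    channels = [args.split()[0] for args in cmds.get("JOIN", []) if args]
    return is_irc, channels


def irc_c2_alerts(events):
    """Flag processes whose outbound traffic opens with an IRC registration.

    The check is on payload, not port: an IRC C2 need not listen on 6667.
    """
    alerts = []
    for ev in events:
        if ev["kind"] != "net":
            continue
        is_irc, channels = parse_irc_registration(ev["payload"])
        if is_irc:
            alerts.append({"pid": ev["pid"], "exe": ev["exe"],
                           "dst": ev["dst"], "channels": channels})
    return alerts


def respawn_alerts(events, window_s: int = 60):
    """Flag an executable exec'd again within window_s seconds of exiting.

    This is the footprint a keep-alive watchdog leaves when the bot is killed;
    the 60-second window is an assumption taken from the behaviour described.
    """
    last_exit = {}
    alerts = []
    proc_events = sorted((e for e in events if e["kind"] == "proc"), key=lambda e: e["ts"])
    for ev in proc_events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "exit":
            last_exit[ev["exe"]] = ts
        elif ev["action"] == "exec" and ev["exe"] in last_exit:
            gap = (ts - last_exit[ev["exe"]]).total_seconds()
            if 0 <= gap <= window_s:
                alerts.append({"exe": ev["exe"], "new_pid": ev["pid"], "gap_s": gap})
    return alerts


if __name__ == "__main__":
    for a in irc_c2_alerts(EVENTS):
        print("IRC C2 registration:", a)
    for r in respawn_alerts(EVENTS):
        print("fast respawn:", r)
```

Both checks are deliberately behavioural: the first fires on any process that speaks IRC to the network, which on a server is almost always worth a look, and the second fires on the respawn pattern rather than on a path or hash, so a renamed dropper in a different directory is still caught. In a real deployment the respawn check should also record the parent process of the new instance, since the watchdog that relaunched it is the component to remove first.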