securityaffairs.com 2/11/2026, 10:36:17 AM

SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning

A new Linux botnet, SSHStalker, has infected about 7,000 systems using old 2009-era exploits, IRC bots, and mass-scanning malware. Flare researchers uncovered the operation via SSH honeypots over two months in early 2026, and investigators confirmed it as a previously undocumented threat.

SSHStalker breaks into Linux servers through mass SSH scanning and brute force, then deploys an old-style IRC botnet toolkit mixed with automated scripts: it drops scanners, compiles malware on the victim, and enrolls the host in IRC channels to scale infections quickly. The persistence mechanism is noisy but effective, using cron jobs to restart the malware within about a minute if it is disrupted, and the exploit arsenal focuses on old Linux 2.6.x kernel vulnerabilities from 2009–2010.
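The cron-based restart persistence described above is also what makes this family easy to spot on a host. The following triage script is an added example for defenders, not code from the article or from Flare's report; the staging directories it checks and the sample crontab lines are constructed assumptions, not indicators from the campaign.

```python
import re
from typing import Dict, List

# Staging directories treated as suspicious for a cron-launched binary.
# This list is an assumption for the example, not an indicator from Flare's report.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Fields: minute hour day-of-month month day-of-week command
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def fires_every_minute(minute_field: str) -> bool:
    """True when the minute field fires every minute ('*' or '*/1')."""
    return minute_field in ("*", "*/1")

def triage_cron_line(line: str) -> List[str]:
    """Reasons a crontab line resembles a malware restart job; empty if clean."""
    line = line.strip()
    m = CRON_RE.match(line)
    if not line or line.startswith("#") or not m:
        return []
    minute, command = m.group(1), m.group(6)
    reasons = []
    if fires_every_minute(minute):
        reasons.append("runs every minute")
    if any(d in command for d in SUSPECT_DIRS):
        reasons.append("command lives in a world-writable staging dir")
    # A restart job usually checks pgrep/pidof so it only relaunches after a kill.
    if re.search(r"\b(pgrep|pidof)\b", command):
        reasons.append("self-restart guard (pgrep/pidof)")
    # Require the every-minute schedule plus at least one more signal to cut noise.
    return reasons if len(reasons) > 1 and reasons[0] == "runs every minute" else []

def suspicious_cron_jobs(crontab_text: str) -> Dict[str, List[str]]:
    """Map each flagged crontab line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in crontab_text.splitlines():
        reasons = triage_cron_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings

# Constructed sample crontab; the paths and names are not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * pgrep -x bot >/dev/null || nohup /dev/shm/.x/bot >/dev/null 2>&1 &
*/1 * * * * cd /tmp/.hidden && ./run >/dev/null 2>&1
"""
```

Run `suspicious_cron_jobs` over the output of `crontab -l` for each user and over `/etc/cron.d`; the two constructed malware-style lines are flagged while the legitimate nightly and five-minute jobs are not.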

Investigators found evidence of nearly 7,000 freshly compromised systems in January 2026, mostly cloud servers, with links to Oracle Cloud infrastructure across global regions. While no direct attribution was found, the report notes the operator uses a mid-tier toolkit and that SSHStalker prioritises scale and reliability over stealth, likely for staging or future use, according to Flare.

Article by CyberSIXT