A newly identified Linux botnet called SSHStalker is relying on decade-and-a-half-old exploits and techniques, according to Flare. The security firm notes that SSHStalker uses multiple 2009-era tools and mechanics, including an Internet Relay Chat (IRC) bot and 19 Linux kernel exploits, and that the botnet is quite noisy, running a cron job every minute for persistence and employing a watchdog update-relaunch model.
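The every-minute cron job described above is something a defender can check for directly. The following is an added example, not code from Flare or from the original article: a small crontab parser that flags entries scheduled to fire every minute. The sample crontab and its paths are constructed for illustration and are not indicators from the report.

```python
import re

# Minute-field spellings that all mean "every minute".
_EVERY_MINUTE = {"*", "*/1", "0-59", "0-59/1"}
# Environment assignments such as MAILTO="" or PATH=/usr/bin are not jobs.
_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample of a per-user crontab (not taken from the Flare report).
SAMPLE_USER_CRONTAB = """\
# constructed sample
MAILTO=""
*/5 * * * * /opt/example/backup.sh
* * * * * /opt/example/update >/dev/null 2>&1
@reboot /opt/example/agent
*/1 * * * * /opt/example/watch.sh
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

def every_minute_jobs(text, system=False):
    """Return (line_no, user, command) for entries that run every minute.

    system=True parses the /etc/crontab and /etc/cron.d layout, which has a
    user field between the five schedule fields and the command.
    """
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            continue  # @reboot, @hourly, ... never mean every minute
        parts = line.split(None, 6 if system else 5)
        if len(parts) < (7 if system else 6):
            continue  # malformed or truncated entry
        minute, rest = parts[0], parts[1:5]
        if minute in _EVERY_MINUTE and all(f == "*" for f in rest):
            user = parts[5] if system else None
            command = parts[6] if system else parts[5]
            hits.append((line_no, user, command))
    return hits

if __name__ == "__main__":
    for line_no, user, command in every_minute_jobs(SAMPLE_USER_CRONTAB):
        print(f"line {line_no}: runs every minute: {command}")
```

Legitimate software also schedules every-minute jobs, so a hit is a lead for review of the command and its file, not a verdict.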
To date, SSHStalker has likely ensnared approximately 7,000 systems, targeting legacy Linux iterations on older machines and representing roughly 1–3% of internet-accessible Linux servers. The infection chain deploys multiple C-based IRC bot variants, a Perl IRC bot, and the Tsunami and Keiten malware, with multi-server and multi-channel redundancy in what appears to be an opportunistic campaign rather than a targeted operation.
Flare’s analysis also reveals signs of an EnergyMech IRC bot providing C&C capabilities via IRC, and indicates the overall operation is in a staging or dormant state, with limited visible coordination at the time of observation.

10 February 2026.