securityonline.info 2/13/2026, 1:15:49 AM · via preferred

Back to the Future: SSHStalker Botnet Revives 2009 Tactics to Hijack Linux Servers

Primary Source flare.io

A security report on SSHStalker by Flare researchers describes a Linux botnet that revives 2009-era tactics to hijack servers, combining old-school IRC botnet methods with modern mass-compromise automation. The operation was uncovered after honeypots were hit over a two-month period. SSHStalker relies on IRC for its command and control, a stark contrast to the encrypted web panels common in contemporary botnets.

The malware is a patchwork of legacy code, including variants of C-based bots, Perl scripts, and families such as Tsunami and Keiten, indicating a focus on redundancy over stealth. Its infection pipeline chains a Go-based SSH scanner with a rapid staging workflow, so once a weak SSH password is found, it deploys multiple backdoors and maintains long-term access.

Flare suggests the operator behind SSHStalker is likely a mid-tier actor, potentially based in Romania, who is said to automate mass compromise rather than develop zero-days.


Article by CyberSIXT