Compilers are downloaded locally to build payloads for reliable cross-distribution execution
SSHStalker, a recently discovered Linux botnet, is apparently relying on the classic IRC (Internet Relay Chat) protocol to manage its operations.
Created in 1988, IRCwas once the dominant instant messaging system for technical communities due to its simplicity, low bandwidth needs, and cross-platform compatibility.
Unlike modern command-and-control frameworks, SSHStalker uses multiple bots, redundant channels, and servers to maintain control over infected devices while keeping operational costs low.
SSHStalker’s malware achieves initial access through automated SSH scanning and brute-force attacks, and then uses a Go-based binary disguised as the open-source network tool nmap to infiltrate servers.
Researchers from security firm Flare documented nearly 7,000 bot scan results in a single month, mainly targeting cloud infrastructure, including Oracle Cloud environments.
Once a host is compromised, it becomes part of the botnet’s propagation mechanism, scanning other servers in a worm-like pattern.
After infection, SSHStalker downloads the GCC compiler to build payloads directly on the compromised system, which ensures its C-based IRC bots can run reliably across different Linux distributions.
These bots contain hard-coded servers and channels that enroll the host into the IRC-controlled botnet.
Additional payloads named GS and bootbou provide orchestration and execution sequencing, effectively creating a scalable network of infected machines under centralized IRC control.
Persistence on each host is maintained through cron jobs set to run every minute, which monitor the main bot process and relaunch it if terminated, creating a constant feedback loop.
The botnet also leverages exploits for 16 old Linux kernel CVEs dating back to 2009 to 2010, using them to escalate privileges once a low-privileged user account is compromised.
Beyond basic control, SSHStalker has built-in monetization mechanisms, as the malware harvests AWS keys, performs website scanning, and includes cryptomining capabilities via PhoenixMiner for Ethereum mining.
Although DDoS capabilities exist, Flare has not observed any attacks, suggesting that the botnet is either in testing or hoarding access.
Defensive strategies against SSHStalker emphasize monitoring compiler installations, unusual cron activity, and IRC-style outbound connections.
Administrators are advised to disable SSH password authentication, remove compilers from production environments, and enforce strict egress filtering.
