Cybersecurity researchers have uncovered SSHStalker, a unique botnet that utilizes the Internet Relay Chat protocol for command and control while focusing on long-term persistent access. Unlike traditional botnets used for immediate profit, this operation targets legacy Linux environments and remains dormant to maintain a strategic foothold for future use.
Researchers have identified a new botnet operation known as SSHStalker that leverages the classic Internet Relay Chat protocol to manage its command and control infrastructure. This campaign distinguishes itself by combining automated mass-compromise techniques with a specialized toolset designed to infiltrate and persist within vulnerable systems. By using an SSH scanner to identify open ports, the botnet spreads in a worm-like fashion, enrolling compromised servers into IRC channels where they await further instructions.
The malware toolkit associated with SSHStalker is a blend of modern programming and legacy exploitation. It features a Golang-based scanner alongside a library of exploits dating back to 2009 and 2010, targeting Linux 2.6.x kernels. While these old vulnerabilities are ineffective against modern security stacks, they remain highly successful against "forgotten" infrastructure and legacy environments that have not been patched in over a decade. This allows the threat actors to find a home in unmaintained corners of the internet.
Once a system is compromised, the botnet deploys several payloads, including IRC-controlled bots and Perl-based files that connect to an UnrealIRCd server. These components are capable of launching flood-style traffic attacks, but researchers have noted a peculiar lack of immediate malicious activity. Instead of pivoting to common botnet goals like cryptocurrency mining or distributed denial-of-service attacks, SSHStalker typically remains quiet, maintaining a persistent presence without any obvious post-exploitation behavior.
Evasion is a high priority for the operators of SSHStalker, as evidenced by the inclusion of C program files specifically designed to clean SSH connection logs. These tools tamper with the login accounting files utmp (current sessions) and wtmp (login history) to erase traces of the intrusion and reduce the visibility of the malware to forensic investigators. Additionally, the toolkit includes a keep-alive mechanism that monitors the main malware process and ensures it is relaunched within 60 seconds if it is ever terminated by security software or a system administrator.
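A defender-side check for the kind of login-record tampering described above, added here as an example and not code from the researchers or the article. It assumes the glibc x86_64 utmp record layout and the two cleaner behaviours most often seen in the wild (zeroing a record in place, or blanking its user field); the article does not state which method SSHStalker's cleaner uses, so treat the heuristics as leads for investigators rather than signatures.

```python
import struct

# glibc struct utmp on x86_64 Linux, 384 bytes per record. Assumption about
# the host; confirm the layout with `utmpdump` before trusting results.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def _cstr(field: bytes) -> str:
    return field.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data: bytes):
    """Yield one dict per fixed-size record; a trailing partial record is skipped."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield {"idx": off // UTMP_SIZE, "type": f[0], "pid": f[1],
               "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
               "tv_sec": f[9], "raw": raw}

def find_tampering(data: bytes):
    """Return (record_index, reason) pairs for records that look edited.
    wtmp is append-only and chronological: an all-zero record, a login record
    with a wiped user, or a timestamp running backwards points at in-place
    editing or a rewritten file (small backward jumps can also come from
    clock steps, so corroborate with auth logs and SSH server logs)."""
    findings, newest = [], 0
    for r in parse_wtmp(data):
        if r["raw"] == b"\0" * UTMP_SIZE:
            findings.append((r["idx"], "zeroed record (entry wiped in place)"))
            continue
        if r["type"] == USER_PROCESS and not r["user"]:
            findings.append((r["idx"], "login record with blank user field"))
        if r["tv_sec"] < newest:
            findings.append((r["idx"], "timestamp earlier than previous record"))
        newest = max(newest, r["tv_sec"])
    if len(data) % UTMP_SIZE:
        findings.append((-1, "trailing partial record: truncated or rewritten file"))
    return findings

def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one record; only used to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts00",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample wtmp: one clean login, then three records a cleaner left behind.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "admin", "198.51.100.7", 1700000000),
    b"\0" * UTMP_SIZE,                                             # wiped entry
    make_record(USER_PROCESS, 4300, "pts/1", "", "", 1700000300),  # user blanked
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700000100),  # out of order
])

if __name__ == "__main__":
    for idx, reason in find_tampering(SAMPLE_WTMP):
        print(f"record {idx}: {reason}")
```

On a live host, run `find_tampering(open("/var/log/wtmp", "rb").read())` and compare every flagged index against `utmpdump /var/log/wtmp` and the SSH daemon's own log before drawing conclusions.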
The dormant nature of this botnet suggests that the actors may be playing a long game, using the compromised infrastructure for staging, testing, or simply retaining strategic access for future campaigns. By flying under the radar and avoiding the noisy traffic associated with traditional botnet monetization, SSHStalker builds a reliable and stealthy network of infected hosts. This approach highlights a shift in threat actor tactics toward stability and long-term retention over immediate, short-lived gains.
Source: SSHStalker Botnet Controls Linux Systems Using IRC C2 and Kernel Exploits