Legacy IRC Botnet Leverages Automated SSH Exploit Pipeline to Mass-Enroll Linux Hosts


Flare's research team has uncovered an undocumented Linux botnet operation dubbed SSHStalker.

Identified through data captured by our SSH honeypots over two months, this campaign represents a sophisticated blend of eras. It merges "old-school" Internet Relay Chat (IRC) botnet tactics from the late 2000s with modern, automated mass-compromise techniques.

While the infrastructure resembles known threats, SSHStalker is a distinct operation focused on resilience and scale rather than stealth.

What makes SSHStalker unique is its "living off the land" approach to deployment. Rather than simply dropping a pre-built malware binary, the attacker creates an automated pipeline on the victim's machine:

  1. The Entry: The attack begins with a Golang-based binary (disguised as nmap) that scans for servers with open SSH ports (port 22).
  2. The Build: Once access is gained, the malware downloads the GCC compiler. It then drops raw C source files onto the victim's server and compiles the malware on the spot.
  3. The Connection: The newly compiled bots immediately connect to an IRC server. This lets the attackers control thousands of infected machines through chat channels, a legacy method that remains highly effective for redundancy.

Persistence: The 60-Second Watchdog

SSHStalker is designed to be incredibly noisy but difficult to remove. The threat actors prioritize keeping the bot alive over staying hidden.

The botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining.

SSHStalker's attack flow (Source: flare).

The kit installs a Cron job (a scheduled task) that runs every single minute. This script acts as a “watchdog.”

It checks if the malware process is running; if a defender or antivirus kills the bot, the watchdog script automatically recompiles and relaunches it within 60 seconds.

This aggressive persistence mechanism ensures the botnet remains stable even if individual processes are terminated.

The research revealed a massive library of exploits targeting vulnerabilities in Linux kernel 2.6.x, dating back to 2009 and 2010.

While these exploits are ineffective against modern, updated Linux servers, they are devastatingly effective against “long-tail” legacy environments.

This includes forgotten cloud instances, old IoT devices, and unmaintained virtual private servers (VPS).

Flare found evidence of nearly 7,000 compromised IPs, heavily concentrated in cloud hosting environments like Oracle Cloud.

The scan results are heavily dominated by cloud hosting providers, with strong indicators of Oracle Cloud infrastructure, which operates large ASN blocks such as AS31898 and related Oracle network ranges. 

Geo-location distribution of the SSH IP addresses found in the results file (Source: flare).

The attackers appear to be building a massive network of these legacy systems to mine cryptocurrency (specifically Ethereum Classic) and harvest AWS credentials.

The Romanian Connection

The operational fingerprint of SSHStalker strongly resembles the Outlaw (or Maxlas) botnet group.

The file structures, use of IRC, and specific persistence methods are similar. Furthermore, the kit is full of Romanian-language artifacts, slang, and nicknames.

A screenshot from the "infected machines IRC channel" (Source: flare).

However, no direct identifiers linking it to Outlaw were found. This suggests SSHStalker is likely a “copycat” or a derivative group operating in the same ecosystem, utilizing similar toolkits to achieve different ends.

The most distinct red flag for this campaign is the activity of compilers on production servers. Defenders should monitor for the execution of gcc, make, or build tools in directories like /tmp or /dev/shm.

Additionally, blocking outbound IRC traffic and monitoring for Cron jobs that execute every minute can help detect an infection before it becomes a persistent foothold.
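The three detection hints above (build tools running out of /tmp or /dev/shm, the every-minute cron watchdog, and outbound IRC traffic) translate directly into host-level checks. The following is an added example written for this article, not Flare's code or anything from the SSHStalker kit: it runs each rule over constructed sample inputs that stand in for process-execution records, crontab lines and outbound connection records, and the only values taken from the page are the IRC IPs and domains in the IoC table below. Everything else (directory list, port list, sample data) is an assumption chosen for illustration.

```python
"""Host-side heuristics for the SSHStalker tradecraft described in the article.

Added example (not Flare's code). Three rules, each fed by constructed input:
  1. build tools (gcc, make, ...) executed in, or on files under, /tmp, /dev/shm, /var/tmp
  2. crontab entries scheduled every minute (the 60-second watchdog)
  3. outbound connections to IRC ports or to the IRC endpoints from the IoC table
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

BUILD_TOOLS = {"gcc", "cc", "g++", "clang", "make", "tcc"}      # assumed list
SUSPECT_DIRS = ("/tmp", "/dev/shm", "/var/tmp")                  # assumed list
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}                       # common IRC ports
# IRC C2 IPs and domains, copied from the report's IoC table
IRC_IOCS = {
    "185.243.218.59", "154.35.175.201", "94.125.182.255",
    "23.228.66.219", "199.71.214.87", "172.83.156.122",
    "irc.undernet.org", "plm.ftp.sh", "gsm.ftp.sh",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _under_suspect_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in SUSPECT_DIRS)


def check_exec(cwd: str, argv: list[str]) -> Optional[Finding]:
    """Rule 1: a build tool run from, or pointed at, a world-writable scratch directory."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]          # basename of the executable
    if tool not in BUILD_TOOLS:
        return None
    if _under_suspect_dir(cwd) or any(_under_suspect_dir(a) for a in argv[1:]):
        return Finding("build-tool-in-tmp", f"{tool} in {cwd}: {' '.join(argv)}")
    return None


_CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def check_cron(line: str) -> Optional[Finding]:
    """Rule 2: a crontab line whose schedule fires every minute ('* * * * *' or '*/1 * * * *')."""
    line = line.strip()
    if not line or line.startswith(("#", "@")):   # comments and @reboot-style shortcuts
        return None
    m = _CRON_RE.match(line)
    if not m:                                     # e.g. SHELL=/bin/sh assignments
        return None
    minute, hour, dom, mon, dow, cmd = m.groups()
    if minute in ("*", "*/1") and all(f == "*" for f in (hour, dom, mon, dow)):
        return Finding("cron-every-minute", cmd)
    return None


def check_conn(remote: str, port: int) -> Optional[Finding]:
    """Rule 3: an outbound connection to a listed IRC endpoint or to a typical IRC port."""
    if remote in IRC_IOCS:
        return Finding("irc-ioc", f"{remote}:{port}")
    if port in IRC_PORTS:
        return Finding("irc-port", f"{remote}:{port}")
    return None


def scan(execs: Iterable[tuple[str, list[str]]], crons: Iterable[str],
         conns: Iterable[tuple[str, int]]) -> list[Finding]:
    """Run all three rules and return every finding."""
    out = [f for cwd, argv in execs if (f := check_exec(cwd, argv))]
    out += [f for line in crons if (f := check_cron(line))]
    out += [f for remote, port in conns if (f := check_conn(remote, port))]
    return out


# Constructed sample data (not captured from a real host).
SAMPLE_EXECS = [
    ("/tmp/.x/gs", ["/usr/bin/gcc", "-o", "run", "1.c"]),     # compile in /tmp
    ("/home/dev/proj", ["/usr/bin/gcc", "-o", "app", "main.c"]),  # legitimate build
    ("/root", ["make", "-C", "/dev/shm/.s"]),                   # make pointed at /dev/shm
    ("/tmp", ["ls", "-la"]),                                    # not a build tool
]
SAMPLE_CRON = [
    "SHELL=/bin/sh",
    "# m h dom mon dow command",
    "* * * * * /tmp/.x/autorun >/dev/null 2>&1",   # watchdog
    "0 3 * * * /usr/bin/certbot renew",             # benign nightly job
    "*/1 * * * * /dev/shm/.s/run",                  # watchdog, alternate spelling
    "@daily /usr/local/bin/backup.sh",
]
SAMPLE_CONNS = [
    ("185.243.218.59", 6667),   # IoC IP from the table
    ("203.0.113.10", 443),      # ordinary HTTPS
    ("198.51.100.7", 6697),     # unknown host, IRC-over-TLS port
    ("irc.undernet.org", 6667),  # IoC domain from the table
]


def demo() -> list[Finding]:
    return scan(SAMPLE_EXECS, SAMPLE_CRON, SAMPLE_CONNS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.rule}] {f.detail}")
```

On the sample data this reports seven findings: two compiler runs touching scratch directories, two every-minute cron entries, and three outbound IRC connections (two matching listed endpoints, one on an IRC port alone). Feeding it real data means wiring `check_exec` to execve audit records, `check_cron` to the contents of /etc/crontab, /etc/cron.d and each user's crontab, and `check_conn` to connection-tracking or flow logs.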

Indicators of Compromise

| #  | Type       | Value            | MD5 Hash                         | Comments / Detection                              |
|----|------------|------------------|----------------------------------|---------------------------------------------------|
| 1  | ELF file   | h32              | 0d01bd11d1d3e7676613aacb109de55f | Prochider rootkit                                 |
| 2  | ELF file   | h64              | 1e288bb6920d9cf07d0e5dbc8614469d | Prochider rootkit                                 |
| 3  | ELF file   | run32            | 32ee52b2918e06e3925eaccb0bea2d66 | IRCbot                                            |
| 4  | ELF file   | run64            | 88a31724d376ba7ac8ce5c10f97da83d | IRCbot                                            |
| 5  | ELF file   | nmap             | f8f76d8772f07b716913ba85f3af8380 | Classified as payload (scanned under cr4myx.exe)  |
| 6  | Shell file | autorun          | 5b9d4ff6a89da88dcf1d7d04b6d1e976 | Creates cron persistence and runs "run"           |
| 7  | Shell file | go               | 4c3d248b1fc8d4963ebdded4aecfcb8e | Win.Trojan.Tsunami-5                              |
| 8  | Shell file | run              | 70677ce8be9ebc5f81c299f753b98d66 | Runs the rootkits                                 |
| 9  | Shell file | update           | 26ad93d703a565a2642c422b2434fc78 |                                                   |
| 10 | Tar file   | bootbou.tgz      | 98f1ac9c9baf2562eb00b7d4f89dc0dc | Contains malware and scripts                      |
| 11 | IP address | 64.227.142.133   |                                  | Marked malicious; no specific detections          |
| 12 | C file     | 1.c              | 6ca73134ee02fb373ebaf9321b9840c8 | Win.Trojan.Tsunami-5                              |
| 13 | C file     | 2.c              | a24cabef282713b6c0e3f9c3efdabd91 | Win.Trojan.Tsunami-5                              |
| 14 | Zip file   | gs.zip           | 3b64c2ecd7ea152f9d4af9d0461db265 | Contains malware and scripts                      |
| 15 | Tar file   | gs.tar           | fb2ddb699bed59ff420b43f5640e7e0c | Contains malware and scripts                      |
| 16 | C file     | a.c              | a8d19e08aa022bacd8a76777874fad8a | Win.Trojan.Tsunami-5                              |
| 17 | Perl file  | bot              | 1d4c9039ca7e0b3e93c708f5d02f92a0 | Win.Trojan.Tsunami-5                              |
| 18 | C file     | clean.c          | 077cdcbe6c1bf4a0f4bc81feaf283be3 | Cleans access records and logs                    |
| 19 | C file     | cls.c            | 2b31ba929f3e4f8e8c84b3815b0e4909 | Cleans login logs                                 |
| 20 | Shell file | distro           | 94e513b01f26399ae16ac91b50fde268 |                                                   |
| 21 | Shell file | go               | fd55f0754084ba041539bb469f06a83d |                                                   |
| 22 | C file     | ping.c           | 4777d24c864c04a6bfabb836811edf2d | Privileged backdoor                               |
| 23 | IP address | 185.243.218.59   |                                  | IRC channels #xx and #SIP                         |
| 24 | IP address | 154.35.175.201   |                                  | IRC channels #xx and #SIP                         |
| 25 | IP address | 94.125.182.255   |                                  | IRC channels #xx and #SIP                         |
| 26 | IP address | 23.228.66.219    |                                  | IRC channels #xx and #SIP                         |
| 27 | IP address | 199.71.214.87    |                                  | IRC channels #xx and #SIP                         |
| 28 | IP address | 172.83.156.122   |                                  | IRC channels #xx and #SIP                         |
| 29 | Domain     | irc.undernet.org |                                  | IRC channels #xx and #SIP                         |
| 30 | Domain     | plm.ftp.sh       |                                  | IRC channels #xx and #SIP                         |
| 31 | Domain     | gsm.ftp.sh       |                                  | IRC channels #xx and #SIP                         |
