{"id":186346,"date":"2026-02-11T04:56:00","date_gmt":"2026-02-11T09:56:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/11\/sshstalker-botnet-uses-irc-c2-to-control-linux-systems-via-legacy-kernel-exploits\/"},"modified":"2026-02-11T07:50:10","modified_gmt":"2026-02-11T12:50:10","slug":"sshstalker-botnet-uses-irc-c2-to-control-linux-systems-via-legacy-kernel-exploits","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/11\/sshstalker-botnet-uses-irc-c2-to-control-linux-systems-via-legacy-kernel-exploits\/","title":{"rendered":"SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/sshstalker-botnet-uses-irc-c2-to.html\">SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/sshstalker-botnet-uses-irc-c2-to.html\">https:\/\/thehackernews.com\/2026\/02\/sshstalker-botnet-uses-irc-c2-to.html<\/a><\/p>\n<p>Publish Date: 2026-02-11 04:56:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>Ravie Lakshmanan, Feb 11, 2026, Linux \/ Botnet<br \/>\nCybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.<br \/>\n&#8220;The toolset blends stealth helpers with legacy-era Linux exploitation: Alongside log cleaners (utmp\/wtmp\/lastlog tampering) and rootkit-class artifacts, the actor keeps a large back-catalog of Linux 2.6.x-era exploits (2009\u20132010 CVEs),&#8221; cybersecurity company Flare said. 
&#8220;These are low value against modern stacks, but remain effective against &#8216;forgotten&#8217; infrastructure and long-tail legacy environments.&#8221;<br \/>\nSSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.<\/p>\n<p>However, unlike other campaigns that typically leverage such botnets for opportunistic efforts like distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining, SSHStalker has been found to maintain persistent access without any follow-on post-exploitation behavior.<\/p>\n<p>This dormant behavior sets it apart, raising the possibility that the compromised infrastructure is being used for staging, testing, or strategic access retention for future use.<br \/>\nA core component of SSHStalker is a Go-based scanner that probes port 22 for servers with exposed SSH in order to extend its reach in a worm-like fashion. Several payloads are also dropped, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC server, joins a control channel, and waits for commands that allow it to carry out flood-style traffic attacks and commandeer the bots.<br \/>\nThe attacks are also characterized by the execution of C programs that clean SSH connection logs and erase traces of malicious activity to reduce forensic visibility. Furthermore, the malware toolkit contains a &#8220;keep-alive&#8221; component that ensures the main malware process is relaunched within 60 seconds in the event it&#8217;s terminated by a security tool.<\/p>\n<p>SSHStalker is notable for blending mass compromise automation with a catalog of 16 distinct vulnerabilities impacting the Linux kernel, some going all the way back to 2009. 
Some of the flaws used in the exploit module are CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.<br \/>\nFlare&#8217;s investigation of the staging infrastructure associated with the threat actor has uncovered an extensive repository of open-source offensive tooling and previously published malware samples. These include:<\/p>\n<ul>\n<li>Rootkits to facilitate stealth and persistence<\/li>\n<li>Cryptocurrency miners<\/li>\n<li>A Python script that executes a binary called &#8220;website grabber&#8221; to steal exposed Amazon Web Services (AWS) secrets from targeted websites<\/li>\n<li>EnergyMech, an IRC bot that provides C2 and remote command execution capabilities<\/li>\n<\/ul>\n<p>It&#8217;s suspected that the threat actor behind the activity could be of Romanian origin, given the presence of &#8220;Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists.&#8221; What&#8217;s more, the operational fingerprint exhibits strong overlaps with that of a hacking group known as Outlaw (aka Dota).<br \/>\n&#8220;SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration, by primarily using C for core bot and low-level components, shell for orchestration and persistence, and limited Python and Perl usage mainly for utility or supporting automation tasks inside the attack chain and running the IRCbot,&#8221; Flare said.<br \/>\n&#8220;The threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits 
https:\/\/thehackernews.com\/2026\/02\/sshstalker-botnet-uses-irc-c2-to.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":186347,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIWksXdbZ0O2Uys7zlFHh363x_928N5gROvDQuqYlRb952YgIX5wXoIOhRZy6ZBS0Lswnax_SfsXm77mjIojyvIYLn8PQID-pGysGygXRuDj4MPbLlxHnwjVJ48IeW0Yf4K0Yw8mwxXkmFjYF3JnLoms3GbRYZbjWX28y2FuV2xyLFTaDM1NgQafp_j1uS\/s1600\/linux-botnet.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,32,34],"class_list":["post-186346","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/186346"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=186346"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/186346\/revisions"}],"predecessor-version":[{"id":186348,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/186346\/revisions\/186348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/186347"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=186346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index
.php\/wp-json\/wp\/v2\/categories?post=186346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=186346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}