Massive Botnet Escalates Attacks on Legacy Linux Systems
Cybercriminals are increasingly focusing on large-scale, long-term operations, with a new botnet named SSHStalker rapidly compromising Linux systems through automated SSH scanning and exploitation of outdated vulnerabilities, as reported by Flare.
SSHStalker emerged in early 2026, capitalizing on weak SSH configurations and legacy Linux kernels. Unlike hidden, stealthy attackers, it employs overt methods that prioritize resilience, utilizing classic IRC controls and old Linux kernel exploits. The botnet targets institutions with misconfigured servers and outdated infrastructure, managing thousands of infected hosts via persistent cron jobs and a blended toolkit that includes established IRC mechanics and on-host compilation techniques.
Primarily targeting environments like Oracle Cloud, internet-facing servers with legacy kernels (specifically 2.6.x), and systems employing password-based SSH authentication, SSHStalker has seen around 7,000 compromised hosts across the U.S., Europe, and Asia-Pacific. Its noise-heavy operations make it easily detectable, yet effective due to the nature of its targets, often consisting of abandoned or legacy systems that lack adequate defenses.
Why this matters: The widespread infection of outdated systems poses significant risks as organizations often overlook these vulnerable infrastructures. This botnet not only compromises security but also offers avenues for potential monetization through cryptomining or disruptive attacks.
To mitigate risks, defenders should eliminate password-based SSH access, enforce key-based methods or MFA, restrict compilers on production systems, and monitor for unusual IRC traffic. Regular patching and retirement of legacy systems are also crucial to weakening the attack footprint.
Indicators of Compromise (IOCs):
– Targeted Linux kernel vulnerabilities (CVE-2009-2692, CVE-2009-2698, CVE-2009-2908, CVE-2009-3547, CVE-2010-1173, CVE-2010-2959, CVE-2010-3437, CVE-2010-3849).
– Notable scanning behaviors focusing on port 22 and the exploitation of legacy Linux kernel flaws.
– Utilization of IRC channels for command-and-control operations associated with infected hosts.
Click here for the full article
