Full Report
A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations. [...]
Analysis Summary
# Tool/Technique: SSHStalker
## Overview
SSHStalker is a newly documented Linux botnet that utilizes the legacy Internet Relay Chat (IRC) protocol for its Command-and-Control (C2) operations. It prioritizes resilience, scale, and low cost using classic botnet mechanics, including noisy SSH scanning and short cron job persistence.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Linux
- Capabilities: Initial mass compromise via SSH brute-forcing, worm-like propagation, local binary compilation, IRC-based C2, persistence via cron jobs, privilege escalation using old CVEs, AWS key harvesting, cryptomining, and potential DDoS.
- First Seen: Recent documentation (February 2026 context).
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (IRC usage falls under application layer protocol command channel, though IRC is distinct from standard HTTP/S)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Unix Shell (Implied via cron jobs and execution environment)
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services
    - T1021.001 - SSH (Used for initial access and propagation)
- **TA0004 - Privilege Escalation**
  - T1168 - LoLBAS Bypass (Implied if utilizing compiler tools for evasion)
  - T1068 - Exploitation for Privilege Escalation (Using specific CVEs)
- **TA0012 - Credential Access**
  - T1528 - Steal Application Access Token (AWS key harvesting)
## Functionality
### Core Capabilities
- **Initial Access & Propagation:** Achieves access via automated SSH scanning and brute-forcing. Uses a Go binary masquerading as `nmap` for deployment and then scans for further SSH targets, exhibiting worm-like spread.
- **C2 Communication:** Uses old-school IRC mechanics, employing multiple hard-coded C2 servers and channels for resilience and redundancy.
- **Persistence:** Establishes persistence using cron jobs set to run every 60 seconds to check and relaunch the main bot process (watchdog mechanism).
- **Local Compilation:** Downloads the GCC toolchain post-infection to compile subsequent payloads directly on the victim device for portability and evasion.
### Advanced Features
- **Payload Staging:** Fetches archives named `GS` and `bootbou` containing variants for orchestration and execution sequencing.
- **Privilege Escalation:** Exploits a back-catalog of 15-year-old Linux kernel CVEs (from 2009-2010) to move from a low-privileged user to higher privileges.
- **Monetization:** Includes kits for cryptomining (specifically PhoenixMiner for Ethereum), performs AWS key harvesting, and conducts website scanning.
- **DDoS Capability:** The botnet structure supports Distributed Denial-of-Service attacks, although they have not been observed in active campaigns yet.
## Indicators of Compromise
- File Hashes: Not specified in the provided text.
- File Names: Go binary masquerading as `nmap`, archives named `GS`, `bootbou`.
- Registry Keys: Not applicable (Linux target).
- Network Indicators: IRC-style outbound connections to hard-coded C2 servers/channels.
- Behavioral Indicators:
  - Execution of cron jobs running every 60 seconds from unusual paths.
  - Installation and execution of compiler tools (like GCC) on production servers.
  - Mass outbound SSH scanning activity.
## Associated Threat Actors
- Not explicitly attributed to a specific group.
- Noted similarities with the Outlaw/Maxlas botnet ecosystem and various Romanian indicators.
## Detection Methods
- **Signature-based detection:** Signatures for known C-based IRC bots or specific payload hashes (if available).
- **Behavioral detection:** Alerting on outbound IRC-style traffic, on short-interval, frequently executing cron jobs, and on execution of system compilers (GCC) on hosts where they should not be present.
- **YARA rules:** Not specified in the provided text.
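As an added illustration of the behavioral detections listed above (example code, not part of the original report), the following Python checks constructed crontab lines for every-minute jobs launched from temporary filesystems and constructed connection records for outbound connections to well-known IRC ports; all sample paths, names and addresses are made up for this example.

```python
# Constructed sample crontab, modelled on the report's every-60-seconds
# watchdog cron persistence; paths and names are made up for this example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.x/nmap >/dev/null 2>&1
*/1 * * * * /tmp/.gs/bootbou
@reboot /usr/local/bin/node_exporter
"""
# Constructed connection records ("laddr raddr process"), in the shape one
# could derive from `ss -tnp`; addresses come from documentation ranges.
SAMPLE_CONNS = """\
10.0.0.5:51442 203.0.113.10:6667 nmap
10.0.0.5:44310 198.51.100.7:443 curl
10.0.0.5:51500 203.0.113.11:6697 nmap
10.0.0.5:22 192.0.2.9:60001 sshd
"""
SUSPECT_DIRS = ("/dev/shm", "/tmp", "/var/tmp")  # world-writable temp filesystems
IRC_PORTS = set(range(6660, 6670)) | {6697}      # plaintext IRC and IRC-over-TLS
def every_minute(schedule):
    """True if a five-field cron schedule fires every minute."""
    fields = schedule.split()
    return fields[0] in ("*", "*/1") and fields[1:] == ["*"] * 4

def suspicious_cron_jobs(crontab):
    """Commands scheduled every minute that launch from a temp directory."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):  # comments, @reboot etc.
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:           # e.g. VAR=value environment lines
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        if every_minute(schedule) and command.startswith(SUSPECT_DIRS):
            hits.append(command)
    return hits

def irc_like_connections(records):
    """(remote, process) pairs whose remote port is a well-known IRC port."""
    hits = []
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in IRC_PORTS:
            hits.append((parts[1], parts[2]))
    return hits
```

Port-based matching misses IRC on non-standard ports, so in practice it should be paired with egress filtering or payload inspection for IRC commands such as NICK, USER and JOIN.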
## Mitigation Strategies
- Disable SSH password authentication (enforce key-based authentication).
- Remove compilers (e.g., GCC toolchains) from production server images.
- Enforce strict egress filtering to control outbound connections.
- Restrict execution from temporary filesystems, specifically `/dev/shm`.
- Implement monitoring for compiler installation and execution on production servers.
## Related Tools/Techniques
- Classic IRC-based botnets.
- Cryptomining malware utilizing PhoenixMiner.
- Techniques similar to the Outlaw/Maxlas botnet.