A recently identified Linux botnet called SSHStalker uses automation to compromise servers via SSH and retains control over them through Internet Relay Chat (IRC). It works primarily by guessing weak or commonly used passwords, then uses each compromised host as a launch point for further scanning and installs. In early-2026 honeypot intrusions the attackers dropped a Golang binary named "nmap", which in fact probes port 22 to discover new targets.
To deploy IRC bots and helper tools, they then unpacked layered archives such as GS and bootbou.tgz, compiled small C files, and pulled down GCC. The staging data also contained nearly 7,000 fresh SSH scan results from January 2026, many of them IP addresses in large cloud hosting ranges.
[Figure: An ASCII image discovered in one of the threat actor's files (Source: Flare)]
After comparing its samples, workflow, and infrastructure against public reports and popular malware collections, Flare researchers determined that this cluster was previously unreported. In their assessment the operation is scale-first: cobbled together from existing parts, prioritising low cost and uptime over stealth, and repeatable across Linux builds. Even where there was little sign of operator tasking, they observed "dormant persistence," with systems enrolled in control channels.
The "SSHStalker attack flow" diagram maps the build-and-run pipeline, which includes redundant servers and channels as well as several IRC bot variants written in C and Perl.
[Figure: The attack flow of SSHStalker (Source: Flare)]
The same kit also includes older Linux 2.6.x exploits that still work on unpatched systems, as well as log cleaners that target shell history and the utmp/wtmp/lastlog records.

Persistence that resurfaces
Persistence is direct but efficient: SSHStalker adds a cron job that runs once every minute from its working directory to execute an update watchdog. The script checks a PID file and restarts the runner if defenders kill the main process, usually regaining control in about 60 seconds.
Because the kit recovers so quickly, responders must remove every component of it, or the bot will return before incident work is complete.
Alongside its indicators of compromise, the report lays out a workable remediation: eliminate the one-minute cron entry, erase the entire kit directory (typically located in /dev/shm), and search for services or init scripts added by the "distro" helper. To stop re-entry, disable SSH password authentication, implement key-based access, rate-limit brute-force attempts, and limit SSH exposure to trusted networks. On hosts, alert on unexpected GCC or make runs from user directories, /tmp, or /dev/shm, and on newly compiled binaries that execute within minutes of compilation.
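The one-minute cron watchdog described above is the most distinctive host artefact of this kit, so the following added example (not code from the article or from Flare) shows how a responder might triage crontab contents for it. It parses standard five-field crontab lines and flags entries that both run every minute and reference a volatile staging directory such as /dev/shm; the crontab text is a constructed sample, and the directory list and scoring rule are assumptions for illustration.

```python
"""Triage crontab entries for SSHStalker-style watchdog persistence."""
import re
from dataclasses import dataclass

# Assumed list of directories the article names as staging locations.
STAGING_DIRS = ("/dev/shm", "/tmp", "/var/tmp")

# Constructed sample crontab, not taken from a real host.
SAMPLE_CRONTAB = """\
# constructed sample
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * cd /dev/shm/.x && ./update >/dev/null 2>&1
"""


@dataclass
class Finding:
    line: str
    reasons: tuple


def runs_every_minute(fields):
    """True when the five schedule fields fire once per minute."""
    return fields[0] in ("*", "*/1") and all(f == "*" for f in fields[1:5])


def analyze_crontab(text):
    """Return Finding objects for entries matching two or more heuristics."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and VAR=value environment settings.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # @reboot-style or malformed lines are out of scope here
        schedule, command = parts[:5], parts[5]
        reasons = []
        if runs_every_minute(schedule):
            reasons.append("runs every minute")
        if any(d in command for d in STAGING_DIRS):
            reasons.append("references volatile staging directory")
        if re.search(r"\bcd\s+\S+\s*(&&|;)", command):
            reasons.append("changes into a working directory first")
        if len(reasons) >= 2:  # assumed threshold to keep noise down
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze_crontab(SAMPLE_CRONTAB):
        print(f.line, "->", ", ".join(f.reasons))
```

On a live host, feed it the output of `crontab -l` for each user plus the system crontab files rather than the embedded sample.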
Use egress filtering at the network edge to prevent servers from maintaining persistent outgoing TCP sessions to unidentified IRC infrastructure, and keep an eye out for IRC client registration and channel joins.