Cybersecurity researchers have published details of a new botnet operation known as SSHStalker, which uses the Internet Relay Chat (IRC) protocol for command-and-control (C2). "The toolset combines stealth helpers with legacy-era Linux exploitation: the actor maintains a sizable back-catalog of Linux 2.6.x-era exploits (2009–2010 CVEs) in addition to log cleaners (utmp/wtmp/lastlog tampering) and rootkit-class artifacts," according to cybersecurity firm Flare.

"These are not very useful against contemporary stacks, but they are still effective against long-tail legacy environments and 'forgotten' infrastructure."

SSHStalker is an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt vulnerable systems into a network and enroll them in IRC channels, combining IRC botnet mechanics with this technique.

However, unlike campaigns that typically use such botnets for opportunistic ends such as distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining, SSHStalker has been observed to maintain continuous access without any subsequent post-exploitation activity. This dormant behavior sets it apart and suggests that the compromised infrastructure may be used for testing, staging, or the retention of strategic access for later use. SSHStalker's main component is a Golang scanner that looks for servers with SSH open on port 22, allowing the operation to expand in a worm-like manner.
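A scanner of the kind described above leaves a recognizable trail in sshd logs: bursts of failed logins from one source that cycle through many usernames. As an added example from the defender's side (not from the article or from Flare), the following Python script flags such sources in syslog-format sshd lines. The log lines, thresholds, window size, and the assumed year are all constructed for the demonstration and are not values from the report.

```python
"""Flag SSH scanner / credential-spray sources in sshd syslog lines.

Added example for defenders; the log lines, thresholds and window are
constructed assumptions and not taken from the SSHStalker report.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH authentication failures in syslog format, e.g.
# "Mar 12 10:15:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

WINDOW_SECONDS = 60      # assumption: look for bursts within one minute
MIN_ATTEMPTS = 5         # assumption: failures per window that count as a burst
MIN_DISTINCT_USERS = 3   # assumption: distinct usernames that mark a scanner


def parse_failures(lines, year=2024):
    """Group (timestamp, username) failure events by source IP.

    Syslog timestamps carry no year, so one is supplied (assumed 2024).
    Lines that are not failed-password events are ignored.
    """
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    return events


def detect_scanners(lines, year=2024):
    """Return {ip: {"attempts": n, "distinct_users": k}} for sources that, within
    any WINDOW_SECONDS span, produced at least MIN_ATTEMPTS failures spread over
    at least MIN_DISTINCT_USERS usernames. A user fumbling their own password
    hits one account repeatedly and is not flagged."""
    flagged = {}
    for ip, evs in parse_failures(lines, year).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= WINDOW_SECONDS
            while (evs[end][0] - evs[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            users_in_window = {u for _, u in window}
            if len(window) >= MIN_ATTEMPTS and len(users_in_window) >= MIN_DISTINCT_USERS:
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({u for _, u in evs}),
                }
                break
    return flagged


# Constructed sample log: one spraying source and one legitimate user typo.
SAMPLE_LOG = [
    "Mar 12 10:15:02 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "Mar 12 10:15:07 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2",
    "Mar 12 10:15:13 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2",
    "Mar 12 10:15:20 web1 sshd[2218]: Failed password for invalid user test from 203.0.113.9 port 51244 ssh2",
    "Mar 12 10:15:28 web1 sshd[2220]: Failed password for invalid user ubuntu from 203.0.113.9 port 51249 ssh2",
    "Mar 12 10:15:39 web1 sshd[2223]: Failed password for invalid user git from 203.0.113.9 port 51251 ssh2",
    "Mar 12 10:20:01 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "Mar 12 10:20:09 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "Mar 12 10:20:15 web1 sshd[2300]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures across {info['distinct_users']} usernames")
```

The distinct-username condition is what separates a scanner from a forgetful user; tuning `MIN_ATTEMPTS` and `WINDOW_SECONDS` to the host's normal traffic is left to the operator.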

The operation also drops a number of payloads, including variants of an IRC-controlled bot and a Perl file bot that connects to an UnrealIRCd IRC server, joins a control channel, and awaits instructions to launch flood-style traffic attacks or take command of the bots. Another characteristic of the attacks is the use of C programs to scrub SSH connection logs and remove evidence of malicious activity, reducing forensic visibility. Additionally, a "keep-alive" component of the toolkit ensures that if a security tool terminates the main malware process, it is restarted within 60 seconds.
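The log cleaners mentioned above and in Flare's quote work by overwriting or removing records in the binary utmp/wtmp files. As an added example from the defender's side (not from the article or from Flare), this Python script parses wtmp records using glibc's struct utmp layout for 64-bit Linux (384 bytes per record, an assumption about the platform) and applies three heuristics that such tampering tends to leave behind: zeroed records wedged between live ones, timestamps that run backwards in an append-only file, and logouts whose matching login has vanished. The sample file bytes are constructed in-line.

```python
"""Detect residue of utmp/wtmp log cleaning in a wtmp byte stream.

Added example; the record layout is glibc's struct utmp on x86_64 (assumed)
and the sample records are constructed here, not taken from any real host.
"""
import struct

# struct utmp (glibc, x86_64): ut_type, 2 pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{e_termination,e_exit}, ut_session,
# ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], 20 reserved bytes -> 384 bytes
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8   # ut_type values from <utmp.h>


def parse_wtmp(data):
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    usable = len(data) - (len(data) % UTMP_SIZE)
    for off in range(0, usable, UTMP_SIZE):
        (ut_type, pid, line, _ident, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "index": off // UTMP_SIZE,
            "type": ut_type,
            "pid": pid,
            "line": line.rstrip(b"\0").decode(errors="replace"),
            "user": user.rstrip(b"\0").decode(errors="replace"),
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "time": tv_sec,
        })
    return records


def find_tampering(data):
    """Return a list of (record_index, reason) findings.

    Heuristics:
      * an all-zero record followed by live records: "zap"-style cleaners
        overwrite the entry for a user/host with NULs rather than compacting
      * a timestamp lower than the previous live record: wtmp is append-only,
        so time should never step backwards
      * a DEAD_PROCESS (logout) on a tty with no preceding USER_PROCESS (login):
        the login entry was removed. This can also fire legitimately right
        after log rotation, so treat it as a lead rather than proof.
    """
    recs = parse_wtmp(data)
    findings = []
    last_time = None
    open_lines = set()
    for i, r in enumerate(recs):
        if r["type"] == EMPTY and r["time"] == 0 and r["pid"] == 0:
            if any(x["type"] != EMPTY for x in recs[i + 1:]):
                findings.append((r["index"], "zeroed record between live entries"))
            continue
        if last_time is not None and r["time"] < last_time:
            findings.append((r["index"], "timestamp earlier than previous record"))
        last_time = r["time"]
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                findings.append((r["index"], "logout without matching login"))
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed wtmp record (short byte strings are NUL-padded)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: two logins, a record a cleaner zeroed out, a normal
# logout, then a logout for a tty whose login is gone and whose time is older.
SAMPLE_TAMPERED = b"".join([
    make_record(USER_PROCESS, 4101, "pts/0", "alice", "198.51.100.7", 1000),
    make_record(USER_PROCESS, 4155, "pts/1", "bob", "192.0.2.44", 1100),
    b"\0" * UTMP_SIZE,
    make_record(DEAD_PROCESS, 4101, "pts/0", "", "", 1300),
    make_record(DEAD_PROCESS, 4203, "pts/2", "", "", 1250),
])

# Constructed sample with consistent login/logout pairs and ordered times.
SAMPLE_CLEAN = b"".join([
    make_record(USER_PROCESS, 4101, "pts/0", "alice", "198.51.100.7", 1000),
    make_record(USER_PROCESS, 4155, "pts/1", "bob", "192.0.2.44", 1100),
    make_record(DEAD_PROCESS, 4101, "pts/0", "", "", 1300),
    make_record(DEAD_PROCESS, 4155, "pts/1", "", "", 1400),
])

if __name__ == "__main__":
    for idx, reason in find_tampering(SAMPLE_TAMPERED):
        print(f"record {idx}: {reason}")
```

On a live system the same checks run over the bytes of /var/log/wtmp, ideally compared against an off-host copy shipped by a log forwarder, since a cleaner that runs as root can rewrite the local file but not the records already sent elsewhere.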

Notably, SSHStalker pairs its mass-compromise automation with a list of 16 different Linux kernel vulnerabilities, some dating back to 2009. The exploit module makes use of several of them, including CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437. Flare's examination of the threat actor's staging infrastructure revealed a vast collection of publicly available malware samples and open-source offensive tools.

These include rootkits to help with persistence and stealth; cryptocurrency miners; a Python script that uses a "website grabber" binary to steal Amazon Web Services (AWS) secrets from specific websites; and EnergyMech, an IRC bot that provides C2 and can execute commands remotely. The presence of "Romanian-style nicknames, slang patterns, and naming conventions inside IRC channels and configuration wordlists" raises the possibility that the threat actor responsible for the activity is Romanian. Furthermore, there are notable similarities between the operational fingerprint and that of the hacker collective Outlaw (also known as Dota).

The toolkit primarily uses C for the core bot and low-level components, shell for orchestration and persistence, and limited Python and Perl for utility and supporting automation tasks inside the attack chain and for running the IRC bot. "SSHStalker does not appear to focus on novel exploit development but instead demonstrates operational control through mature implementation and orchestration," Flare said. "The threat actor is exhibiting strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments, rather than creating zero-days or novel rootkits."