Monday 06 July 2026 20:07:13 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Malware & Botnets

Old School, New Rules: How SSH Automation Revived the Classic IRC Botnet

Published: 12 February 2026 09:38Category: Malware & BotnetsAuthor: TRUSTBREAKER

A modern Linux botnet campaign leverages decades-old tactics-proving legacy cybercrime never truly dies.

Under the digital surface, a new cyber threat is quietly rewriting the rules of botnet warfare. Dubbed "SSHStalker" by security researchers, this campaign is breathing new life into a relic of the early internet: the IRC-based botnet. But unlike its stealthier, more sophisticated descendants, SSHStalker is succeeding not by hiding in the shadows-but by automating brute force, thriving on scale, and weaponizing forgotten vulnerabilities.

The SSHStalker operation is a study in paradox. Despite using outdated malware toolkits and IRC (Internet Relay Chat) servers for command and control, its pipeline is ruthlessly efficient. It starts with a Golang-based scanner, disguised as the legitimate “nmap” utility, prowling the internet for systems with SSH (port 22) wide open. Once a vulnerable host is found, the worm-like malware installs itself and immediately begins scanning for new victims, creating a self-sustaining infection loop.

The infection doesn’t stop with a single payload. After breaching a server, SSHStalker grabs the GNU Compiler Collection (GCC) and compiles several C-based IRC bots directly on the target machine. These bots connect to multiple IRC channels using hard-coded credentials, ensuring that even if one control server goes dark, the botnet’s operators retain access. Additional payloads include Perl bots, privilege escalation scripts, and utilities to scrub logs-making forensic analysis a headache for defenders.

SSHStalker’s approach is noisy but persistent. By installing a cron job set to execute every minute, the malware guarantees its survival. Kill the process, and it’s back in 60 seconds-unless defenders scrub the cron job itself. The campaign also ships with a dusty arsenal of Linux kernel exploits from the late 2000s, still effective against unpatched legacy servers and forgotten VPS images. These exploits, paired with rootkits and cryptomining tools, hint at a “compromise now, monetize later” strategy.

Researchers note striking similarities to older Romanian botnets, though direct attribution remains elusive. The campaign’s toolkit even includes a web reconnaissance utility designed to hunt for exposed AWS credentials-evidence that the operators are not just after SSH keys, but any foothold into cloud infrastructure.

For defenders, the warning signs are clear: unexpected GCC activity, binaries appearing in temporary directories, persistent outbound IRC connections, and relentless cron jobs. Security experts urge organizations to disable SSH password logins, enforce key-only access, restrict compilers, and monitor for suspicious process activity-especially in cloud environments where legacy systems still lurk.

SSHStalker is a stark reminder: in cybersecurity, what’s old can be new again. With automation and scale, even retro attack methods can threaten today’s cloud-driven world-especially when defenders let their guard down.

WIKICROOK

  • IRC (Internet Relay Chat): IRC is an old chat protocol still used today, often abused by hackers to control botnets and coordinate cyberattacks.
  • SSH (Secure Shell): SSH (Secure Shell) is a protocol that allows users to securely access and control computers remotely over a network, protecting data with encryption.
  • Cron job: A Cron Job is an automated task set to run at scheduled times on Unix-like systems, commonly used for maintenance or by hackers for persistence.
  • Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
  • GCC (GNU Compiler Collection): GCC is an open-source compiler suite for several languages, often used in development but sometimes abused by attackers to compile malware on target systems.