A previously undocumented Linux botnet has been discovered prowling the internet, using a mix of ancient tactics and modern automation to compromise servers. Dubbed SSHStalker by researchers at Flare, the botnet represents a surprising throwback in cybercrime evolution, proving that even 15-year-old techniques can still be effective if applied with enough persistence.
Flare’s research team uncovered the operation after their honeypots were hit by multiple attacks over a two-month period. What they found was a campaign that “blends 2009-era Internet Relay Chat (IRC) botnet tactics with modern mass-compromise automation”.
In an era where most botnets use sophisticated, encrypted web panels for Command and Control (C2), SSHStalker relies on Internet Relay Chat (IRC), the text-based chat protocol that was the standard for hackers in the late 1990s and 2000s.
“SSHStalker relies on classic, ‘old-school’ IRC botnet mechanics… indicating the threat actor prioritizes resilient, low-cost command-and-control over modern C2 sophistication,” the report explains.
The malware itself is a cobbled-together collection of legacy code. It uses multiple variants of C-based bots, Perl scripts, and known malware families like Tsunami and Keiten. This “kitchen sink” approach suggests an operator focused on redundancy rather than stealth.
While the backend is retro, the infection method is ruthlessly efficient. SSHStalker employs a “mass-compromise pipeline” that chains a custom Go-based SSH scanner with a rapid infection workflow.
Once a weak SSH password is found, the botnet doesn’t just install one backdoor; it installs a suite of them. “The campaign chains an SSH scanner… with rapid staging (GCC install, compile-and-run workflow)… consistent with a botnet operator optimizing for scale and repeatability,” Flare notes.
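The scanner-plus-weak-password pipeline described above leaves a characteristic trace in the target's SSH authentication log: a burst of failed password attempts from one source, followed by an accepted password login from the same source. The following detection logic is an added example for this article, not code from Flare's report or from the botnet; the sample log lines, host name, timestamps and 203.0.113.x / 198.51.100.x source addresses are constructed placeholders, the year is assumed because syslog-style sshd lines carry none, and the threshold and window are arbitrary starting points a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines for demonstration only (not from the Flare
# report). Host name, timestamps and source addresses are placeholders.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web1 sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:02 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:03 web1 sshd[4103]: Failed password for root from 203.0.113.5 port 51247 ssh2
Jan 12 10:00:04 web1 sshd[4104]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 12 10:00:05 web1 sshd[4105]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 12 10:00:06 web1 sshd[4106]: Accepted password for root from 203.0.113.5 port 51263 ssh2
Jan 12 10:00:30 web1 sshd[4107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 10:00:45 web1 sshd[4108]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_lines(text, year=2025):
    """Yield (timestamp, result, method, user, ip) for each line that matches.

    `year` is an assumption: syslog-style sshd lines do not record one.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect_password_guessing(text, threshold=5, window_seconds=60):
    """Flag sources with >= `threshold` password failures inside a sliding window.

    Returns {ip: {"failures": peak_failures_in_window, "compromise": bool}}.
    `compromise` becomes True when an 'Accepted password' from an already
    flagged source follows the burst, i.e. the guessing very likely succeeded.
    Key-based logins are ignored: they are not what a password scanner produces.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps inside the window
    flagged = {}
    for ts, result, method, user, ip in parse_sshd_lines(text):
        if method != "password":
            continue
        if result == "Failed":
            fails = recent_failures[ip]
            fails.append(ts)
            # Drop failures that have aged out of the window.
            while (ts - fails[0]).total_seconds() > window_seconds:
                fails.pop(0)
            if len(fails) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "compromise": False})
                entry["failures"] = max(entry["failures"], len(fails))
        elif result == "Accepted" and ip in flagged:
            flagged[ip]["compromise"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_password_guessing(SAMPLE_AUTH_LOG).items():
        status = "LIKELY COMPROMISED" if info["compromise"] else "guessing only"
        print(f"{ip}: {info['failures']} failures in window, {status}")
```

On the constructed sample, 203.0.113.5 is flagged with five failures and a subsequent accepted password login, which is the event a defender should treat as a probable compromise rather than just noise; 198.51.100.7 (one typo followed by a key login) is not flagged. In practice the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output, and the accepted-after-burst case is the one worth paging on.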
The botnet uses “low-effort persistence” mechanisms, such as cron jobs that run every minute, combined with a watchdog model that relaunches the malware if it’s killed.
“Defenders can disrupt it, but must do so comprehensively, or the bot returns within ~60 seconds,” the researchers warn.
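Because the persistence described here is an every-minute cron entry plus a relaunch check, a responder's first job is to enumerate crontabs for that pattern and remove the scheduling before killing anything, otherwise the next tick reinstalls what was just killed. The crontab triage below is an added example for this article, not code from Flare or from the malware; the crontab content, file names and `/tmp`, `/dev/shm` paths are constructed placeholders, and the indicators (every-minute schedule, `@reboot`, execution from scratch directories, a `pgrep`/`pidof ... ||` relaunch idiom) are the author's heuristics for the watchdog model the report describes, not signatures from it.

```python
import re

# Constructed crontab content for demonstration only (not from the Flare
# report). Paths, file names and commands are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
* * * * * /bin/sh -c 'pgrep -x httpd_upd >/dev/null || /tmp/.x/httpd_upd'
* * * * * cd /dev/shm/.cache && ./run >/dev/null 2>&1
@reboot /tmp/.x/httpd_upd
"""

EVERY_MINUTE = "* * * * *"
# World-writable scratch locations malware commonly executes from (heuristic).
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# "is it running? if not, start it" idiom: a process lookup followed by '||'.
RELAUNCH_HINT = re.compile(r"\b(pgrep|pidof)\b.*\|\|")


def parse_crontab(text):
    """Yield (schedule, command) for each non-comment, non-empty crontab line.

    Handles both five-field schedules and @reboot/@hourly-style keywords.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry; nothing to assess
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()


def assess_cron_entry(schedule, command):
    """Return the list of persistence indicators a single entry matches."""
    indicators = []
    if schedule == EVERY_MINUTE:
        indicators.append("every-minute schedule")
    if schedule == "@reboot":
        indicators.append("runs at boot")
    if any(d in command for d in SCRATCH_DIRS):
        indicators.append("executes from scratch directory")
    if RELAUNCH_HINT.search(command):
        indicators.append("watchdog relaunch pattern")
    return indicators


def find_suspicious_cron(text, min_indicators=2):
    """Return [(schedule, command, indicators)] worth a responder's attention.

    An entry is reported when it matches at least `min_indicators` heuristics,
    or whenever it shows the watchdog relaunch pattern on its own.
    """
    findings = []
    for schedule, command in parse_crontab(text):
        indicators = assess_cron_entry(schedule, command)
        if len(indicators) >= min_indicators or "watchdog relaunch pattern" in indicators:
            findings.append((schedule, command, indicators))
    return findings


if __name__ == "__main__":
    # On a live host the input would come from `crontab -l` for every user,
    # plus /etc/crontab, /etc/cron.d/* and the per-user spool directory.
    for schedule, command, indicators in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}\n    -> {', '.join(indicators)}")
```

On the constructed sample the legitimate nightly and 15-minute jobs score nothing, while the three scratch-directory entries are reported, one of them with the explicit relaunch idiom. The reason to run this before any process cleanup is the 60-second figure quoted above: a responder who kills the process but leaves the every-minute entry in place simply watches it come back, so the order is remove the cron entries, then terminate the processes, then delete the staged binaries, then verify nothing reappears over a few minutes.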
Despite this noise, the botnet shows a “strong operational discipline” in how it manages its infrastructure, frequently recycling tools and maintaining long-term access to compromised hosts.
Flare assesses that the operator behind SSHStalker is likely a “mid-tier” actor, potentially based in Romania given the localized artifacts found in the code. They are not developing zero-day exploits, but they don’t need to. By automating the exploitation of weak passwords and using redundant, resilient C2 channels, they have built a functional zombie army from the neglected corners of the internet.
“The threat actor is not developing zero-days or novel rootkits, but demonstrating strong operational discipline in mass compromise workflows,” the report concludes.