SSHStalker IRC botnet mass-compromise campaign
Campaign
Summary
SSHStalker is now tied to a coordinated mass-compromise campaign that uses SSH scanning and IRC-based control to enroll vulnerable systems. The operation matters because it is built to co-opt susceptible systems at scale across legacy Linux environments rather than just run a single botnet instance. It also shows persistent access and log-cleaning behavior that can help the operator retain footholds and reduce visibility. The activity expands the risk to neglected infrastructure that still exposes port 22 and older kernel weaknesses.
Related Happenings
SSHStalker IRC-controlled Linux botnet
Malware Activity
First: 11.02.2026 11:56
Last: 11.02.2026 11:56
Sources 1
How related:
Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.
About this happening:
Researchers disclosed **SSHStalker**, a **Linux botnet** that uses **IRC C2** and automated **SSH scanning** to compromise exposed systems, increasing the risk of persistent contr...
SSHStalker Linux botnet with IRC C2 and SSH brute forcing
Malware Activity
First: 11.02.2026 01:09
Last: 11.02.2026 01:09
Sources 1
About this happening:
The **SSHStalker** **Linux botnet** now uses **IRC** for command-and-control, giving operators a low-cost but resilient way to manage infected hosts. It spreads through **SSH scan...
TeamPCP cloud-native exploitation campaign
Campaign
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...
Latest development: 23.03.2026 10:31
Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Timeline
- 11.02.2026 11:56 · 2 articles · 3mo ago
SSHStalker botnet disclosure
Initial Disclosure: Cybersecurity researchers disclosed a new botnet operation called SSHStalker that targets susceptible Linux systems, uses IRC for command-and-control, and recruits hosts with an SSH scanner and other scanners into IRC channels. The toolkit also includes log tampering, a keep-alive relaunch component, legacy Linux kernel exploits from 2009–2010, and payloads tied to IRC control and flood-style traffic attacks, indicating a mass-compromise campaign built for persistent access on neglected infrastructure.
Sources
- SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits — thehackernews.com — 11.02.2026 11:56