
SSHStalker IRC-controlled Linux botnet

Malware Activity
First reported
Last updated
Happening score: 28
1 unique source, 1 article

Summary


Researchers disclosed SSHStalker, a Linux botnet that uses IRC command-and-control (C2) and automated SSH scanning to compromise Internet-exposed SSH servers, increasing the risk of persistent control across legacy environments. The toolkit pairs mass-compromise automation with a catalog of legacy (2009-2010) Linux kernel exploits and log-tampering features that reduce forensic visibility. It also includes a keep-alive component that relaunches the malware within about a minute if defenders terminate it.

Related Happenings

China-nexus agentic tools attack campaign targeting Japanese technology and East Asian cybersecurity organizations

Campaign
First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: A **China-nexus actor** used **agentic tools** in a targeted attack against a **Japanese technology firm** and an **East Asian cybersecurity platform**, showing how AI-driven orch...

Linux kernel Dirty Frag blocklist mitigation

Advisory/Mitigation
First: 08.05.2026 08:12 Last: 08.05.2026 08:12 Sources 1

About this happening: **CloudLinx** and Linux distribution advisories now recommend blocklisting **esp4**, **esp6**, and **rxrpc** to reduce exposure to the **Dirty Frag** Linux kernel **LPE** while pa...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw

Vulnerability
First: 13.03.2026 10:18 Last: 13.03.2026 10:18 Sources 1

About this happening: Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...

Remcos RAT variant with real-time surveillance and evasion

Malware Activity
First: 19.02.2026 18:30 Last: 19.02.2026 18:30 Sources 1

About this happening: A newly observed **Remcos RAT** variant now enables **real-time surveillance** on compromised **Windows** systems, increasing the risk of immediate **webcam monitoring** and **liv...

Timeline

  1. 11.02.2026 11:56 2 articles · 3mo ago

    SSHStalker botnet disclosure

    Initial Disclosure

    Researchers disclosed SSHStalker, a Linux botnet that uses IRC command-and-control and automated SSH scanning to co-opt susceptible systems, enroll them in IRC channels, and maintain persistent access, without follow-on post-exploitation activity. The toolkit includes log tampering of utmp/wtmp/lastlog, a keep-alive component that relaunches the main malware process within 60 seconds if it is terminated, a Golang scanner that targets port 22, and payloads such as an IRC-controlled bot and a Perl file bot tied to an UnrealIRCd server.

    The malware family also carries a catalog of legacy Linux kernel exploits, including CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437. Staging infrastructure reportedly contained rootkits, cryptocurrency miners, EnergyMech, and tooling for stealing exposed AWS secrets; analysis also suggested a possible Romanian origin and overlap with Outlaw (aka Dota).

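The summary and the timeline entry above both mention log tampering of utmp/wtmp/lastlog as the feature that reduces forensic visibility. The following is an added example, not code from the page or from SSHStalker itself, showing the checks a responder can run over a wtmp file to spot that kind of tampering. It assumes the glibc x86_64 struct utmp layout (384 bytes per record) and a constructed wtmp image built inline; wtmp is append-only and chronological, so a record zeroed in place, a timestamp that goes backwards, or a logout (DEAD_PROCESS) for a tty with no matching login (USER_PROCESS) are all signs that entries were edited or removed.

```python
"""
Audit a wtmp image for the traces a log cleaner leaves behind.

Added example; not the page's or the malware's code. Assumes the glibc
x86_64 'struct utmp' (384 bytes) and uses a constructed sample file.
"""
import struct

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit (2 shorts), ut_session, ut_tv (2 x int32), ut_addr_v6, pad
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 on x86_64 glibc
assert UTMP_SIZE == 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one 384-byte wtmp record (used only to construct sample data)."""
    enc = lambda s, n: s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, enc(line, 32), enc(line[-4:], 4),
                       enc(user, 32), enc(host, 256),
                       0, 0, 0,          # ut_exit.e_termination, e_exit, ut_session
                       ts, 0,            # ut_tv.tv_sec, tv_usec
                       0, 0, 0, 0)       # ut_addr_v6


def parse_wtmp(data):
    """Split a wtmp image into records; a partial trailing record is ignored."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"offset": off, "type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "user": cstr(f[4]), "host": cstr(f[5]), "ts": f[9],
                        "zeroed": data[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE})
    return records


def find_tampering(records):
    """Return (offset, reason) findings for records that break wtmp's invariants."""
    findings = []
    open_logins = {}   # tty line -> user currently logged in on it
    last_ts = 0
    for r in records:
        if r["zeroed"]:
            # Cleaners that "delete" an entry by overwriting it in place leave an all-zero block.
            findings.append((r["offset"], "record zeroed in place"))
            continue
        if r["ts"] < last_ts:
            # wtmp is appended in time order; a backwards jump means records were rewritten.
            findings.append((r["offset"], "timestamp goes backwards (%d < %d)" % (r["ts"], last_ts)))
        last_ts = max(last_ts, r["ts"])
        if r["type"] == USER_PROCESS:
            open_logins[r["line"]] = r["user"]
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_logins:
                # A logout for a tty that never logged in: the USER_PROCESS record was removed.
                findings.append((r["offset"], "logout on %s with no matching login" % r["line"]))
            open_logins.pop(r["line"], None)
    return findings


# Constructed wtmp image (not real data): a boot, two SSH logins, one record
# wiped in place, then a logout for pts/2 whose login record was removed entirely.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1_700_000_000),
    pack_record(USER_PROCESS, 1201, "pts/0", "alice", "198.51.100.7", 1_700_000_300),
    pack_record(USER_PROCESS, 1340, "pts/1", "bob", "203.0.113.9", 1_700_000_600),
    b"\0" * UTMP_SIZE,                                                 # tampered: zeroed
    pack_record(DEAD_PROCESS, 1340, "pts/1", "", "", 1_700_000_900),
    pack_record(DEAD_PROCESS, 1502, "pts/2", "", "", 1_700_001_200),   # orphan logout
    pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_700_001_500),
])


def audit(data=SAMPLE_WTMP):
    """Run all checks over a wtmp image and return the findings."""
    return find_tampering(parse_wtmp(data))


if __name__ == "__main__":
    for off, why in audit():
        print("offset %6d: %s" % (off, why))
```

On a live host, run `audit(open("/var/log/wtmp", "rb").read())` and compare against the rotated `wtmp.1` as well: a DEAD_PROCESS whose login predates the rotation is benign, as are the DEAD_PROCESS entries init writes at boot, so treat the orphan-logout check as a lead to corroborate against sshd's auth log rather than as proof on its own. Because the same tooling tampers with lastlog, a user whose last-login time is newer than anything in wtmp for that user is a further cheap cross-check.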