SSHStalker IRC-controlled Linux botnet
Malware Activity
Summary
Hide ▲
Show ▼
Researchers disclosed SSHStalker, a Linux botnet that uses IRC C2 and automated SSH scanning to compromise exposed systems, increasing the risk of persistent control across legacy environments. The toolkit pairs mass-compromise automation with old Linux kernel exploits and log-tampering features that reduce forensic visibility. It also includes a keep-alive component that relaunches the malware quickly if defenders terminate it.
Related Happenings
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware ActivityAbout this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
China-nexus agentic tools attack campaign targeting Japanese technology and East Asian cybersecurity organizations
Campaign
H score31
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
A **China-nexus actor** used **agentic tools** in a targeted attack against a **Japanese technology firm** and an **East Asian cybersecurity platform**, showing how AI-driven orch...
China-nexus agentic tools attack campaign targeting Japanese technology and East Asian cybersecurity organizations
CampaignAbout this happening: A **China-nexus actor** used **agentic tools** in a targeted attack against a **Japanese technology firm** and an **East Asian cybersecurity platform**, showing how AI-driven orch...
Linux kernel Dirty Frag blocklist mitigation
Advisory/Mitigation
H score41
First: 08.05.2026 08:12
Last: 08.05.2026 08:12
Sources 1
About this happening:
**CloudLinx** and Linux distribution advisories now recommend blocklisting **esp4**, **esp6**, and **rxrpc** to reduce exposure to the **Dirty Frag** Linux kernel **LPE** while pa...
Linux kernel Dirty Frag blocklist mitigation
Advisory/MitigationAbout this happening: **CloudLinx** and Linux distribution advisories now recommend blocklisting **esp4**, **esp6**, and **rxrpc** to reduce exposure to the **Dirty Frag** Linux kernel **LPE** while pa...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
H score27
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware ActivityAbout this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw
Vulnerability
H score56
First: 13.03.2026 10:18
Last: 13.03.2026 10:18
Sources 1
About this happening:
Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...
Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw
VulnerabilityAbout this happening: Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...
Timeline
-
11.02.2026 11:56 2 articles · 4mo ago
SSHStalker botnet disclosure
Initial DisclosureResearchers disclosed SSHStalker, a Linux botnet that uses IRC command-and-control and automated SSH scanning to co-opt susceptible systems, enroll them in IRC channels, and maintain persistent access without follow-on post-exploitation behavior. The toolkit includes log tampering with utmp/wtmp/lastlog, a keep-alive component that relaunches the main malware process within 60 seconds if terminated, a Golang scanner that targets port 22, and payloads such as an IRC-controlled bot and a Perl file bot tied to an UnrealIRCd IRC Server. The malware family also carries a catalog of legacy Linux kernel exploits, including CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437, while staging infrastructure reportedly contained rootkits, cryptocurrency miners, EnergyMech, and tooling for stealing exposed AWS secrets; analysis also suggested possible Romanian origin and overlap with Outlaw aka Dota.
Show sources
- SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits — thehackernews.com — 11.02.2026 11:56
- SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits — thehackernews.com — 11.02.2026 11:56