SSHStalker Linux botnet with IRC C2 and SSH brute forcing
Malware Activity
Summary
The SSHStalker Linux botnet uses IRC for command-and-control, giving operators a low-cost but resilient way to manage infected hosts. It spreads by scanning for exposed SSH services and brute forcing their credentials, then keeps control of compromised Linux systems through cron-based persistence and follow-on payload modules. Researchers also observed nearly 7,000 bot scans, mostly against Oracle Cloud infrastructure, showing broad opportunistic reach. The botnet’s toolkit includes modules for privilege escalation, AWS key harvesting, and PhoenixMiner deployment, raising the risk of follow-on abuse and monetization.
Related Happenings
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
AWS Bedrock AgentCore Code Interpreter DNS exfiltration and covert C2 in Sandbox Mode
Technical Analysis
First: 16.03.2026 15:00
Last: 16.03.2026 15:00
Sources 1
About this happening:
Researchers demonstrated **DNS-based exfiltration** and covert **C2** against **AWS Bedrock AgentCore Code Interpreter**, showing cloud AI code execution environments can still le...
GhostLoader RAT-stealer via @openclaw-ai/openclawai
Malware Activity
First: 09.03.2026 20:31
Last: 09.03.2026 20:31
Sources 1
About this happening:
A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
SSHStalker IRC-controlled Linux botnet
Malware Activity
First: 11.02.2026 11:56
Last: 11.02.2026 11:56
Sources 1
About this happening:
Researchers disclosed **SSHStalker**, a **Linux botnet** that uses **IRC C2** and automated **SSH scanning** to compromise exposed systems, increasing the risk of persistent contr...
Timeline
11.02.2026 01:09 · 2 articles
SSHStalker Linux botnet disclosed with IRC C2 and SSH brute forcing
Initial Disclosure: Researchers at Flare documented SSHStalker, a Linux botnet that uses IRC for command-and-control, automated SSH scanning and brute forcing with a Go binary masquerading as nmap, on-host compilation with GCC, cron-based persistence every 60 seconds, and follow-on modules for privilege escalation, AWS key harvesting, website scanning, and PhoenixMiner deployment. Flare also noted nearly 7,000 bot scans from January, mostly against Oracle Cloud infrastructure, while the bots currently connect to C2 and then idle, suggesting testing or access hoarding.
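The three host-side traces a defender can hunt for in that description are password brute forcing that ends in a successful login, an every-minute cron entry launching a binary from an untrusted path, and a Go-compiled file named nmap. The script below is an added triage example written for this page; it is not code from Flare's report or from the botnet, and the sshd log lines, crontab contents and file bytes are constructed samples. The failure threshold, the trusted-directory allowlist and the Go byte markers are assumptions of this example, not indicators taken from the report.

```python
"""Triage helpers for SSHStalker-style tradecraft: SSH password brute forcing
followed by a successful login, every-minute cron persistence, and a Go binary
masquerading as nmap. Added example with constructed sample data; thresholds,
trusted paths and byte markers are assumptions, not indicators from the report."""
import re
from collections import defaultdict

# Constructed sshd log lines in syslog format (not real telemetry).
SAMPLE_AUTH_LOG = """\
Feb 11 01:09:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 11 01:09:02 host sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb 11 01:09:03 host sshd[2203]: Failed password for invalid user ubuntu from 203.0.113.7 port 51024 ssh2
Feb 11 01:09:04 host sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Feb 11 01:09:05 host sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Feb 11 01:09:06 host sshd[2206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Feb 11 01:09:30 host sshd[2250]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Feb 11 01:10:00 host sshd[2300]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_ssh_bruteforce(log_text, threshold=5):
    """Return a dict keyed by source IP for every IP with at least `threshold`
    failed password attempts. Each entry lists the usernames tried and any
    password-auth success that came after the failures, which is the trace a
    successful brute forcer leaves. `threshold` is an assumed tuning value."""
    failures = defaultdict(list)   # ip -> [user, ...]
    successes = defaultdict(list)  # ip -> [(method, user), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Only record a success that follows failures from the same IP.
            if failures[ip]:
                successes[ip].append((method, user))
    result = {}
    for ip, users in failures.items():
        if len(users) >= threshold:
            result[ip] = {
                "failures": len(users),
                "users": sorted(set(users)),
                "success_after": [u for meth, u in successes[ip] if meth == "password"],
            }
    return result


# Constructed crontab contents: a benign nightly job, an every-minute entry
# launching a binary from a hidden temp directory, and a benign minute job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/nmap >/dev/null 2>&1
*/1 * * * * /usr/bin/uptime >> /var/log/uptime.log
"""

TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")  # assumed allowlist


def find_minute_cron(crontab_text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return the commands of crontab entries that fire every minute and whose
    executable lives outside the trusted directories. A job re-run every 60
    seconds matches the persistence the report describes; the allowlist is an
    assumption of this example."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        every_minute = schedule[0] in ("*", "*/1") and all(f == "*" for f in schedule[1:])
        exe = command.split()[0]
        if every_minute and not exe.startswith(trusted_prefixes):
            hits.append(command)
    return hits


# Byte markers found in Go-compiled ELF binaries (assumed heuristic, not a
# signature from the report): the build ID note and the pclntab section name.
GO_MARKERS = (b"Go build ID:", b".gopclntab")


def looks_like_go_binary(data):
    """True if the bytes carry a Go toolchain marker. Real nmap is a C program,
    so a file named nmap that is a Go binary matches the masquerade described."""
    return any(marker in data for marker in GO_MARKERS)


# Constructed stand-ins for file contents, not real binaries.
FAKE_NMAP_BYTES = b"\x7fELF" + b"\x00" * 16 + b".gopclntab" + b"\x00" * 8
REAL_NMAP_BYTES = b"\x7fELF" + b"\x00" * 16 + b"libpcap.so.1" + b"\x00" * 8

if __name__ == "__main__":
    print(find_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print(find_minute_cron(SAMPLE_CRONTAB))
    print(looks_like_go_binary(FAKE_NMAP_BYTES), looks_like_go_binary(REAL_NMAP_BYTES))
```

On a live host the same functions can be fed `/var/log/auth.log` (or `journalctl -u ssh`), the output of `crontab -l` for each user plus `/etc/cron.d`, and the bytes of any `nmap` found outside the package manager's path; the point of keying brute-force hits on a password-auth success after failures is to separate a noisy scanner from one that actually got in.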
- New Linux botnet SSHStalker uses old-school IRC for C2 comms — www.bleepingcomputer.com — 11.02.2026 01:09