New Linux Botnet Discovered

Feb 17, 2026

The SSHStalker botnet uses IRC C2 to control systems via legacy Linux kernel exploits.

There's a new bit of nastiness attacking Linux systems, and it uses the Internet Relay Chat (IRC) communication protocol to execute command-and-control (C2) takeovers.

This new, old-school botnet, called SSHStalker, was discovered by the Flare research team using an SSH honeypot. During a two-month period, Flare detected several attempts revealing a fairly sophisticated operation that used old-school technology with modern automation.

According to the report, SSHStalker chains an SSH scanner with rapid staging to hand off enrollment into IRC channels, and it is optimized for scale.

The extensive report states, "We’ve designated this operation 'SSHStalker' due to its distinctive behavior: The botnet maintained persistent access without executing any observable impact operations, despite having in its arsenal capabilities to launch DDoS attacks and conduct cryptomining." The report continues, "This 'dormant persistence' pattern – infecting systems and establishing control without immediate monetization – differentiates it from typical opportunistic botnet operations and suggests either infrastructure staging, testing phases, or strategic access retention for future use."

Flare further states, “We found a file that indicates almost 7,000 fresh results from an ssh scanner. These results were from January 2026 in a very close proximity to the attack against our honeypot.”

Flare's scan results were dominated by cloud hosting providers, with IP addresses distributed throughout global regions (US, EU, APAC), a pattern that is consistent with "opportunistic automation or disposable attack infrastructure rather than dedicated nation-state or boutique hosting operations."

There are several mitigation suggestions in the report, including such things as monitoring for gcc, make, or build tool execution on production servers; using antivirus solutions to scan for malicious code; checking for cron jobs that execute every minute; and more.
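One way to run the "cron jobs that execute every minute" check mentioned above, as an added example that is not taken from the Flare report or from Linux Magazine. The function names `expand` and `every_minute_jobs` and the sample crontab are constructed for illustration. The parser handles lists, ranges, and steps, so `*/1` and `0-59` are caught as well as a plain `*`.

```python
import re

# Constructed sample in /etc/cron.d format (with a user column); not from the report.
SAMPLE = """\
# m h dom mon dow user command
SHELL=/bin/sh
*/1 * * * * root /var/tmp/.cache/update >/dev/null 2>&1
0-59 * * * * www-data /usr/local/bin/healthcheck
*/5 * * * * root /usr/lib/sysstat/sa1 1 1
@reboot root /usr/local/bin/startup
"""

def expand(field, lo, hi):
    """Expand one cron field (lists, ranges, steps) into the set of values it matches."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = int(rng)
            end = hi if "/" in part else start  # "N/step" runs from N to the maximum
        values.update(range(start, end + 1, step))
    return values

def every_minute_jobs(crontab_text):
    """Return (line_number, line) for entries that fire on all 60 minutes of every hour."""
    hits = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        line = line.strip()
        # Skip blanks, comments, VAR=value lines and @reboot/@hourly style shortcuts.
        if not line or line[0] in "#@" or re.match(r"\w+\s*=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        try:
            minutes, hours = expand(fields[0], 0, 59), expand(fields[1], 0, 23)
        except ValueError:
            continue  # names or malformed fields are not handled in this sketch
        if len(minutes) == 60 and len(hours) == 24 and fields[2:5] == ["*"] * 3:
            hits.append((n, line))
    return hits

if __name__ == "__main__":
    print(*every_minute_jobs(SAMPLE), sep="\n")
```

A hit is a lead to review rather than a verdict, since legitimate monitoring jobs also run every minute; feed the function the contents of `/etc/crontab`, the files under `/etc/cron.d`, and each user's `crontab -l` output.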
 
 
