SSHStalker botnet brute-forces its way onto 7,000 Linux machines
Summary
SSHStalker is a botnet that compromises Linux servers by brute-forcing weak SSH passwords (a method of repeatedly guessing login credentials), affecting at least 7,000 machines by January. The botnet combines old IRC (Internet Relay Chat, a text communication protocol) tactics with modern automation to deploy malware, rootkits (software that gives attackers deep system access), and exploits, though it hasn't yet been used for financial gain. Security experts emphasize that the attack succeeds because organizations neglect basic security practices like strong authentication and patching old vulnerabilities.
Solution / Mitigation
According to Flare researcher Assaf Morag, SSHStalker can be stopped by: (1) disabling SSH password authentication and replacing it with SSH key-based authentication, or hiding password logins behind a VPN; (2) implementing SSH brute-force rate limiting (slowing down repeated login attempts); (3) monitoring who is trying to access internet-connected Linux servers; and (4) limiting remote access to servers to specific IP ranges. Security experts also recommend: killing password-based SSH access entirely and moving to key-based authentication or solutions with short-lived credentials or identity-aware proxies; aggressively inventorying IT assets; prioritizing patching of known vulnerabilities; ensuring there are no compilers on production servers; alerting on IRC-like traffic; implementing cron/systemd integrity monitoring on Linux servers; and creating a legacy Linux eradication plan.
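The monitoring and rate-limiting advice above can be illustrated with a small detector over sshd log lines. This is an added example, not code from the article or from Flare: it assumes syslog-style sshd messages as constructed in SAMPLE_LOG, flags any source IP with a burst of failed password logins inside a short window, and records whether that IP then succeeded with a password (the pattern a brute-force compromise leaves behind).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the article); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jan 12 03:14:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Jan 12 03:14:05 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51141 ssh2
Jan 12 03:14:08 web1 sshd[2208]: Failed password for root from 198.51.100.7 port 51150 ssh2
Jan 12 03:14:10 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51158 ssh2
Jan 12 03:14:12 web1 sshd[2212]: Accepted password for root from 198.51.100.7 port 51166 ssh2
Jan 12 03:20:00 web1 sshd[2300]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Jan 12 03:21:00 web1 sshd[2301]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2026):
    """Turn raw log text into (timestamp, result, method, user, ip) tuples; syslog lacks the year, so it is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=4, window_s=60):
    """Return {ip: {"failures": peak failures in one window, "success_after": password login followed}}."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the sliding window
    flagged = {}
    for ts, result, method, user, ip in events:
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif ip in flagged and method == "password":
            # a password success from an already-flagged source is the signal worth paging on
            flagged[ip]["success_after"] = True
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(parse(SAMPLE_LOG)))
```

Key-based logins are deliberately never counted as a success-after-brute-force, so the alert stays focused on the password path the article recommends removing.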
Classification
Original source: https://www.csoonline.com/article/4130967/sshstalker-botnet-brute-forces-its-way-onto-7000-linux-machines.html
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%