A new wave of GoBruteforcer attacks targets the databases of cryptocurrencies and blockchain projects, putting them into botnets that can brute force user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.
“The current wave of campaigns is being driven by two factors: the mass reuse of AI-generated server deployments that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as FTP and XAMPP that expose administrative interfaces with minimal enhancements,” Check Point Research said in an analysis published last week.
GoBruteforcer, also known as GoBrut, was first documented by Palo Alto Networks Unit 42 in March 2023. This document documents the ability to target Unix-like platforms running x86, x64, and ARM architectures to deploy Internet Relay Chat (IRC) bots and web shells for remote access, as well as fetch brute force modules to scan for vulnerable systems and extend the reach of the botnet.
Later, in September 2025, Lumen Technologies’ Black Lotus Labs team reported that some of the infected bots under the control of another malware family known as SystemBC were also found to be part of the GoBruteforcer botnet.
Check Point said it identified a more advanced version of Golang malware in mid-2025 that incorporates a highly obfuscated IRC bot rewritten in a cross-platform programming language, improved persistence mechanisms, process masking techniques, and a dynamic credential list.
The list of credentials includes common username and password combinations that can accept remote login (for example, myuser:Abcd@123 or appeaser:admin123456). These name choices are no coincidence; they are used in database tutorials and vendor documentation, all of which are used to train large-scale language models (LLMs) that generate code snippets with the same default username.
Some of the other usernames in the list are crypto-focused (e.g. cryptouser, appcrypto, crypto_app, and crypto) or target phpMyAdmin panels (e.g. root, wordpress, and wpuser).
“The attackers reuse a small, stable pool of passwords for each campaign, update a list of tasks from that pool, and rotate usernames and niche additions several times a week to pursue different targets,” Check Point said. “Unlike other services, FTP brute force uses a small set of hard-coded credentials embedded in the brute forcer binary. That built-in set points to the web hosting stack and default service account.”
In the activity observed by Check Point, an internet-exposed FTP service on a server running XAMPP is used as an initial access vector to upload a PHP web shell, which is then used to download and run an updated version of an IRC bot using a shell script based on the system architecture. Once a host is successfully infected, it can be used for three different purposes:
Runs the brute force component to attempt FTP, MySQL, Postgres, and phpMyAdmin password logins over the Internet. host and deliver payloads to other compromised systems. Or host an IRC-style control endpoint. Or act as a backup command and control (C2) for resiliency.
Further analysis of the campaign revealed that one of the compromised hosts was used to stage a module that iterated through a list of TRON blockchain addresses and used tronscanapi to query balances.[.]com service to identify accounts with non-zero funds. This shows a concerted effort targeting blockchain projects.
“GoBruteforcer is an example of a broader and persistent problem: a combination of exposed infrastructure, weak credentials, and increasingly automated tools,” Check Point said. “Although the botnet itself is technically simple, its operators benefit from the vast number of misconfigured services that remain online.”
This disclosure comes after GreyNoise revealed that attackers are systematically scanning the Internet for misconfigured proxy servers that could provide access to commercial LLM services.
One of the two campaigns targeted Ollama’s model pull functionality and Twilio SMS webhook integration between October 2025 and January 2026 using a server-side request forgery (SSRF) vulnerability. Based on ProjectDiscovery’s use of OAST infrastructure, we speculate that this activity likely originated from security researchers or bug bounty hunters.
The second set of activities, starting on December 28, 2025, is assessed as a mass enumeration effort to identify exposed or misconfigured LLM endpoints related to Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. Scan started from IP address 45.88.186[.]70 and 204.76.203[.]125.
“Starting December 28, 2025, two IPs began a systematic investigation of 73+ LLM model endpoints,” the threat intelligence firm said. “Over an 11-day period, they generated 80,469 sessions in a coordinated reconnaissance probe for misconfigured proxy servers that could potentially compromise access to commercial APIs.”
Source link
