- GoBruteforcer operators are targeting crypto and blockchain project servers to add them to a botnet that brute-forces FTP, MySQL, PostgreSQL, and phpMyAdmin logins.
- Campaigns exploit weak defaults and reused AI-generated deployment examples, plus exposed stacks like XAMPP, to gain initial access.
- Compromised hosts run brute-force scans, serve payloads, and act as IRC-style control points; some probes search Tron addresses for non-zero balances.
- Separate scanning activity has systematically probed misconfigured LLM endpoints, according to GreyNoise.
What: A new wave of attacks by GoBruteforcer targets database services on Linux servers to add them to a brute-force botnet.
Who: The activity was detailed by Check Point Research.
When/Where: Observations span mid-2025 through early 2026 on internet-exposed hosts.
Why: Operators exploit weak credentials and common defaults to harvest access and search for cryptocurrency funds.
Researchers trace the tool back to an initial report in 2023 and note the Malware evolved into a more obfuscated, cross-platform Golang IRC bot with improved persistence. The campaign uses a rotating list of usernames and reused weak passwords that often appear in tutorials and vendor examples, a feedstock amplified by AI-generated deployment snippets, according to Check Point Research.
Attackers frequently use exposed FTP on XAMPP servers as an entry point to upload a PHP web shell. The shell fetches an updated IRC bot tailored to the host architecture. Infected systems then (1) run brute-force modules against FTP, MySQL, Postgres, and phpMyAdmin, (2) host payloads for further compromise, and (3) operate as backup command-and-control nodes.
One staged module iterates TRON addresses via tronscanapi[.]com to find accounts with funds, indicating a focus on blockchain projects. GreyNoise separately reported methodical scans seeking misconfigured proxy servers that could expose commercial LLM APIs, including probes of providers such as OpenAI, Anthropic, and others.
“GoBruteforcer exemplifies a broader and persistent problem: The combination of exposed infrastructure, weak credentials, and increasingly automated tools,” researchers noted.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Apple Eyes 2026 ATH as Analysts Set Targets to $350 in 2026.
- Monero Rallies to $595; Market Cap Tops $10.8B Amid Delists.
- Crypto ETPs See $454M Outflows; Bitcoin Loses $404M amid Fed
- Anthropic launches Claude for Healthcare with record access.
- Chamath: Musk Could Fold SpaceX Into Tesla, Not IPO by 2026.
