
GoBruteforcer Botnet Targets Crypto Databases via Weak Defaults

Eng. Donya Bino Published  ·  5 min read

Cybersecurity researchers have discovered a new wave of GoBruteforcer (GoBrut) attacks targeting the databases of cryptocurrency and blockchain projects. The malware compromises vulnerable Linux servers and enrols them in a distributed botnet that brute-forces credentials on FTP, MySQL, PostgreSQL and phpMyAdmin services.

According to research by Check Point, these recent attacks are the result of two converging trends:
1. Mass reuse of AI-generated server deployment examples, which has spread the same usernames and weak default credentials across many websites. (Find out more about these examples and their impact on your website in our research resources.)
2. Ongoing exposure of legacy web stacks, particularly XAMPP installations, which leave FTP and administrative interfaces open on the internet with little or no hardening.

From Simple Brute-Force to Persistent Botnet
GoBruteforcer was first discovered in March 2023 by Palo Alto Networks Unit 42 as malware written in Go (Golang) that targets Unix-like systems on x86, x64 and ARM architectures. The initial versions of the malware deployed:
1. A command-and-control (C&C) bot based on IRC;
2. A web shell for remote access to the system;
3. A brute-force module for identifying other vulnerable hosts.

In September 2025, Lumen's Black Lotus Labs found that several systems infected with the SystemBC malware were also participating in the GoBruteforcer botnet, and showed that the two campaigns shared similar infrastructure.

A More Sophisticated Golang Malware
Check Point has reported on a much-improved version of GoBruteforcer discovered in mid-2025. This version adds:
1. An IRC bot written in heavily obfuscated Go code.
2. A more sophisticated persistence mechanism than earlier GoBruteforcer versions.
3. Process masking while infecting systems.
4. Daily updates to the credential list used by the malware.

The credential list contains combinations such as myuser:Abcd@123 and appeaser:admin123456, usernames that software vendors often use in documentation, database tutorials and sample configuration files.

The researchers suggest that these example credentials keep appearing in AI-generated deployment guides because the models are trained on data that includes credential lists and application-security documentation. As a result, weak default credentials are likely being put into attackers' hands through deployment guides created with AI.

Crypto-Focused Targeting
Alongside a number of generic usernames, the malware has also been found to contain usernames specific to cryptocurrency systems, such as:
1. cryptouser
2. crypto_app
3. appcrypto
4. crypto

For phpMyAdmin panels, common account names such as root, wordpress and wpuser are the most heavily targeted.

Unlike the other services, FTP brute-forcing relies only on a small set of hard-coded credentials embedded directly in the malware, which strongly indicates that the intended targets are web-hosting stacks and their default service accounts.
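As an added example (not code from Check Point, The Hacker News or the malware), the following Python script flags source IPs in MySQL and PostgreSQL logs that fail repeatedly and try the usernames listed above. The log lines and IP addresses are constructed, and PostgreSQL lines are assumed to carry the client host via a log_line_prefix containing %h.

```python
# Added example: flag GoBruteforcer-style credential spraying in database auth
# logs. Constructed MySQL/PostgreSQL lines; PostgreSQL prefix assumed to include %h.
import re
from collections import defaultdict

# Usernames the campaign's credential list is reported to use.
WATCHED_USERS = {"cryptouser", "crypto_app", "appcrypto", "crypto",
                 "myuser", "root", "wordpress", "wpuser"}

MYSQL_RE = re.compile(r"Access denied for user '([^']+)'@'(\d+\.\d+\.\d+\.\d+)'")
PG_RE = re.compile(r"\] (\d+\.\d+\.\d+\.\d+) FATAL:\s+"
                   r"password authentication failed for user \"([^\"]+)\"")

# Constructed sample log (documentation IP ranges), not a real capture.
SAMPLE_LOG = """\
2026-01-12T03:14:07Z 12 [Warning] Access denied for user 'cryptouser'@'203.0.113.5' (using password: YES)
2026-01-12T03:14:08Z 12 [Warning] Access denied for user 'crypto_app'@'203.0.113.5' (using password: YES)
2026-01-12T03:14:08Z 12 [Warning] Access denied for user 'appcrypto'@'203.0.113.5' (using password: YES)
2026-01-12T03:14:09Z 12 [Warning] Access denied for user 'crypto'@'203.0.113.5' (using password: YES)
2026-01-12T03:14:10Z 12 [Warning] Access denied for user 'myuser'@'203.0.113.5' (using password: YES)
2026-01-12T03:20:00Z 12 [Warning] Access denied for user 'alice'@'198.51.100.9' (using password: YES)
2026-01-12 03:14:11 UTC [4412] 203.0.113.5 FATAL:  password authentication failed for user "wordpress"
2026-01-12 03:14:12 UTC [4413] 203.0.113.5 FATAL:  password authentication failed for user "wpuser"
"""


def parse_failures(log_text):
    """Yield (source_ip, username) for every recognised failed-login line."""
    for line in log_text.splitlines():
        m = MYSQL_RE.search(line)
        if m:
            yield m.group(2), m.group(1)
            continue
        m = PG_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def find_sprayers(log_text, threshold=5):
    """Return {ip: {"attempts": n, "watched": [users]}} for IPs with at least
    `threshold` failures that also tried a WATCHED_USERS name (both required,
    so one mistyped password never alerts)."""
    attempts = defaultdict(int)
    watched = defaultdict(set)
    for ip, user in parse_failures(log_text):
        attempts[ip] += 1
        if user.lower() in WATCHED_USERS:
            watched[ip].add(user)
    return {ip: {"attempts": n, "watched": sorted(watched[ip])}
            for ip, n in attempts.items() if n >= threshold and watched[ip]}
```

Feed the output into a block list or SIEM rule; the single failure from 198.51.100.9 is ignored because it neither reaches the threshold nor uses a watched username.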

XAMPP as the attack entry point
Through our research, we found publicly accessible FTP services on XAMPP-hosted servers through which attackers can upload a PHP-based web shell; the shell then downloads and executes the current version of the IRC bot built for that server's architecture.

Once compromised, the servers are used to:
1. Conduct brute-force attempts against FTP, MySQL, PostgreSQL and phpMyAdmin;
2. Host and distribute malware to future victims;
3. Serve as IRC command-and-control (C2) nodes or backup C2 servers, improving the botnet's resilience.

Compromised hosts used for cryptocurrency reconnaissance
We further observed that one of the compromised hosts was used as a relay for a module that scanned TRON blockchain addresses, using data from tronscanapi.com, to find addresses holding funds.

Querying tronscanapi.com for blockchain addresses suggests that the attack's authors were more interested in exploiting the cryptocurrency landscape than in merely scanning for vulnerable hosts.

According to Check Point, "GoBruteforcer demonstrates a growing and continuing problem with exposed systems and weak authentication combined with an expanding number of automated tools."

A parallel threat: scanning for LLM infrastructure
A recent disclosure from GreyNoise indicates that threat actors are scanning the internet for misconfigured proxy servers connected to LLM (Large Language Model) APIs.

Between October 2025 and January 2026, an attacker campaign exploited a Server-Side Request Forgery (SSRF) vulnerability in Ollama and Twilio integrations.

This was followed by a second, significantly larger data-collection effort on December 28, 2025, which accessed over 73 LLM endpoints belonging to major LLM providers including OpenAI, Google, Meta, Anthropic, Mistral and xAI.

Over an 11-day period, the attackers created more than 80,000 unique sessions, demonstrating the impact that misconfiguration has on an organisation's ability to secure its own LLM infrastructure.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067