A new wave of GoBruteforcer attacks is targeting the databases of cryptocurrency and blockchain projects, with the aim of recruiting them into a botnet that brute forces FTP, MySQL, PostgreSQL, and phpMyAdmin credentials on Linux machines.
"This round of campaigns is powered by two components: a massive use of AI generated Server Deployment Samples for repeating common username and weak password use, and a constant presence of old web development platforms such as XAMPP that leave their FTP and admin interfaces insecurely configured," a Check Point Research blog published last week explains.
GoBruteforcer, also known as GoBrut, first emerged in March 2023, according to findings by Palo Alto Networks' Unit 42. It is capable of attacking Unix-like operating systems on x86, x64, and ARM processor architectures, and can deploy an Internet Relay Chat (IRC) bot and a web shell for remote connections, then download the brute force component to scan for vulnerable targets and extend the reach of the botnet.
Further reporting in September 2025 by Lumen Technologies' Black Lotus Labs showed that some of the bots compromised by a different malware family, SystemBC, were also infected with GoBruteforcer.
Check Point, however, said it discovered a more sophisticated variant of the Go-based malware in mid-2025, one that includes a heavily rewritten and obfuscated IRC bot, more sophisticated process masking, and credential list functionality, among other features integrated into the malware.
The credential list combines frequently used usernames and passwords such as 'myuser:Abcd@123' or 'appeaser:admin123456' that are accepted for remote login. Such names appear in database tutorials and vendor manuals, all of which have been used to train large language models that in turn generate code using default usernames.
Others use cryptocurrency-oriented names (cryptouser, appcrypto, crypto_app, crypto) and usernames clearly aimed at phpMyAdmin panels, for example root, wordpress, and wpuser.
"The attackers reuse a small, stable password pool for each campaign, refresh per task lists from that pool, and rotate usernames and niche additions several times a week to pursue different targets," Check Point said. "Unlike the other services, FTP brute force uses a small, hard coded set of credentials embedded in the bruteforcer binary. That embedded set points to Web hosting stacks and default service accounts."
In the activity observed by Check Point, an internet exposed FTP service on servers running XAMPP serves as an initial access vector to upload a PHP web shell, which then downloads and executes an updated version of the IRC bot using a shell script based on the system architecture. Once a host becomes infected, it could serve three different uses:
Run the brute forcing module, attempting password logins to every FTP, MySQL, Postgres, and phpMyAdmin service reachable on the internet.
Act as a repository that serves payloads to other compromised systems.
Serve IRC style control endpoints, or act as a resilient L2 channel serving as a backup C2.
Further investigation of the campaign revealed that one of the compromised hosts was used to run a module that iterates over a list of TRON blockchain addresses and queries their balances via the tronscanapi[.]com service, looking for accounts holding funds above zero. That indicates an effort targeting blockchain projects.
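The credential pool and the FTP/MySQL brute forcing described above leave a recognisable trace in service logs: one source failing logins with many distinct usernames in a short window. The following is an added detection example, not code from Check Point, Unit 42 or the malware itself; the MySQL error log and vsftpd line formats are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Usernames the report names in the botnet's credential pool.
POOL_USERS = {"myuser", "appeaser", "cryptouser", "appcrypto", "crypto_app",
              "crypto", "root", "wordpress", "wpuser"}
# Assumed line formats: MySQL error log (log_error_verbosity=3) and vsftpd.log.
MYSQL_RE = re.compile(r"^(?P<ts>\S+)Z .*Access denied for user "
                      r"'(?P<user>[^']*)'@'(?P<ip>[^']+)'")
VSFTPD_RE = re.compile(r'^(?P<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) .*'
                       r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')

def parse(line):
    """Return (timestamp, source ip, username, service), or None for other lines."""
    m = MYSQL_RE.match(line)
    if m:
        return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], "mysql"
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return ts, m["ip"], m["user"], "ftp"
    return None

def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Map (ip, service) -> {"users": [...], "in_pool": [...]} for sources that
    fail logins with at least `threshold` distinct usernames inside one window."""
    events = defaultdict(list)
    for ts, ip, user, svc in filter(None, map(parse, lines)):
        events[(ip, svc)].append((ts, user))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # window anchored at each failure
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[key] = {"users": sorted(users),
                               "in_pool": sorted(users & POOL_USERS)}
                break
    return alerts
# Constructed sample: one source sprays six pool usernames at MySQL inside five
# minutes, a benign user fails once, and the same source fails twice at FTP.
SAMPLE_LOG = [
    f"2025-06-15T10:0{i}:00.000000Z 1{i} [Note] Access denied for user "
    f"'{u}'@'203.0.113.5' (using password: YES)"
    for i, u in enumerate(["root", "wordpress", "wpuser", "cryptouser", "myuser", "appcrypto"])
] + [
    "2025-06-15T10:02:30.000000Z 20 [Note] Access denied for user 'alice'@'198.51.100.7' (using password: YES)",
    'Sun Jun 15 10:01:00 2025 [pid 300] [ftpuser] FAIL LOGIN: Client "203.0.113.5"',
    'Sun Jun 15 10:01:05 2025 [pid 301] [www] FAIL LOGIN: Client "203.0.113.5"',
]
```

Running `detect(SAMPLE_LOG)` flags only the MySQL source; the `in_pool` field shows which of the tried usernames match the pool the report describes, which helps distinguish this botnet's activity from a generic spray.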
"GoBruteforcer exemplifies a broader and persistent problem: The combination of exposed infrastructure, weak credentials, and increasingly automated tools," Check Point said. "While the botnet itself is technically straightforward, its operators benefit from the vast number of misconfigured services that remain online."
The disclosure comes as GreyNoise reported that threat actors are relentlessly scanning the internet for poorly configured proxy servers in order to gain illicit access to commercial LLM services.
One of those campaigns exploited SSRF bugs targeting Ollama's model pull functionality and Twilio SMS webhook integrations from October 2025 through January 2026. Given that ProjectDiscovery's OAST infrastructure was in play, the activity likely originates from security researchers or bug bounty hunters.
The second wave of activity, which began on December 28, 2025, is believed to be a high volume enumeration effort targeting exposed or improperly configured LLM endpoints attributed to Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. Scans were coming from 45.88.186[.]70 and 204.76.203[.]125.
"Starting on December 28, 2025, two IPs launched a systematic probe of 73+ LLM model endpoints," said the threat intelligence firm. "In eleven days they generated 80,469 sessions systematic reconnaissance