The Silent Infiltration: GoBruteforcer’s Assault on Crypto Projects
A new and insidious wave of cyberattacks is sweeping across the digital landscape, with the GoBruteforcer botnet at its helm. This sophisticated threat is specifically targeting the databases of cryptocurrency and blockchain projects, co-opting them into a vast network capable of brute-forcing user passwords for critical services like FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. The alarming efficiency of these campaigns is fueled by a confluence of factors: the widespread reuse of AI-generated server deployment examples that inadvertently propagate common usernames and weak default settings, and the enduring presence of legacy web stacks such as XAMPP, which often expose FTP and administrative interfaces with minimal security hardening.
GoBruteforcer: A Persistent and Evolving Threat
First documented by Palo Alto Networks Unit 42 in March 2023, GoBruteforcer (also known as GoBrut) quickly established its prowess in targeting Unix-like platforms across x86, x64, and ARM architectures. Its initial capabilities included deploying an Internet Relay Chat (IRC) bot, a web shell for remote access, and a brute-force module designed to scan for vulnerable systems and expand the botnet’s reach. Further research by Black Lotus Labs in September 2025 revealed an unsettling overlap, with a significant portion of infected bots under the control of the SystemBC malware family also found to be part of the GoBruteforcer botnet.
Check Point Research, however, identified an even more advanced iteration of the Golang malware in mid-2025. This upgraded version boasts a heavily obfuscated IRC bot, rewritten in the cross-platform Go language, alongside improved persistence mechanisms, process-masking techniques, and dynamically updated credential lists. These lists are not random; they combine common usernames and passwords (e.g., myuser:Abcd@123 or appeaser:admin123456) that are frequently found in database tutorials and vendor documentation. Crucially, these very examples have been used to train Large Language Models (LLMs), leading them to reproduce code snippets featuring these insecure default usernames.
The AI Connection: Unwittingly Aiding Attackers
The choice of credentials used by GoBruteforcer operators is far from arbitrary. Beyond generic defaults, the lists include cryptocurrency-focused usernames such as cryptouser, appcrypto, crypto_app, and crypto, as well as those targeting phpMyAdmin panels like root, wordpress, and wpuser. Check Point notes that attackers maintain a small, stable pool of passwords for each campaign, refreshing per-task lists and rotating usernames and niche additions multiple times a week to pursue diverse targets. Interestingly, FTP brute-force attacks utilize a smaller, hardcoded set of credentials embedded directly within the binary, specifically targeting web-hosting stacks and default service accounts.
Anatomy of an Attack: How GoBruteforcer Operates
In the activity observed by Check Point, an internet-exposed FTP service on servers running XAMPP serves as the initial access vector. Threat actors upload a PHP web shell, which then facilitates the download and execution of an updated IRC bot via a shell script tailored to the system architecture. Once a host is successfully compromised, it becomes a versatile asset within the botnet, capable of:
- Running the brute-force component to attempt password logins for FTP, MySQL, Postgres, and phpMyAdmin across the internet.
- Hosting and serving payloads to other compromised systems.
- Hosting IRC-style control endpoints or acting as a backup command-and-control (C2) for enhanced resilience.
Further analysis has uncovered a chilling development: one compromised host was used to stage a module that iterates through a list of TRON blockchain addresses, querying balances via the tronscanapi[.]com service to identify accounts with non-zero funds. This unequivocally demonstrates a concerted and targeted effort against blockchain projects, highlighting the financial motivations behind these attacks.
A Broader Cyber Landscape: The LLM Proxy Scan Threat
GoBruteforcer, while technically straightforward, exemplifies a pervasive problem: the dangerous combination of exposed infrastructure, weak credentials, and increasingly automated tools. Its operators thrive on the sheer volume of misconfigured services left vulnerable online. This disclosure arrives amidst a parallel warning from GreyNoise, revealing that threat actors are systematically scanning the internet for misconfigured proxy servers that could grant illicit access to commercial LLM services.
Two distinct campaigns have been identified. One, active between October 2025 and January 2026, leveraged server-side request forgery (SSRF) vulnerabilities to target Ollama’s model pull functionality and Twilio SMS webhook integrations. Attributed possibly to security researchers or bug bounty hunters due to the use of ProjectDiscovery’s OAST infrastructure, this campaign highlights the exploratory nature of some cyber activities. The second, more concerning activity, commencing December 28, 2025, is assessed as a high-volume enumeration effort. Originating from IP addresses 45.88.186[.]70 and 204.76.203[.]125
, this systematic reconnaissance targets over 73 LLM model endpoints associated with major players like Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. In just eleven days, these IPs generated 80,469 sessions, methodically hunting for misconfigured proxy servers that could leak access to commercial APIs.
Fortifying Defenses: A Call to Action
The GoBruteforcer and LLM proxy scanning campaigns serve as stark reminders of the ever-present and evolving cyber threat landscape. Organizations and individuals alike must prioritize robust security practices. This includes moving beyond default credentials, implementing strong, unique passwords, regularly patching and updating systems, and conducting thorough security audits to identify and mitigate exposed services. In an era where even AI can inadvertently contribute to vulnerabilities, vigilance and proactive defense are paramount to safeguarding digital assets.
For more details, visit our website.
Source: Link
