GoBruteforcer Botnet Targets Cryptocurrency and Blockchain Servers

CyberSecureFox 🦊

Researchers at Check Point are tracking a new wave of activity linked to the GoBruteforcer (GoBrut) botnet, this time focusing on servers that power cryptocurrency exchanges, blockchain platforms and Web3 applications. The operators are attempting to compromise Linux servers and enroll them into a botnet designed to perform massive brute-force attacks against FTP, MySQL, PostgreSQL and phpMyAdmin administration panels.

New GoBruteforcer Campaigns Against Cryptocurrency Infrastructure

According to Check Point, the GoBruteforcer botnet is now systematically scanning infrastructure related to crypto exchanges, dApp platforms and blockchain projects. Once a server is compromised, it becomes a node in the botnet and starts automatically guessing credentials for services that are critical to data integrity and availability, including transaction databases and administrative consoles.

Attacks against phpMyAdmin and similar web-based database consoles are particularly dangerous. A successful compromise can allow attackers to export entire databases, modify or delete records, deploy web shells and use the server as a beachhead for lateral movement inside the organization’s network.

How AI-Generated Configurations and Legacy Stacks Increase the Risk

The latest GoBruteforcer campaigns are amplified by two systemic issues. First, many targets rely on boilerplate configurations generated by AI tools or copied from popular tutorials. These examples often reuse the same usernames and weak default settings, which are then deployed directly into production without hardening.

Second, a large number of organizations still run legacy web stacks such as XAMPP as “temporary” environments that remain in production for years. These servers frequently expose FTP services and administrative panels to the public internet without proper authentication, encryption or network segmentation, making them easy prey for automated botnet scanners.

Evolution of the Go-Based GoBruteforcer Malware

Palo Alto Networks Unit 42 first documented GoBruteforcer in March 2023, noting that the malware was already capable of targeting Unix-like platforms on x86, x64 and ARM architectures. Early variants deployed an IRC bot for command and control, a web shell for remote access and a brute-force module that scanned the internet for exposed services.

Later research by Black Lotus Labs (Lumen Technologies) in 2025 found that some hosts infected with the SystemBC malware were also part of the GoBruteforcer infrastructure, suggesting shared or reused criminal infrastructure across different threat groups.

By mid‑2025, Check Point observed a more advanced GoBruteforcer build featuring a heavily obfuscated IRC bot rewritten in a cross‑platform language, improved persistence, new process‑hiding techniques and dynamic credential lists that can be updated in real time as the campaign evolves.

Dynamic Password Dictionaries with a Focus on Crypto Targets

The defining feature of the latest GoBruteforcer variants is the use of updatable username and password dictionaries. These include combinations such as myuser:Abcd@123 or appeaser:admin123456, which appear frequently in tutorials, vendor documentation and code examples. As this material is also used to train large language models, AI tools often reproduce the same “demo” credentials in real-world projects.

Some accounts in the dictionaries are explicitly tailored to the crypto ecosystem — for example, cryptouser, appcrypto, crypto_app, crypto. Others target typical CMS and phpMyAdmin deployments, using usernames like root, wordpress, wpuser. Check Point notes that the botnet operators rely on a small but stable set of passwords, while varying usernames and adding niche options for specific environments.

For FTP brute force, GoBruteforcer uses a separate, hard‑coded credential list embedded in the binary. Its structure indicates a focus on common web‑hosting stacks and default service accounts that are often left unchanged after deployment.
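The practical defensive use of the dictionary details above is to check your own deployments for the same demo credentials before the botnet does. The following script is an added example, not Check Point's analysis tooling or anything from the malware itself: it scans simple `KEY=value` / `KEY: value` configuration text for the usernames and passwords the article lists (`myuser:Abcd@123`, `appeaser:admin123456`, `cryptouser`, `appcrypto`, `crypto_app`, `crypto`, `root`, `wordpress`, `wpuser`). The sample `.env` content is constructed for the example; the key-name heuristic (keys containing "user" or "pass") and the assignment syntax it parses are assumptions.

```python
"""Audit configuration text for the demo credentials named in the article.

Added example (not Check Point's or the botnet's code). The credential
pairs and usernames below are the ones the article lists; the sample
configuration file and the key-name heuristic are constructed assumptions.
"""
import re

# Exact username:password pairs the article cites from the dynamic dictionaries
KNOWN_PAIRS = {
    ("myuser", "Abcd@123"),
    ("appeaser", "admin123456"),
}

# Usernames the article lists (crypto-specific plus generic CMS/phpMyAdmin accounts)
KNOWN_USERNAMES = {
    "cryptouser", "appcrypto", "crypto_app", "crypto",
    "root", "wordpress", "wpuser", "myuser", "appeaser",
}

# Passwords the article lists; the botnet reuses a small, stable password set
KNOWN_PASSWORDS = {"Abcd@123", "admin123456"}

# Matches KEY=value or KEY: value lines (.env / YAML style); quotes optional.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["\']?([^"\'\s#]*)["\']?')


def _parse_assignments(text):
    """Return {KEY: value} for simple assignment lines, skipping comments."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def find_weak_credentials(text):
    """Return (key_or_user, value, reason) findings for dictionary hits.

    Keys containing "user" are treated as usernames, keys containing "pass"
    as passwords (assumed naming convention). Any listed username:password
    pair found in the same file is reported as a separate, stronger finding.
    """
    assigns = _parse_assignments(text)
    users = {k: v for k, v in assigns.items() if re.search(r"user", k, re.I)}
    passwords = {k: v for k, v in assigns.items() if re.search(r"pass", k, re.I)}
    findings = []
    for k, v in users.items():
        if v.lower() in KNOWN_USERNAMES:
            findings.append((k, v, "username present in GoBruteforcer dictionary"))
    for k, v in passwords.items():
        if v in KNOWN_PASSWORDS:
            findings.append((k, v, "password present in GoBruteforcer dictionary"))
    for u in users.values():
        for p in passwords.values():
            if (u.lower(), p) in KNOWN_PAIRS:
                findings.append((u, p, "exact username:password pair from the dictionary"))
    return findings


# Constructed sample, typical of a tutorial- or AI-generated .env file
SAMPLE_ENV = """# constructed sample .env
DB_HOST=127.0.0.1
DB_USER=myuser
DB_PASSWORD=Abcd@123
FTP_USER=cryptouser
FTP_PASS=s0me-Long-Random-Value
"""

if __name__ == "__main__":
    for key, value, reason in find_weak_credentials(SAMPLE_ENV):
        print(f"{key}={value!r}: {reason}")
```

Run it over every `.env`, `config.inc.php`-style or deployment template before it reaches production; an empty result does not mean the credentials are strong, only that they are not in the published dictionary.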

Attack Chain: From Exposed FTP to TRON Blockchain Reconnaissance

In observed incidents, initial access is frequently achieved through a publicly accessible FTP service on XAMPP‑based servers. After guessing valid credentials, attackers upload a PHP web shell, execute it server‑side, and use it to download and run the latest version of the IRC bot. Separate shell scripts are deployed for each CPU architecture, ensuring cross‑platform reach.

The compromised host is then integrated into the GoBruteforcer botnet and can be used both for further external brute‑force attacks and for hosting auxiliary modules. In one case, analysts found a component that iterated through TRON blockchain addresses, querying balances via tronscanapi[.]com to identify wallets with non‑zero funds. This activity indicates targeted reconnaissance against blockchain projects and cryptocurrency wallets, not merely opportunistic server abuse.

How to Protect Linux and Crypto Infrastructure from GoBruteforcer

Harden Internet-Facing Services and Retire Legacy Stacks

Organizations should disable or strictly limit FTP access by migrating to SFTP/SSH, enforcing IP allowlists and using strong authentication. Legacy XAMPP installations should be removed, isolated or replaced with supported stacks. Public access to phpMyAdmin and similar panels must be closed, with access restricted via VPN, reverse proxies, strong authentication and multi-factor authentication (MFA).

Secure Credentials and Review AI-Generated Code

Use of example usernames and passwords from tutorials or AI-generated code should be prohibited. Each service must have unique, complex credentials managed through password managers or dedicated secret-management tooling. All code and configuration obtained from AI assistants or online guides should undergo mandatory security code review, with particular attention to embedded credentials and insecure defaults.

Segment and Monitor Cryptocurrency Infrastructure

Crypto-related systems should implement strict network segmentation between public nodes, internal APIs and databases. Access to high-value wallets must be minimized and protected with hardware security modules (HSMs), multisignature schemes and dedicated key management processes. Continuous monitoring for brute-force attempts, abnormal login patterns and suspicious outbound traffic is critical, alongside a tested incident response playbook for server and credential compromise.
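To make the monitoring recommendation concrete, here is an added example (not Check Point's or any vendor's tooling) of brute-force detection run over FTP authentication log lines. It counts failed logins per client address inside a sliding time window, records which usernames were cycled (the article notes the botnet varies usernames against a small password set), and escalates an alert to "compromised" when a later successful login arrives from the same client. The log lines are constructed for the example and modelled on vsftpd's `FAIL LOGIN` / `OK LOGIN` style; the 60-second window and 8-failure threshold are assumptions to tune per environment.

```python
"""Flag FTP brute-force activity in authentication log lines.

Added example (not Check Point's or the botnet's code). Log lines are
constructed for this example in a vsftpd-like style; window size and
threshold are assumptions for the reader to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60   # assumption: sliding window for counting failures
FAIL_THRESHOLD = 8    # assumption: failures per window that trigger an alert

# Example line: Mon Jun  2 10:00:01 2025 [pid 2031] [myuser] FAIL LOGIN: Client "203.0.113.7"
_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return (timestamp, username, result, client_ip) or None if unparsable."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
    """Return {client_ip: alert} for clients with >= threshold failures
    within any window-second span. A subsequent OK LOGIN from an alerted
    client upgrades the alert to 'compromised' and records the account."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        users[ip].add(user)
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"severity": "brute-force"})
                a["failures"] = max(a.get("failures", 0), len(q))
                a["usernames"] = sorted(users[ip])
        elif result == "OK" and ip in alerts:
            alerts[ip]["severity"] = "compromised"
            alerts[ip]["success_user"] = user
    return alerts


def _fmt(t):
    """vsftpd-style timestamp with a space-padded day (portable, no %e)."""
    return f"{t:%a %b} {t.day:2d} {t:%H:%M:%S %Y}"


def constructed_log():
    """Constructed sample: one client cycles the article's dictionary
    usernames every few seconds and then logs in; another client fails once."""
    base = datetime(2025, 6, 2, 10, 0, 0)
    names = ["root", "wordpress", "wpuser", "cryptouser", "appcrypto",
             "crypto_app", "crypto", "myuser", "appeaser"]
    lines = [
        f'{_fmt(base + timedelta(seconds=3 * i))} [pid {2000 + i}] [{name}] '
        f'FAIL LOGIN: Client "203.0.113.7"'
        for i, name in enumerate(names)
    ]
    lines.append(f'{_fmt(base + timedelta(seconds=30))} [pid 2100] [myuser] '
                 f'OK LOGIN: Client "203.0.113.7"')
    lines.append(f'{_fmt(base)} [pid 2200] [alice] FAIL LOGIN: Client "198.51.100.4"')
    return lines


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(constructed_log()).items():
        print(ip, alert)
```

The "compromised" escalation is the alert worth paging on: a dictionary run that ends in a successful login is exactly the precursor to the web-shell upload described in the attack chain, so the playbook step that follows is credential rotation and a review of the FTP root for recently uploaded PHP files.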

GoBruteforcer illustrates how relatively simple Go-based malware can scale into a powerful botnet when combined with common configuration mistakes and the widespread reuse of insecure examples. Organizations, especially those operating in cryptocurrency and blockchain, should reassess their server configurations, DevOps practices and reliance on AI-generated templates to avoid becoming another node in an automated brute-force infrastructure.
