GoBruteforcer Botnet Targets Cryptocurrency Databases and LLM Endpoints

A new surge of GoBruteforcer attacks is actively targeting databases used by cryptocurrency and blockchain projects, converting compromised servers into a botnet capable of brute-forcing passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux systems. Check Point Research reported that the campaign is fueled by the widespread reuse of AI-generated server deployment examples, which propagate predictable usernames and weak default credentials, as well as the continued presence of legacy web stacks like XAMPP that expose administrative interfaces with minimal security hardening. This combination creates accessible entry points for attackers, allowing them to compromise systems without exploiting advanced vulnerabilities.

Originally documented by Palo Alto Networks Unit 42 in March 2023, GoBruteforcer, also known as GoBrut, can target Unix-like platforms across x86, x64, and ARM architectures, deploying an IRC bot and web shell for remote access while fetching a brute-force module to scan and expand the botnet. In September 2025, Black Lotus Labs found that some bots under the control of the SystemBC malware family were also part of the GoBruteforcer network. A more sophisticated variant identified in mid-2025 included a heavily obfuscated IRC bot rewritten in Golang, enhanced persistence mechanisms, process-masking techniques, and dynamic credential lists. The credentials often include common usernames and passwords found in tutorials or vendor documentation, many of which have been propagated by large language models producing repetitive code snippets. The attackers' credential list also includes crypto-focused names and default phpMyAdmin users, rotated regularly to maximize reach.

Compromised servers are typically accessed via exposed FTP services on XAMPP instances, allowing attackers to upload a PHP web shell and subsequently download and execute an updated IRC bot based on system architecture. Once infected, these hosts can perform multiple roles, including running brute-force attacks against remote services, hosting payloads for further infections, or acting as IRC-style control endpoints for resilience. Some compromised servers have also been observed staging modules that iterate through TRON blockchain addresses, querying balances via tronscanapi.com to identify accounts with non-zero funds, highlighting the focus on blockchain-related assets.
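The infection chain above leaves two events a defender can see in FTP logs: a burst of failed logins from one source trying a credential list, then a successful upload of a .php file by that same source. The following is an added example (not code from Check Point, Unit 42, or the botnet itself) that flags both and correlates them; the log lines are constructed in vsftpd's log format, which is an assumption, since XAMPP's bundled FTP server logs differently.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in vsftpd's log format (an assumption); not data from the campaign.
SAMPLE_LOG = """\
Mon Jan 12 10:00:01 2026 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:02 2026 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:03 2026 [pid 4103] [phpmyadmin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:04 2026 [pid 4104] [crypto] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:05 2026 [pid 4105] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:06 2026 [pid 4106] [ftpuser] OK LOGIN: Client "203.0.113.7"
Mon Jan 12 10:00:09 2026 [pid 4106] [ftpuser] OK UPLOAD: Client "203.0.113.7", "/htdocs/up.php", 2311 bytes, 10.21Kbyte/sec
Mon Jan 12 10:05:00 2026 [pid 4200] [alice] OK LOGIN: Client "198.51.100.4"
Mon Jan 12 10:05:10 2026 [pid 4200] [alice] OK UPLOAD: Client "198.51.100.4", "/htdocs/img/logo.png", 8800 bytes, 40.00Kbyte/sec
"""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<event>FAIL LOGIN|OK LOGIN|OK UPLOAD): Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

def parse(log_text):
    """Yield one dict per recognised line; lines in other formats are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"].replace("  ", " "), "%a %b %d %H:%M:%S %Y")
            yield rec

def detect(log_text, threshold=5, window_seconds=60):
    """Alert on >= threshold FAIL LOGINs from one IP inside a sliding window, and on any
    successful .php upload, noting whether that IP was just flagged (web shell drop)."""
    alerts, flagged = [], set()
    fails = defaultdict(list)   # ip -> recent FAIL LOGIN timestamps
    users = defaultdict(set)    # ip -> usernames tried
    for rec in parse(log_text):
        ip, ts = rec["ip"], rec["ts"]
        if rec["event"] == "FAIL LOGIN":
            users[ip].add(rec["user"])
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_seconds] + [ts]
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(fails[ip]), "users": sorted(users[ip])})
        elif rec["event"] == "OK UPLOAD" and rec["path"].lower().endswith((".php", ".phtml")):
            alerts.append({"type": "php_upload", "ip": ip, "user": rec["user"],
                           "path": rec["path"], "after_brute_force": ip in flagged})
    return alerts
```

Tune `threshold` and `window_seconds` to the server's normal failure rate; the PHP-upload alert is the higher-value signal on a host where FTP is only meant to carry static files.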

Further analysis from GreyNoise indicates systematic scanning of misconfigured proxy servers that could provide access to commercial LLM services. Two distinct campaigns have been observed. One leveraged server-side request forgery vulnerabilities to target Ollama model pull functionality and Twilio SMS webhook integrations between October 2025 and January 2026, likely originating from security researchers or bug bounty activities. The second campaign, beginning December 28, 2025, performed high-volume enumeration to identify exposed endpoints for LLM services operated by Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. Within eleven days, the two IPs involved conducted over 80,000 sessions, highlighting the scale and persistence of reconnaissance efforts against misconfigured LLM infrastructure.
