A new wave of GoBruteforcer attacks targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. This campaign is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose FTP and admin interfaces with minimal hardening. GoBruteforcer, also known as GoBrut, targets Unix-like platforms running x86, x64, and ARM to deploy an IRC bot and web shell for remote access, while fetching a brute-force module to scan for vulnerable systems and expand the botnet. A more sophisticated GoBruteforcer variant observed in mid-2025 includes a heavily obfuscated IRC bot, enhanced persistence, process masking, and dynamic credential lists.
The credential list comprises common username and password pairs, such as myuser:Abcd@123 and appeaser:admin123456, for accounts that can accept remote logins. Some usernames are cryptocurrency-focused, including cryptouser, appcrypto, crypto_app, and crypto; others, such as root, wordpress, and wpuser, target phpMyAdmin panels. Attackers reuse a small, stable password pool for each campaign, refresh per-task lists from that pool, and rotate usernames and niche additions several times a week to pursue different targets. The FTP brute-force relies on a small, hardcoded set of credentials embedded in the bruteforcer binary; those credentials point to web-hosting stacks and default service accounts.
In observed activity, an internet-exposed FTP service on servers running XAMPP served as the initial access vector to upload a PHP web shell, which was used to download and execute an updated version of the IRC bot. Once infected, a host can run the brute-force component to attempt password logins for FTP, MySQL, Postgres, and phpMyAdmin across the internet, serve payloads to other compromised systems, host IRC-style control endpoints, or act as a backup C2 for resilience. One compromised host was used to stage a module that iterates through a list of TRON blockchain addresses and queries balances to identify accounts with non-zero funds. GoBruteforcer exemplifies a broader problem: the combination of exposed infrastructure, weak credentials, and increasingly automated tools enables attackers to exploit a vast attack surface.
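The username rotation described above leaves a recognizable trace on the defending side. The following is an added example, not code from the original report or from any tool it describes: it scans MySQL failed-login messages and flags sources that tried several distinct usernames, at least one of them named in this article. The log lines are constructed, and the `spray_sources` name and the threshold of three usernames are assumptions.

```python
import re
from collections import defaultdict

# Usernames this article names as appearing in GoBruteforcer credential lists.
ARTICLE_USERNAMES = {
    "myuser", "appeaser", "cryptouser", "appcrypto", "crypto_app",
    "crypto", "root", "wordpress", "wpuser",
}

# MySQL's failed-login message; any timestamp or prefix before it is ignored.
DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")


def spray_sources(lines, min_users=3):
    """Return {source: sorted usernames} for sources with failed logins
    against at least `min_users` distinct usernames (assumed threshold),
    at least one of which is on the article's list."""
    tried = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if m:
            user, source = m.groups()
            tried[source].add(user.lower())  # lowercased for matching only
    return {
        src: sorted(users)
        for src, users in tried.items()
        if len(users) >= min_users and users & ARTICLE_USERNAMES
    }


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 41 [Note] Access denied for user 'cryptouser'@'203.0.113.7' (using password: YES)
2025-07-01T10:00:02Z 42 [Note] Access denied for user 'appcrypto'@'203.0.113.7' (using password: YES)
2025-07-01T10:00:03Z 43 [Note] Access denied for user 'crypto_app'@'203.0.113.7' (using password: YES)
2025-07-01T10:00:04Z 44 [Note] Access denied for user 'wpuser'@'203.0.113.7' (using password: YES)
2025-07-01T10:05:00Z 45 [Note] Access denied for user 'reporting'@'198.51.100.20' (using password: YES)
2025-07-01T10:05:09Z 46 [Note] Access denied for user 'reporting'@'198.51.100.20' (using password: YES)
2025-07-01T10:07:00Z 47 [Note] Access denied for user 'alice'@'192.0.2.50' (using password: YES)
2025-07-01T10:07:01Z 48 [Note] Access denied for user 'bob'@'192.0.2.50' (using password: YES)
2025-07-01T10:07:02Z 49 [Note] Access denied for user 'carol'@'192.0.2.50' (using password: YES)
""".splitlines()

if __name__ == "__main__":
    for src, users in spray_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} usernames tried: {', '.join(users)}")
```

A single user mistyping a password (198.51.100.20) and a source trying only unlisted names (192.0.2.50) are not flagged; dropping the list-overlap condition would turn this into a generic spray detector.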












