A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.

GoBrutforcer is also known as GoBrut. It is a Golang-based botnet that typically targets exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services.

The malware often relies on compromised Linux servers to scan random public IPs and carry out brute-force login attacks.

Preying on weak defenses

Check Point researchers estimate that there are more than 50,000 internet-facing servers that may be vulnerable to the GoBrut attacks.

They say that initial compromise is often obtained through the FTP servers on servers running XAMPP because many times the configuration has a weak default password, unless the administrator goes through the security configuration.

"When attackers obtain access to XAMPP FTP using a standard account (commonly daemon or nobody) and a weak default password, the typical next step is to upload a web shell into the webroot," Check Point

The attacker may upload the web shell through other means, such as a misconfigured MySQL server or phpMyAdmin panel. The infection chain continues with a downloader, fetching an IRC bot, and the bruteforcer module.

The malware activity starts after a 10-400-second delay, launching up to 95 brute-forcing threads on x86_64 architectures, scanning random public IP ranges, while skipping private networks, AWS cloud ranges, and U.S. government networks.

Each worker generates a single random public IPv4 address, probes the relevant service port, goes through the supplied credential list, and then exits. New workers are spawned continuously to maintain the set concurrency level.

The FTP module relies on a hardcoded list of 22 username-password pairs embedded directly in the binary. These credentials map closely to default or commonly deployed accounts in web-hosting stacks such as XAMPP.

Check Point says that in recent campaigns, GoBruteforcer activity is fueled by the reuse of common server configuration snippets generated by large language models (LLMs), which leads to a proliferation of weak, predictable default usernames, such as appuser, myuser, and operator.

These usernames frequently appear in AI-generated Docker and DevOps instructions, leading the researchers to believe that the configurations were added to real-world systems, thus making them vulnerable to password-spraying attacks.

The second trend fueling the botnet’s recent campaign is outdated server stacks like XAMPP that continue to ship with default credentials and open FTP services. These deployments expose vulnerable webroot directories, enabling attackers to drop web shells.

Check Point's report highlights a campaign where a compromised host was infected with TRON wallet-scanning tools that perform sweeps across TRON and Binance Smart Chain (BSC). The attackers used a file containing approximately 23,000 TRON addresses, targeting them with automated utilities to identify and drain wallets with non-zero balances.

Admins defending against GoBruteforcer should avoid using AI-generated deployment guides and rely on non-default usernames with strong, unique passwords.

It is also recommended to check FTP, phpMyAdmin, MySQL, and PostgreSQL for exposed services, and replace outdated software stacks like XAMPP with more secure alternatives.