New GoBruteforcer attacks have targeted cryptocurrency and blockchain project databases worldwide since mid-2025, co-opting Linux servers into a botnet that brute-forces FTP, MySQL, PostgreSQL and phpMyAdmin credentials, a technical analysis by Check Point Research said.
KEY FACTS
- Incident: GoBruteforcer recruits Linux servers to run credential brute-force tools
- Targets: Cryptocurrency and blockchain project databases and admin interfaces
- Initial access: Exposed FTP on XAMPP and PHP web shells used to deploy malware
- Timeline: More sophisticated variant observed from mid-2025, with campaigns into January 2026
The report identified a rewritten Golang IRC bot that is heavily obfuscated and includes improved persistence, process masking and dynamic credential lists.
Observed campaigns used internet-exposed FTP services on XAMPP to upload a PHP web shell, which then downloaded and executed architecture-specific binaries and a brute-force module.
Compromised hosts can run brute-force scans for FTP, MySQL, Postgres and phpMyAdmin, host payloads for other compromised systems and act as IRC-style control endpoints or backup command and control.
Password lists mix common tutorial defaults and cryptocurrency-focused usernames, a pattern the report links to reuse in AI-generated deployment examples. The malware also contains a small hard-coded FTP credential set targeting web hosting stacks.
One compromised host was used to stage a module that iterated TRON addresses via a public API to find accounts with non-zero balances, which points to an effort to focus on blockchain projects. The report did not disclose the full scale of infections.
WHY IT MATTERS
Exposed infrastructure and reused defaults enable automated botnets to spread and to seek crypto funds. Organizations should harden deployments, remove default credentials and restrict internet-facing admin services.
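
As an added example (not code from the Check Point report or from this article), one way to watch for the initial-access step described above, an FTP upload of a PHP script into an XAMPP web root, is to scan the FTP transfer log. It assumes xferlog-format logs as written by ProFTPD and the `/opt/lampp/htdocs` web root; the function names are hypothetical and the log lines are constructed.

```python
import posixpath
from typing import NamedTuple, Optional

# Assumptions (not from the report): wu-ftpd/ProFTPD "xferlog" format and the
# default XAMPP-for-Linux web root. Adjust both for your deployment.
WEB_ROOTS = ("/opt/lampp/htdocs/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar")

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_XFERLOG = """\
Mon Jan 05 03:12:40 2026 1 198.51.100.23 48211 /opt/lampp/htdocs/img/logo.png b _ i r webuser ftp 0 * c
Mon Jan 05 03:12:44 2026 1 203.0.113.7 1824 /opt/lampp/htdocs/upd.php b _ i r webuser ftp 0 * c
Mon Jan 05 03:13:02 2026 1 203.0.113.7 1824 /opt/lampp/htdocs/index.php b _ o r webuser ftp 0 * c
Mon Jan 05 03:14:10 2026 2 203.0.113.7 902 /opt/lampp/htdocs/x/a.PHTML b _ i r webuser ftp 0 * i
Mon Jan 05 03:15:00 2026 1 192.0.2.50 77 /home/webuser/notes.php a _ i r webuser ftp 0 * c
"""

class Upload(NamedTuple):
    when: str
    remote_host: str
    path: str
    user: str
    complete: bool

def parse_upload(line: str) -> Optional[Upload]:
    """Parse one xferlog line; return None unless it is an incoming transfer."""
    f = line.split()
    if len(f) < 18:  # 5 timestamp tokens + 13 fields
        return None
    # Read trailing fields from the end so spaces in a file name cannot shift them.
    direction, user, status = f[-7], f[-5], f[-1]
    if direction != "i":  # i = upload, o = download, d = delete
        return None
    path = posixpath.normpath(" ".join(f[8:-9]))
    return Upload(" ".join(f[:5]), f[6], path, user, status == "c")

def script_uploads_to_web_root(log_text: str) -> list:
    """Return uploads that placed a server-executable script under a web root."""
    hits = []
    for line in log_text.splitlines():
        up = parse_upload(line)
        if up and up.path.startswith(WEB_ROOTS) and up.path.lower().endswith(SCRIPT_EXTS):
            hits.append(up)
    return hits

if __name__ == "__main__":
    for hit in script_uploads_to_web_root(SAMPLE_XFERLOG):
        state = "complete" if hit.complete else "incomplete"
        print(f"{hit.when} {hit.remote_host} {hit.user} {hit.path} ({state})")
```

Incomplete transfers are reported as well, since a partially written script under the web root still warrants review.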

