
"GoBruteforcer, also called GoBrut, was first documented by Palo Alto Networks Unit 42 in March 2023, documenting its ability to target Unix-like platforms running x86, x64, and ARM architectures to deploy an Internet Relay Chat (IRC) bot and a web shell for remote access, along with fetching a brute-force module to scan for vulnerable systems and expand the botnet's reach."
""The current wave of campaigns is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose FTP and admin interfaces with minimal hardening," Check Point Research said in an analysis published last week."
"Check Point said it identified a more sophisticated version of the Golang malware in mid-2025, packing in a heavily obfuscated IRC bot that's rewritten in the cross-platform programming language, improved persistence mechanisms, process-masking techniques, and dynamic credential lists. The list of credentials includes a combination of common usernames and passwords (e.g., myuser:Abcd@123 or appeaser:admin123456) that can accept remote logins."
A new wave of GoBruteforcer attacks targets cryptocurrency and blockchain project databases to co-opt Linux servers into a brute-force botnet. Campaign drivers include widespread reuse of AI-generated deployment examples embedding common usernames and weak defaults, and legacy web stacks like XAMPP exposing FTP and admin interfaces with minimal hardening. GoBruteforcer targets Unix-like x86, x64, and ARM platforms to deploy an IRC bot, web shell, and brute-force scanning module. A more sophisticated mid-2025 variant added heavy obfuscation, improved persistence, process masking, and dynamic credential lists that include default and tutorial usernames of the kind often found in AI-generated code examples.
Read at The Hacker News
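The weak defaults described above can be caught before a deployment file ever reaches a server. The following is an added example, not code from Check Point or The Hacker News: a small audit of compose/.env text that flags the credential pairs quoted on this page and other weak passwords. The key-name patterns, the extra weak-password set, the 12-character threshold and the sample file are assumptions constructed for illustration.

```python
import re

# Pairs quoted on this page; extend with your own deny-list.
KNOWN_PAIRS = {("myuser", "Abcd@123"), ("appeaser", "admin123456")}
# Assumption: a small constructed set of common defaults, not from the page.
WEAK_PASSWORDS = {"password", "admin", "root", "123456", "changeme", "secret"}
# KEY=value (.env), "- KEY=value" and "KEY: value" (compose environment blocks).
ASSIGN = re.compile(r"^\s*-?\s*([A-Za-z0-9_]+)\s*[:=]\s*[\"']?([^\"'#\s]*)[\"']?")
USER_KEY = re.compile(r"(?:^|_)(?:USER|USERNAME|LOGIN)$", re.I)
PASS_KEY = re.compile(r"(?:^|_)(?:PASSWORD|PASSWD|PASS|PWD)$", re.I)

def audit(text):
    """Return (line_no, key, reason) for each weak credential assignment."""
    users, passwords = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.groups()
        if USER_KEY.search(key):    # MYSQL_USER -> service prefix "MYSQL"
            users[USER_KEY.sub("", key).upper()] = value
        elif PASS_KEY.search(key):
            passwords.append((no, key, PASS_KEY.sub("", key).upper(), value))
    findings = []
    for no, key, prefix, pw in passwords:
        user = users.get(prefix, "")    # username for the same service, if any
        if pw.startswith("${"):         # injected at deploy time, nothing to check
            continue
        if (user, pw) in KNOWN_PAIRS:
            findings.append((no, key, "pair from published credential list"))
        elif pw.lower() in WEAK_PASSWORDS:
            findings.append((no, key, "common default password"))
        elif user and user.lower() in pw.lower():
            findings.append((no, key, "password contains username"))
        elif len(pw) < 12:              # assumption: local minimum length
            findings.append((no, key, "shorter than 12 characters"))
    return findings

# Constructed sample compose fragment (not from the page).
SAMPLE = """\
environment:
  - MYSQL_USER=myuser
  - MYSQL_PASSWORD=Abcd@123
  - MYSQL_ROOT_PASSWORD=changeme
  - FTP_USER=deploy
  - FTP_PASS=deploy2024
  - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
"""
```

Calling `audit(SAMPLE)` reports lines 3, 4 and 6 and skips the password injected from the environment on line 7.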