


Perceptive Security
SOC/SIEM Consultancy

New GoBruteforcer attack wave targets crypto, blockchain projects
Published: 7 January 2026 at 23:18:14
Alert date: 8 January 2026 at 00:01:52
Source: bleepingcomputer.com
Ransomware & Malware, Database & Storage, Web Technologies, Network Infrastructure
A new wave of GoBruteforcer botnet malware attacks is actively targeting databases of cryptocurrency and blockchain projects on exposed servers. The attacks appear to be targeting servers that were configured using AI-generated examples, suggesting a systematic campaign against crypto infrastructure. This represents an active threat to the cryptocurrency and blockchain ecosystem with potential for significant financial impact.
Technical details
GoBruteforcer (GoBrut) is a Golang-based botnet targeting exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services. It uses compromised Linux servers to scan random public IPs and perform brute-force login attacks. The malware launches up to 95 brute-forcing threads on x86_64 architectures after a 10-400 second delay, skipping private networks, AWS cloud ranges, and U.S. government networks. Initial compromise often occurs through XAMPP FTP servers with weak default passwords. The infection chain involves uploading web shells, downloading IRC bots, and bruteforcer modules. The FTP module uses 22 hardcoded username-password pairs targeting default accounts in web-hosting stacks. Recent campaigns leverage AI-generated configuration snippets with predictable usernames like 'appuser', 'myuser', and 'operator'. One campaign included TRON wallet-scanning tools targeting approximately 23,000 TRON addresses to identify and drain wallets with non-zero balances.
Mitigation steps:
Avoid using AI-generated deployment guides; use non-default usernames with strong, unique passwords. Check whether FTP, phpMyAdmin, MySQL, and PostgreSQL services are exposed. Replace outdated software stacks like XAMPP with more secure alternatives. Implement proper security configuration for XAMPP installations. Monitor for suspicious brute-force login attempts across database services.
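One way to act on the monitoring step, as an added example that is not part of the original alert: a Python pass over failed-login lines from MySQL, PostgreSQL and vsftpd that groups failures by source address and marks hits on the usernames the alert lists. The log formats (PostgreSQL with the client host in log_line_prefix), the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Usernames the alert lists as hardcoded or predictable brute-force targets.
WATCHED_USERS = {"daemon", "nobody", "appuser", "myuser", "operator"}

# Failed-login patterns. Assumed formats: MySQL error log, PostgreSQL with
# log_line_prefix ending in the client host (%h), and the vsftpd log.
PATTERNS = {
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"),
    "postgresql": re.compile(r'(?P<ip>\d+\.\d+\.\d+\.\d+) FATAL:\s+password '
                             r'authentication failed for user "(?P<user>[^"]*)"'),
    "ftp": re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'),
}

def find_bruteforce(lines, threshold=3):
    """Return {source_ip: summary} for sources with >= threshold failed logins."""
    seen = defaultdict(lambda: {"failures": 0, "services": set(), "users": set()})
    for line in lines:
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                entry = seen[m["ip"]]
                entry["failures"] += 1
                entry["services"].add(service)
                entry["users"].add(m["user"])
                break
    return {
        ip: {"failures": e["failures"],
             "services": sorted(e["services"]),
             "watched_users": sorted(e["users"] & WATCHED_USERS)}
        for ip, e in seen.items() if e["failures"] >= threshold
    }

# Constructed sample log lines using documentation-range IPs, not real traffic.
SAMPLE = [
    "2026-01-07T22:10:01.120Z 12 [Note] [MY-010926] [Server] Access denied for user 'myuser'@'203.0.113.7' (using password: YES)",
    "2026-01-07T22:10:02.480Z 13 [Note] [MY-010926] [Server] Access denied for user 'operator'@'203.0.113.7' (using password: YES)",
    '2026-01-07 22:10:03.101 UTC [4321] 203.0.113.7 FATAL:  password authentication failed for user "appuser"',
    'Wed Jan  7 22:10:05 2026 [pid 2] [daemon] FAIL LOGIN: Client "203.0.113.7"',
    "2026-01-07T22:15:44.002Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.9' (using password: YES)",
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info)
```

A source that fails against several services in a short window, using names from the watched list, deserves a closer look than a single mistyped password.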
Affected products:
XAMPP
FTP servers
MySQL
PostgreSQL
phpMyAdmin
TRON wallets
Binance Smart Chain (BSC)
Docker
DevOps platforms
IOCs:
Hardcoded username-password pairs: daemon, nobody, appuser, myuser, operator
File containing approximately 23,000 TRON addresses
Web shells uploaded to webroot directories
IRC bot components
Bruteforcer modules with 10-400 second delays
Up to 95 concurrent brute-forcing threads
This article was created with the assistance of AI technology by Perceptive.
