
GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials

Published:

12 January 2026 at 10:48:00

Alert date:

12 January 2026 at 13:00:50

Source:

thehackernews.com


Ransomware & Malware, Database & Storage, Web Technologies

A new wave of GoBruteforcer botnet attacks is targeting cryptocurrency and blockchain project databases. The botnet exploits weak credentials to compromise systems and recruit them for brute-force attacks against FTP, MySQL, PostgreSQL, and phpMyAdmin services on Linux servers. The current campaign is driven by mass reuse of AI-generated server deployment examples that contain common vulnerabilities. The attacks specifically focus on crypto projects to build a larger botnet infrastructure for credential brute-forcing operations.

Technical details

GoBruteforcer is a Golang-based malware that targets cryptocurrency and blockchain project databases through brute-force attacks on FTP, MySQL, PostgreSQL, and phpMyAdmin services on Linux servers. The malware uses internet-exposed FTP services on XAMPP servers as its initial access vector to upload PHP web shells, then downloads and executes an IRC bot matched to the host's architecture. The IRC bots are heavily obfuscated, and the campaign adds improved persistence mechanisms, process-masking techniques, and dynamic credential lists. Compromised hosts serve three roles within the botnet: running brute-force components, hosting payloads, and acting as C2 infrastructure. One compromised host was found staging a module that queries TRON blockchain addresses for account balances using tronscanapi.com.

Mitigation steps:

Organizations should:

Avoid using AI-generated server deployment examples with common usernames and weak defaults
Implement proper hardening for legacy web stacks like XAMPP
Secure FTP and admin interfaces
Use strong credentials instead of common username/password combinations
Monitor for brute-force attempts on database services
Regularly audit exposed infrastructure for misconfigurations
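As an added example for the "monitor for brute-force attempts on database services" step (not part of this advisory or of any tooling it describes), the Python below parses MySQL error-log "Access denied" lines and flags any source host that fails at least five logins within one minute, listing the usernames it tried. The log lines are constructed samples written in MySQL 8 error-log style, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login entries in MySQL 8 error-log style (sample data below is constructed).
FAIL_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+\d+\s+\[\w+\]\s+\[[^\]]+\]\s+\[Server\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_failures(lines):
    """Yield (timestamp, username, source host) for each failed-login line."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m.group("user"), m.group("host")

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: (peak failures in one window, usernames tried)} for hosts at/over threshold."""
    by_host = defaultdict(list)
    for ts, user, host in parse_failures(lines):
        by_host[host].append((ts, user))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = (peak, sorted({u for _, u in events}))
    return flagged

# Constructed sample: one host spraying common usernames, one legitimate typo, one unrelated line.
SAMPLE_LOG = [
    "2026-01-12T10:48:00.000001Z 40 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-12T10:48:03.000001Z 41 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2026-01-12T10:48:06.000001Z 42 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.5' (using password: YES)",
    "2026-01-12T10:48:09.000001Z 43 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)",
    "2026-01-12T10:48:12.000001Z 44 [Note] [MY-010926] [Server] Access denied for user 'postgres'@'203.0.113.5' (using password: YES)",
    "2026-01-12T10:49:30.000001Z 45 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)",
    "2026-01-12T10:49:31.000001Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.",
]

if __name__ == "__main__":
    for host, (peak, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {peak} failures within 60s, usernames tried: {users}")
```

Credential spraying across many usernames from one source, as in the sample, is the pattern to alert on; a single failure from a host that then succeeds is normal user error.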

Affected products:

FTP services
MySQL
PostgreSQL
phpMyAdmin
XAMPP
Linux servers
Unix-like platforms
TRON blockchain services

IOCs:

tronscanapi.com, 45.88.186.70, 204.76.203.125

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
