GoBruteforcer Botnet brute-forces Passwords for FTP, MySQL, and phpMyAdmin on Linux Servers

A sophisticated Go-based botnet dubbed GoBruteforcer is aggressively targeting Linux servers worldwide, brute-forcing weak passwords on internet-exposed services including FTP, MySQL, PostgreSQL, and phpMyAdmin.

Check Point Research recently documented a new 2025 variant of the malware that demonstrates significant technical improvements over previous versions and has successfully compromised tens of thousands of servers.

The botnet operates through a modular infection chain consisting of web shells, downloaders, IRC bots, and bruteforcer components.

According to Check Point’s analysis, more than 50,000 internet-facing servers may be vulnerable to GoBruteforcer attacks, with approximately 5.7 million FTP servers, 2.23 million MySQL servers, and 560,000 PostgreSQL servers currently exposed on their default ports.

GoBruteforcer and the Reuse of AI-generated Server Configurations

The current wave of GoBruteforcer campaigns is driven by two critical factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose services with minimal hardening.

Researchers observed that the botnet uses common operational usernames like “appuser” and “myuser” in brute-force credential lists, the same default names frequently suggested by large language models when administrators request database configuration examples.

Figure: usernames and passwords used for brute-forcing (Source: Check Point)

Check Point’s investigation revealed that GoBruteforcer credential lists overlap with approximately 2.44% of a database containing 10 million leaked passwords.

While this success rate appears low, the enormous number of exposed services makes brute-force attacks economically attractive for threat actors. Google’s 2024 Cloud Threat Horizons report found that weak or missing credentials accounted for 47.2% of initial access vectors in compromised cloud environments, supporting the viability of this attack method.

The botnet’s C2 server transmits lists of 200 credentials for brute-force tasks, with campaign profiles rotated several times per week.

Password lists are generated from a relatively small database of 375-600 commonly used weak passwords, supplemented with username-flavored variants such as “appuser1234” or “operatoroperator”.

The 2025 variant introduces several significant improvements over earlier versions, which were first documented in 2023. The IRC bot component has been completely rewritten in Go and heavily obfuscated with Garbler, replacing the previous C-based implementation.

The malware now employs process-masking techniques by calling prctl to change the process name to “init” and overwriting argv buffers to hide command-line arguments from monitoring tools.
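The prctl name change described above only alters what /proc/<pid>/comm and /proc/<pid>/cmdline report; the kernel's /proc/<pid>/exe link still points at the real binary. The following added example (written for this article, not code from Check Point or the malware) flags processes that call themselves “init” while being backed by something other than a known init executable. The list of legitimate init paths is an assumption for a typical systemd or sysvinit host.

```python
import os

# Assumption: executables a process legitimately named "init" may be backed by
# on a typical systemd / sysvinit host. Extend for your distribution.
KNOWN_INIT_EXES = {
    "/sbin/init", "/usr/sbin/init",
    "/lib/systemd/systemd", "/usr/lib/systemd/systemd",
}

def is_masked_init(comm: str, exe: str, cmdline: list[str]) -> bool:
    """True when a process presents itself as "init" (via prctl(PR_SET_NAME)
    or an overwritten argv[0]) but the kernel's view of its executable
    disagrees. `comm` is /proc/<pid>/comm, `exe` the resolved
    /proc/<pid>/exe link, `cmdline` the NUL-split /proc/<pid>/cmdline."""
    claims_init = comm.strip() == "init" or (
        bool(cmdline) and os.path.basename(cmdline[0]) == "init")
    if not claims_init:
        return False
    # A binary removed from disk after exec shows up as "/path (deleted)";
    # strip the suffix so the path is compared, then treat unknowns as masked.
    return exe.split(" (deleted)")[0] not in KNOWN_INIT_EXES

def read_proc(pid: int) -> tuple[str, str, list[str]]:
    """Collect comm, exe and argv for one pid from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:          # kernel threads have no exe link
        exe = ""
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    return comm, exe, cmdline

def scan_proc() -> list[tuple[int, str, list[str]]]:
    """Walk /proc and return (pid, exe, argv) for every masked-init candidate."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            comm, exe, cmdline = read_proc(int(entry))
        except OSError:
            continue         # process exited, or not readable without root
        if exe and is_masked_init(comm, exe, cmdline):
            hits.append((int(entry), exe, cmdline))
    return hits

if __name__ == "__main__":
    for pid, exe, argv in scan_proc():
        print(f"pid {pid} claims to be init but runs {exe}: {argv}")
```

Run it as root to see every process; unprivileged runs skip pids whose exe link is not readable.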

Researchers discovered a cryptocurrency-focused campaign where threat actors deployed additional Go-based tools on compromised hosts, including a TRON balance scanner and token-sweep utilities for TRON and Binance Smart Chain.

Figure: infection chain (Source: Check Point)

On one compromised server, investigators recovered a file containing approximately 23,000 TRON addresses and confirmed through on-chain transaction analysis that financially motivated attacks had succeeded.

The botnet maintains resilience through multiple mechanisms: hardcoded fallback C2 addresses, domain-based recovery paths, and the ability to promote infected hosts to serve as distribution nodes or IRC relays.

IRC bot modules can be updated twice daily, with bruteforcer components downloaded via architecture-specific shell scripts that verify MD5 checksums before execution.

GoBruteforcer campaigns demonstrate both broad spray attacks and sector-focused operations. Generic campaigns use common operational usernames combined with standard weak passwords, while specialized runs employ crypto-themed usernames like “cryptouser” and “appcrypto” or WordPress-specific credentials such as “wpuser”.

The malware also specifically targets XAMPP installations, a popular development stack that often ships with default FTP credentials and maps FTP root directories to web-accessible paths.

The botnet’s architecture enables infected hosts to scan approximately 20 IP addresses per second while keeping bandwidth consumption low, roughly 64 kb/s outbound and 32 kb/s inbound during FTP campaigns.

Worker pools are sized based on CPU architecture: 64-bit systems run 95 concurrent brute-force threads, while 32-bit systems run fewer workers.

The malware filters its target selection, excluding private networks, cloud provider address space, and U.S. Department of Defense IP ranges to avoid detection.

Organizations can mitigate GoBruteforcer risks by implementing strong password policies, disabling unnecessary internet-facing services, enforcing multi-factor authentication, and monitoring for suspicious login attempts.
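The monitoring recommendation above can be made concrete with a small sliding-window detector over authentication failures. This is an added example for this article, not Check Point or vendor code: it parses failed-login lines in the style of a vsftpd log and a MySQL/MariaDB error log, flags any source that produces a burst of failures, and reports how many of the usernames tried overlap the names the report attributes to GoBruteforcer credential lists. The sample lines are constructed, and the window and threshold values are arbitrary assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Usernames the article reports in GoBruteforcer credential lists.
SUSPECT_USERS = {"appuser", "myuser", "cryptouser", "appcrypto", "wpuser"}

# Assumed formats: vsftpd "FAIL LOGIN" lines and MySQL/MariaDB "Access denied" lines.
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S* .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<ip>[^']+)'")

def parse_failure(line):
    """Return (time, service, user, source_ip) for a failed login, else None."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        return ts, "ftp", m["user"], m["ip"]
    m = MYSQL_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "mysql", m["user"], m["ip"]
    return None

def find_bruteforce(lines, window_s=60, threshold=10):
    """Per source IP, keep failures inside a sliding window of window_s seconds;
    flag the IP once it reaches threshold. Returns
    {ip: (failures_in_window, sorted usernames tried, count of suspect names)}."""
    recent, users, flagged = defaultdict(deque), defaultdict(set), {}
    for ts, _svc, user, ip in sorted(filter(None, map(parse_failure, lines))):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                     # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = (len(q), sorted(users[ip]), len(users[ip] & SUSPECT_USERS))
    return flagged

# Constructed sample (not real captures): one source sprays five usernames within
# 20 seconds across FTP and MySQL; another source has a single stray failure.
SAMPLE = [
    f'Fri Mar 14 12:00:{i:02d} 2025 [pid 4{i:02d}] [{u}] FAIL LOGIN: Client "203.0.113.7"'
    for i, u in enumerate(["appuser", "myuser", "wpuser", "appcrypto", "cryptouser"] * 3)
] + [
    "2025-03-14T12:00:20.000000Z 17 [Warning] Access denied for user "
    "'myuser'@'203.0.113.7' (using password: YES)",
    'Fri Mar 14 12:05:00 2025 [pid 501] [alice] FAIL LOGIN: Client "198.51.100.9"',
]
```

Feed real log lines through `find_bruteforce` and alert on any entry whose suspect-name count is non-zero.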

