A dangerous botnet called GoBruteforcer is ramping up brute-force attacks on internet-exposed Linux servers, focusing on services like FTP, MySQL, PostgreSQL, and phpMyAdmin. Check Point Research (CPR) warns that over 50,000 servers remain vulnerable due to weak credentials and poor configurations, turning them into new attack nodes after compromise. This surge exploits common defaults from tutorials and legacy stacks like XAMPP, amplifying risks for organizations worldwide.
The botnet, first spotted in 2023, evolved into a more sophisticated Go-written variant by mid-2025, featuring advanced obfuscation, persistence mechanisms, and process-hiding tricks like renaming to “init”. Infected servers scan random IPs and test credential lists with usernames such as “admin,” “appuser,” or crypto-themed ones like “cryptouser,” rotating campaigns weekly for efficiency. Low success rates still pay off given millions of exposed databases and FTP ports.
Financial motives drive some operations, with attackers deploying Go tools to scan TRON balances and sweep tokens from Binance Smart Chain on compromised hosts. CPR found 23,000 TRON addresses on one server, and on-chain data confirmed small thefts, highlighting resale potential for stolen access or data. Targeted attacks hit Wo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: