GoBruteforcer
GoBruteforcer, also known as GoBrut, is a Golang-based modular botnet malware family targeting primarily Linux and other Unix-like servers. It brute-forces credentials against Internet-exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services, and has been described as targeting web servers and databases, including infrastructure associated with cryptocurrency and blockchain projects. Palo Alto Networks Unit 42 first documented the malware in 2023, and Check Point Research reported a more sophisticated 2025 variant with significant upgrades.
The malware operates as a botnet composed of at least an IRC bot for command-and-control and a bruteforcer/scanner module. Observed infection chains include initial access through weak or default credentials, especially on exposed XAMPP FTP services, followed by upload of a PHP web shell into the webroot, deployment of a downloader, and retrieval of architecture-specific payloads. Unit 42 reported binaries for x86, x64, and ARM Unix-like platforms. The IRC bot provides remote control and persistence, including cron-based execution, while the bruteforcer scans public IP space and attempts logins against targeted services. Successful compromises can be reported back to C2, and compromised hosts can be reused as scanner bots, payload hosts, or backup C2/IRC relay nodes.
Capabilities directly described in the reporting include CIDR and random public IP scanning, service-specific probing of ports such as 21, 80, 3306, and 5432, brute-force authentication using hardcoded or C2-delivered credential lists, cron persistence, process masking via prctl PR_SET_NAME, and command-line masking to resemble benign processes such as init. The 2025 variant reportedly rewrote the IRC bot from C to heavily obfuscated Go, added improved persistence, dynamic credential delivery, and resilient fallback behavior. The malware also avoids or deprioritizes certain targets during scanning, including private networks, AWS ranges, and multiple U.S. Department of Defense-associated /8 ranges.
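The process masking described above changes what a process calls itself but not what the kernel recorded at exec time. The following check, an added example rather than code from the cited reporting, compares /proc/<pid>/comm (rewritten by prctl PR_SET_NAME) and argv0 (rewritten by command-line masking) against the /proc/<pid>/exe link, and also flags binaries that run from a webroot or temp directory or have been deleted from disk. The name-to-binary mapping and the suspect directory list are assumptions chosen for illustration.

```python
import os
from pathlib import Path
from dataclasses import dataclass

# Names a masked bot may borrow -> exe basenames allowed to carry them (assumed list;
# pid 1 on systemd hosts has argv0 /sbin/init but exe .../systemd, hence both).
CLAIMED_NAMES = {"init": ("init", "systemd"), "systemd": ("systemd",),
                 "sshd": ("sshd",), "cron": ("cron", "crond"), "crond": ("crond", "cron")}
# Paths a real daemon does not run from (assumed; /var/www and htdocs cover the webroot drop).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/", "/opt/lampp/htdocs/")

@dataclass
class ProcView:
    pid: int
    comm: str    # /proc/<pid>/comm: the field prctl(PR_SET_NAME) rewrites
    argv0: str   # first entry of /proc/<pid>/cmdline: rewritable by the process
    exe: str     # readlink(/proc/<pid>/exe): fixed by the kernel at exec time

def masking_reasons(p: ProcView) -> list:
    """Return why a process looks masked; an empty list means comm/argv0/exe agree."""
    reasons = []
    if not p.exe:  # kernel threads or unreadable exe links: nothing to compare against
        return reasons
    if p.exe.endswith(" (deleted)"):
        reasons.append("backing binary was deleted from disk")
    if p.exe.startswith(SUSPECT_DIRS):
        reasons.append(f"binary runs from {os.path.dirname(p.exe)}")
    exe_name = os.path.basename(p.exe.replace(" (deleted)", ""))
    for claimed in {p.comm, os.path.basename(p.argv0)} & set(CLAIMED_NAMES):
        if not exe_name.startswith(CLAIMED_NAMES[claimed]):
            reasons.append(f"presents as {claimed!r} but exe is {p.exe!r}")
    return reasons

def scan_proc() -> dict:
    """Walk /proc and return {pid: reasons} for every process that looks masked."""
    hits = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        proc = Path("/proc", entry)
        try:
            comm = (proc / "comm").read_text().strip()
            argv0 = (proc / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited, or is not inspectable from this context
        try:
            exe = os.readlink(proc / "exe")
        except OSError:
            exe = ""  # kernel thread, or permission denied when not running as root
        if reasons := masking_reasons(ProcView(int(entry), comm, argv0, exe)):
            hits[int(entry)] = reasons
    return hits
```

Run scan_proc() as root for full coverage; without it, exe links of other users' processes are unreadable and those processes are skipped rather than flagged.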
Campaign reporting indicates financially motivated activity rather than direct attribution to a known APT group. Multiple sources state the botnet has targeted crypto and blockchain environments; on compromised hosts, researchers found TRON balance-scanning and TRON/BSC token-sweeping utilities, along with a file containing about 23,000 TRON addresses. Some reporting also notes infrastructure overlap with the SystemBC ecosystem, but no direct attribution to a named threat actor is established in the content.
The malware relies primarily on weak/default credentials rather than exploitation of a specific software vulnerability. Reporting repeatedly highlights exposed XAMPP deployments, phpMyAdmin panels, MySQL, PostgreSQL, and FTP services as common entry points. Check Point estimated that more than 50,000 Internet-facing servers may be vulnerable or affected in recent waves.
High-confidence indicators and artifacts mentioned in the content include the PHP web shell SHA256 de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b; an unpacked GoBruteforcer sample SHA256 ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84; an older sample SHA256 acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834; observed IRC/C2 endpoints 190.14.37[.]10:8080, 93.113.25[.]114:8080, and xyz.yuzgebhmwu[.]ru:8080; a bruteforcer polling URL example http://190.14.37[.]10/new.php; reporting of successful-hit callbacks to /pst endpoints; and additional IPs 45.88.186[.]70 and 204.76.203[.]125 associated in reporting with large-scale scanning and C2-related activity.
Recent activity
A botnet used for large-scale brute-force credential attacks against exposed services and admin panels; AI is discussed as indirectly improving the surrounding attack ecosystem.
Golang-based botnet malware that brute-forces weak/default credentials on exposed Linux services (FTP, MySQL, PostgreSQL, phpMyAdmin), drops a PHP web shell to fetch an architecture-specific IRC bot payload, establishes persistence, and uses infected hosts for further propagation, payload hosting, and IRC-based C2 redundancy. Includes functionality to iterate TRON blockchain addresses and query balances via tronscanapi[.]com to identify monetizable targets.
Golang-based malware used to build a botnet by brute-forcing exposed services (FTP/MySQL/PostgreSQL/phpMyAdmin), deploying an IRC bot and web shell for remote access, and expanding via scanning and credential attacks; observed targeting crypto/blockchain infrastructure and staging modules to query TRON balances.
Modular Go-based botnet that brute-forces weak credentials on Internet-facing Linux services (e.g., FTP, MySQL, PostgreSQL, phpMyAdmin). Compromised servers become bot nodes used to scan and brute-force additional targets; operators are described as financially motivated with emphasis on data theft, selling initial access, and more recently cryptocurrency theft. Newer variants add heavier obfuscation, improved persistence, process masking, and dynamic credential lists delivered via C2 or hardcoded.