
GoBruteforcer Botnet Targets Linux Servers with Brute-Force Attacks


A dangerous botnet called GoBruteforcer is ramping up brute-force attacks on internet-exposed Linux servers, focusing on services like FTP, MySQL, PostgreSQL, and phpMyAdmin. Check Point Research (CPR) warns that over 50,000 servers remain vulnerable due to weak credentials and poor configurations, turning them into new attack nodes after compromise. This surge exploits common defaults from tutorials and legacy stacks like XAMPP, amplifying risks for organizations worldwide.

The botnet, first spotted in 2023, evolved into a more sophisticated Go-written variant by mid-2025, featuring advanced obfuscation, persistence mechanisms, and process-hiding tricks like renaming to "init". Infected servers scan random IPs and test credential lists with usernames such as "admin," "appuser," or crypto-themed ones like "cryptouser," rotating campaigns weekly for efficiency. Low success rates still pay off given millions of exposed databases and FTP ports.

Financial motives drive some operations, with attackers deploying Go tools to scan TRON balances and sweep tokens from Binance Smart Chain on compromised hosts. CPR found 23,000 TRON addresses on one server, and on-chain data confirmed small thefts, highlighting resale potential for stolen access or data. Targeted attacks hit WordPress-linked phpMyAdmin panels and blockchain databases.

CPR links this threat to AI-generated deployment guides that propagate insecure defaults, predicting worse risks as server setups become easier. Legacy web environments and credential reuse from leaked databases fuel the botnet's spread, with C2 servers distributing modular components like IRC bots and bruteforcers.

Mitigation demands strong passwords, MFA, service lockdowns, and exposure monitoring, not just takedowns. Disabling unnecessary ports and auditing configurations undermines the economics of brute forcing, while security tools can block known IOCs such as the C2 domain fi.warmachine.su and the SHA-256 hashes of the IRC bots. Proactive hygiene remains the key defence against persistent threats like GoBruteforcer.

GoBruteforcer: an Active Web Server Harvester

Go, also known as Golang, is a relatively young programming language and has become popular with malware authors. It has been used to build all kinds of malware, including ransomware, stealers, and remote access Trojans (RATs), and has proven to be a versatile platform for malicious tooling. Golang-based botnets appear particularly attractive to attackers seeking a foothold in their victims' networks. 

The GoBruteforcer botnet malware is the latest in a line of Golang-written malware that targets web servers, specifically those running phpMyAdmin, MySQL, FTP, and Postgres. 

How GoBruteforcer Works

GoBruteforcer, as reported by Palo Alto Networks, is compiled for more than one processor architecture, including x86, x64, and ARM. 

The malicious code only runs when certain conditions are met, such as being launched with specific command-line arguments, and it relies on the targeted services already being installed on the system with weak passwords. It executes only when all of these requirements are satisfied. 

  • The malware aims to gain access to vulnerable Unix-like platforms by exploiting weak passwords. 
  • To begin the attack, it scans for possible targets that have MySQL, Postgres, FTP, or phpMyAdmin running on their servers. 

Expansion of Networks 

The software's source code has been updated to include a multi-scan module that can scan and find a much greater set of potential targets than before.
  • At the time of the attack, GoBruteforcer scanned a Classless Inter-Domain Routing (CIDR) block rather than a single address. A CIDR block denotes a range of IP addresses within one network, which gives the malware far more potential targets than a single IP address would.
  • Within that range it looks for hosts with open ports belonging to the aforementioned services; when it finds one, it launches a brute-force attack to gain access to that machine. 

Aspects of the Postinfection Period

  • Once GoBruteforcer has successfully broken into a host, it deploys an IRC bot carrying the attacker's URL for further use. 
  • The bot then communicates with the C2 server and waits for the attacker to send further directives. 
  • The IRC bot's registration is stored in a cron job, which serves as its persistence mechanism. 

GoBruteforcer's multiscan feature lets its operators scan a wide range of devices across different networks at once. 
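As a defender-side illustration of the credential spraying both posts describe (usernames such as admin, appuser and cryptouser tried against MySQL, FTP and PostgreSQL from a single source), here is an added Python example that is not part of either post nor of any vendor report. It parses constructed failed-login lines in MySQL error-log, vsftpd.log and PostgreSQL formats (PostgreSQL is assumed to log with a log_line_prefix that includes the client host) and flags source IPs that spray several usernames, often across more than one service.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real captures); the formats mimic a MySQL error log,
# vsftpd.log and PostgreSQL with a log_line_prefix that includes the client host.
SAMPLE_LOG = """\
2025-06-02T10:00:01Z [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2025-06-02T10:00:02Z [Warning] Access denied for user 'appuser'@'203.0.113.7' (using password: YES)
2025-06-02T10:00:02Z [Warning] Access denied for user 'cryptouser'@'203.0.113.7' (using password: YES)
2025-06-02T10:00:03Z [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.7"
2025-06-02T10:00:03Z [pid 4121] [root] FAIL LOGIN: Client "203.0.113.7"
2025-06-02T10:00:04Z 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-06-02T10:00:09Z [Warning] Access denied for user 'alice'@'198.51.100.5' (using password: YES)
2025-06-02T10:00:40Z [Warning] Access denied for user 'alice'@'198.51.100.5' (using password: YES)
"""

# One pattern per service; mysql/ftp capture (user, ip), postgres captures (ip, user).
PATTERNS = {
    "mysql": re.compile(r"Access denied for user '([^']+)'@'([^']+)'"),
    "ftp": re.compile(r'\[([^\]]+)\] FAIL LOGIN: Client "([^"]+)"'),
    "postgres": re.compile(r'(\S+) FATAL:\s+password authentication failed for user "([^"]+)"'),
}


def parse_failures(log_text):
    """Yield (service, user, ip) for every recognised failed-login line."""
    for line in log_text.splitlines():
        for service, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            user, ip = (m.group(2), m.group(1)) if service == "postgres" else (m.group(1), m.group(2))
            yield service, user, ip
            break


def find_sprayers(log_text, min_failures=4, min_users=3):
    """Return {ip: {failures, users, services}} for sources whose failures are spread
    over several usernames, the signature of a credential list being worked through."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "services": set()})
    for service, user, ip in parse_failures(log_text):
        stats[ip]["failures"] += 1
        stats[ip]["users"].add(user)
        stats[ip]["services"].add(service)
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]), "services": sorted(s["services"])}
        for ip, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    }


if __name__ == "__main__":
    for ip, info in find_sprayers(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users={info['users']}, services={info['services']}")
```

A single legitimate user mistyping a password (198.51.100.5 above) is not flagged, because the threshold is on distinct usernames, not on failures alone.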

Changing default passwords and enforcing a strong password policy, including two-factor authentication, significantly reduces the risk of brute-force attacks.

Threat actors have always been attracted to targeting web servers due to their lucrative nature. An organization's web servers are an integral part of its operations, so allowing weak passwords to be used could lead to serious security threats. Weak (or default) passwords are more likely to be exploited by malware including GoBruteforcer. 

The GoBruteforcer bot can scan multiple targets at once, which is what lets it break into such a wide range of networks. Furthermore, GoBruteforcer appears to be under active development, so attackers are likely to keep changing their tactics as they continue to target web servers with this tool.