GoBruteforcer, also known as GoBrut, has become one of the largest dangers to the databases of crypto and blockchain projects. Palo Alto Networks Unit 42 was the first to report on this botnet, back in March 2023. It uses trivial or weak credentials to gain access to Unix-like operating systems running on x86, x64 and ARM architectures. Its more advanced techniques include using an Internet Relay Chat (IRC) bot in combination with a web shell as a backdoor for remote access.
The botnet downloads a new brute-force module that searches for more vulnerable systems, extending its reach each time. GoBruteforcer works through a list of common username and password combinations, a tactic that lets it break into a wide range of services. Combinations such as “myuser:Abcd@123” and “appeaser:admin123456” exemplify the simplistic approach it employs.
Evolution of GoBruteforcer
An improved version of GoBruteforcer was documented by Check Point in June 2025. This new edition includes a heavily obfuscated IRC bot. Rewritten in a cross-platform programming language, it has increased its stealth and effectiveness. The new version also features better persistence mechanisms and process-masking techniques.
According to Check Point’s analysis, the latest version of the botnet uses dynamic credential lists. The attackers reuse a small, stable password pool for each campaign and refresh their per-task lists from that pool. They rotate usernames and niche additions several times a week in order to pursue different targets.
“The attackers reuse a small, stable password pool for each campaign, refresh per-task lists from that pool, and rotate usernames and niche additions several times a week to pursue different targets.” – Check Point
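In authentication logs, a small password pool tried against frequently rotated usernames appears as one source failing logins for many distinct usernames in a short time, often across several services. The following Python is an added example, not code from Check Point or from the original article; the normalised event format, the sample events, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real logs), normalised from service auth logs to:
#   timestamp service source_ip username result
# IPs are RFC 5737 documentation addresses; only "myuser" and "appeaser"
# come from the article, the other usernames are made up.
SAMPLE_EVENTS = """\
2025-06-01T10:00:00 ftp 203.0.113.7 myuser fail
2025-06-01T10:00:20 ftp 203.0.113.7 appeaser fail
2025-06-01T10:00:40 mysql 203.0.113.7 admin fail
2025-06-01T10:01:00 mysql 203.0.113.7 root fail
2025-06-01T10:01:20 postgresql 203.0.113.7 postgres fail
2025-06-01T10:01:40 mysql 203.0.113.7 myuser ok
2025-06-01T10:02:00 ftp 198.51.100.23 alice fail
2025-06-01T10:03:00 ftp 198.51.100.23 alice ok
2025-06-01T11:30:00 phpmyadmin 192.0.2.50 admin fail
2025-06-01T12:30:00 phpmyadmin 192.0.2.50 root fail
2025-06-01T13:30:00 phpmyadmin 192.0.2.50 dbadmin fail
2025-06-01T14:30:00 phpmyadmin 192.0.2.50 wpuser fail
"""

def parse(line):
    ts, service, src, user, result = line.split()
    return datetime.fromisoformat(ts), service, src, user, result == "ok"

def detect(lines, window=timedelta(minutes=10), min_users=4):
    """Flag sources that fail logins for >= min_users distinct usernames
    inside one sliding window, on any mix of services."""
    recent = defaultdict(list)  # source_ip -> [(ts, user, service)] failures
    findings = {}
    for ts, service, src, user, ok in sorted(parse(l) for l in lines if l.strip()):
        fails = recent[src] = [f for f in recent[src] if ts - f[0] <= window]
        if not ok:
            fails.append((ts, user, service))
            users = {f[1] for f in fails}
            if len(users) >= min_users:
                hit = findings.setdefault(
                    src, {"users": set(), "services": set(), "compromised": []})
                hit["users"] |= users
                hit["services"] |= {f[2] for f in fails}
        elif src in findings:
            # Success from an already-flagged source: treat the account as exposed.
            findings[src]["compromised"].append((service, user))
    return findings

if __name__ == "__main__":
    for src, hit in detect(SAMPLE_EVENTS.splitlines()).items():
        print(src, sorted(hit["users"]), sorted(hit["services"]), hit["compromised"])
```

In the sample, only 203.0.113.7 is flagged. The user who mistypes a password once and the source whose four failures are spread over hours both stay below the threshold, so the window and `min_users` need tuning against real traffic.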
Targeting Vulnerable Systems
GoBruteforcer has been one of the most successful reconnaissance operations. In the span of only eleven days, it generated 80,469 sessions while actively searching for misconfigured proxy servers. On December 28, 2025, it began a methodical probe of more than 73 large language model (LLM) endpoints. This move demonstrated its unending search for exploitable systems.
The botnet has also focused on high-profile databases connected to cryptocurrency projects, which it plans to fold into its expanding botnet. It can brute-force user passwords for many different services on Linux servers, such as FTP, MySQL, PostgreSQL, and phpMyAdmin.
“Starting December 28, 2025, two IPs launched a methodical probe of 73+ LLM model endpoints.” – the threat intelligence firm
Underlying Issues and Implications
The emergence of GoBruteforcer highlights what is going wrong in cybersecurity as a whole. Exposed infrastructure and easily guessed credentials, both the result of poor security hygiene, provide a pipeline for these kinds of attacks. The current wave of campaigns is driven by two main factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks like XAMPP, which expose FTP and admin interfaces with minimal hardening.
“GoBruteforcer exemplifies a broader and persistent problem: The combination of exposed infrastructure, weak credentials, and increasingly automated tools.” – Check Point

