Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns
ID: 187b4d92-fbda-5d53-9253-546f0f6209a8
STIX ID: report--187b4d92-fbda-5d53-9253-546f0f6209a8
Feed Name: Check Point Research
GoBruteforcer is a modular, Go-based botnet that compromises Linux servers by brute-forcing weak or default credentials on internet-exposed services (FTP, MySQL, PostgreSQL, phpMyAdmin), often gaining initial access via web shells on poorly hardened stacks like XAMPP. The 2025 variant adds an obfuscated Go IRC bot with process-masking and improved persistence, a high-concurrency bruteforcer that pulls credential lists from C2, and specialized tooling for crypto-related targets. Check Point recovered token-sweep utilities, a ~23k TRON address list, active C2 IPs and sample hashes, and estimates tens of thousands of vulnerable instances. Recommendations include credential hygiene, removing legacy stacks, and blocking/remediating the listed IOCs.
