A botnet known as GoBruteforcer has been actively targeting Linux servers exposed to the internet, using large-scale brute-force attacks against common services such as FTP, MySQL, PostgreSQL and phpMyAdmin.
In a new advisory published on Wednesday, Check Point Research (CPR) estimated that more than 50,000 publicly accessible servers could be vulnerable due to weak credentials and misconfigured software.
GoBruteforcer turns compromised machines into scanning and attack nodes. Once infected, these servers are used to probe random IP ranges and attempt logins with common usernames and passwords. Successful compromises can lead to data theft, creation of backdoors, resale of access or further spread of the botnet.
The malware was first publicly documented in 2023, but researchers began observing a more capable variant in mid-2025. The newer version is entirely written in Go and introduces heavier obfuscation, stronger persistence and techniques designed to disguise malicious processes on infected hosts.
Attack Scale and Targeting
The current wave of activity is being driven by two converging trends: the mass reuse of standard deployment examples that rely on predictable usernames and weak defaults, and the continued use of legacy web stacks, such as XAMPP, which often expose FTP services and admin panels with minimal security hardening.
Read more on Linux server security: Critical Linux Flaws Discovered Allowing Root Access Exploits
CPR researchers noted that the attackers do not rely on zero-day exploits. Instead, they repeatedly test simple credentials like admin, password or common operational usernames that have circulated for years in documentation and tutorials.
Millions of databases and FTP servers remain reachable on default ports, creating a broad attack surface. Even with a low success rate, the sheer number of exposed systems makes brute-force attacks economically attractive.
GoBruteforcer campaigns rotate several times a week and vary in focus. Some runs spray common usernames across random IP addresses, while others are more targeted. Observed attacks have included crypto-themed usernames aimed at blockchain-related databases, as well as phpMyAdmin panels commonly associated with WordPress sites.
Financial Motives and Crypto Activity
On one compromised server, analysts recovered Go-based tools designed to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. A file containing around 23,000 TRON addresses was also found alongside the botnet components.
On-chain analysis of attacker-controlled wallets indicated that at least some of these financially motivated attacks were successful, although most affected addresses appeared to hold only small residual balances.
Still, the findings highlight a persistent security problem. Exposed services, weak credentials and default configurations continue to provide attackers with reliable access.
“As generative AI further lowers the barrier to server deployment, the risk of insecure defaults will likely increase,” CPR explained.
“Addressing this class of threats requires not only detection and takedown efforts, but also renewed attention to secure configuration practices, credential hygiene and continuous exposure management.”
