
GoBruteforcer Botnet Exploits Weak Credentials in Linux FTP, MySQL, PostgreSQL, and phpMyAdmin on Crypto Infrastructure

  • Jan 13

Executive Summary

The GoBruteforcer botnet represents a significant and rapidly evolving threat to the cryptocurrency sector, specifically targeting databases and infrastructure of crypto projects by exploiting weak or default credentials. This Golang-based malware leverages automated brute-force techniques to compromise Linux servers running exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin. Once a server is compromised, it is assimilated into a distributed botnet, which is then used to propagate further attacks, distribute malicious payloads, and act as a command-and-control (C2) node. The campaign is distinguished by its focus on crypto-related assets, its exploitation of AI-generated and legacy deployment defaults, and its ability to iterate through blockchain addresses to identify and potentially exfiltrate digital assets. The scale and automation of this campaign, combined with the prevalence of weak credentials in crypto infrastructure, make it a critical risk for organizations in the blockchain and digital asset space.

Threat Actor Profile

The operators behind GoBruteforcer are financially motivated cybercriminals with a demonstrated focus on the cryptocurrency ecosystem. While there is no direct attribution to a known Advanced Persistent Threat (APT) group, infrastructure overlap has been observed with the SystemBC malware family, suggesting a shared or rented criminal ecosystem. The threat actors exhibit a high degree of operational agility, regularly updating credential lists and targeting methodologies to maximize infection rates. Their campaigns are characterized by opportunistic targeting, rapid lateral movement, and the use of compromised hosts for both attack propagation and C2 redundancy. The actors have demonstrated a sophisticated understanding of crypto project infrastructure, including the use of blockchain APIs such as tronscanapi[.]com to identify lucrative targets.

Technical Analysis of Malware/TTPs

GoBruteforcer is written in Golang, enabling cross-platform deployment and efficient obfuscation. The malware is typically delivered via a PHP web shell uploaded to internet-exposed FTP services, often on legacy stacks like XAMPP. Upon execution, the web shell downloads an architecture-specific IRC bot binary, which establishes persistence and initiates brute-force attacks against a range of services, including FTP, MySQL, PostgreSQL, and phpMyAdmin. The brute-force module utilizes a dynamic, campaign-specific list of usernames and passwords, many of which are derived from AI-generated server deployment scripts and widely circulated tutorials. Common usernames include cryptouser, appcrypto, crypto_app, crypto, root, wordpress, wpuser, myuser, and appeaser, while passwords such as Abcd@123 and admin123456 are frequently observed.

Once a host is compromised, GoBruteforcer establishes persistence through event-triggered execution mechanisms and registers with an IRC-based C2 infrastructure. The infected host is then used to launch further brute-force attacks, host additional malware payloads, and serve as a backup C2 node. Notably, the malware includes modules that iterate through TRON blockchain addresses, querying balances via tronscanapi[.]com to identify accounts with non-zero funds, indicating a direct monetization focus.

The campaign leverages automation and AI-influenced deployment defaults, exploiting the widespread use of weak credentials in both legacy and modern server environments. The malware is heavily obfuscated, with embedded credential lists and adaptive attack logic that refreshes weekly to evade detection and maximize effectiveness.

Exploitation in the Wild

Recent campaigns have resulted in the compromise of over 50,000 Linux servers globally, with a pronounced focus on crypto and blockchain infrastructure. The attack surface is expanded by the prevalence of internet-exposed services with weak or default credentials, particularly in environments where rapid deployment and minimal hardening are prioritized. Observed indicators of compromise (IOCs) include IP addresses such as 45.88.186[.]70 and 204.76.203[.]125, which are used for large-scale scanning and C2 communication, as well as the domain tronscanapi[.]com for blockchain balance checks. The malware binaries are Golang-based, heavily obfuscated, and tailored to the target system architecture.

The exploitation chain typically begins with the identification of exposed services, followed by brute-force authentication attempts using the dynamic credential list. Successful authentication leads to the upload of a PHP web shell, which then downloads and executes the IRC bot payload. The infected host is assimilated into the botnet, contributing to further attacks and serving as a node in the distributed C2 infrastructure. The campaign's automation and scale have enabled rapid propagation and significant impact across the crypto sector.

Victimology and Targeting

The primary victims of the GoBruteforcer campaign are organizations and projects within the cryptocurrency and blockchain ecosystem. This includes exchanges, DeFi platforms, wallet providers, and blockchain infrastructure operators. The targeting is opportunistic but highly effective, leveraging the widespread use of weak or default credentials in both legacy and modern deployments. The campaign is not limited to a specific geographic region, with compromised hosts reported globally. The focus on crypto-related usernames and the use of blockchain APIs for balance checks indicate a deliberate strategy to identify and exploit high-value targets within the digital asset space.

The affected products are Linux servers running FTP, MySQL, PostgreSQL, and phpMyAdmin services, particularly those deployed with minimal hardening or using AI-generated deployment scripts. Legacy web stacks such as XAMPP are especially vulnerable due to their default configurations and lack of robust access controls. Any internet-exposed instance of these services with weak or default credentials is at risk, regardless of version or distribution.

Mitigation and Countermeasures

To mitigate the risk posed by GoBruteforcer, organizations should immediately audit and change all default and weak credentials on internet-exposed services, including FTP, MySQL, PostgreSQL, and phpMyAdmin. It is critical to harden legacy web stacks such as XAMPP by restricting access to administrative interfaces, disabling unused services, and implementing robust authentication mechanisms. Continuous monitoring for connections to known C2 infrastructure, such as the IPs 45.88.186[.]70 and 204.76.203[.]125 and the domain tronscanapi[.]com, is essential for early detection of compromise.
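The network indicators in the Exploitation in the Wild section and the monitoring recommendation above can be turned into a simple matcher. The block below is an added example written for this advisory, not code from the advisory or from any of the cited vendors. It refangs the defanged indicators as printed (45.88.186[.]70, 204.76.203[.]125, tronscanapi[.]com), then checks constructed connection and DNS log lines against them. The log line formats, the internal hosts and the destination ports in the sample are assumptions made for the example; suffix matching of DNS names against the listed domain is also a design choice of the example, not something the advisory states.

```python
"""Match outbound connection and DNS log lines against the GoBruteforcer C2
indicators listed in this advisory. Added example; not the advisory's own code."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as the advisory prints them, in defanged form.
DEFANGED_IOCS = ["45.88.186[.]70", "204.76.203[.]125", "tronscanapi[.]com"]


def refang(ioc: str) -> str:
    """Undo the usual defanging ('[.]' for '.', 'hxxp' for 'http') so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_iocs(iocs):
    """Separate a mixed indicator list into a set of IP strings and a set of lowercase domains."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.lower().rstrip("."))
    return ips, domains


# Assumed log formats for the example (not any product's real format):
#   <ts> conn <src-ip>:<port> -> <dst-ip>:<port>
#   <ts> dns <client-ip> query=<name>
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<client>[\d.]+) query=(?P<name>\S+)$")

# Constructed sample traffic: two internal hosts, one benign destination, two C2 IPs
# and one DNS lookup of a subdomain under the listed domain.
SAMPLE_LOG = """\
2026-01-13T10:00:01Z conn 10.0.0.5:51234 -> 93.184.216.34:443
2026-01-13T10:00:07Z conn 10.0.0.5:51240 -> 45.88.186.70:6667
2026-01-13T10:00:09Z dns 10.0.0.5 query=api.tronscanapi.com
2026-01-13T10:00:12Z dns 10.0.0.7 query=example.org
2026-01-13T10:00:15Z conn 10.0.0.7:40000 -> 204.76.203.125:80
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str        # internal host that made the connection or query
    kind: str        # "c2_ip" or "c2_domain"
    indicator: str   # the refanged indicator that matched


def scan_log(text: str, iocs=DEFANGED_IOCS):
    """Return one Hit per log line whose destination IP or queried name matches an indicator."""
    ips, domains = split_iocs(iocs)
    hits = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if m["dst"] in ips:
                hits.append(Hit(m["ts"], m["src"], "c2_ip", m["dst"]))
            continue
        m = DNS_RE.match(line)
        if m:
            name = m["name"].lower().rstrip(".")
            # Match the domain itself or any name under it (example's own choice).
            matched = next((d for d in domains if name == d or name.endswith("." + d)), None)
            if matched:
                hits.append(Hit(m["ts"], m["client"], "c2_domain", matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} -> {hit.kind} {hit.indicator}")
```

Keeping the indicator list in its defanged form and refanging at load time avoids copy errors when the list is pasted from an advisory; splitting on `ipaddress.ip_address` rather than on a regex means a malformed entry is treated as a domain instead of silently never matching anything.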

Server logs should be regularly reviewed for evidence of brute-force attempts using the observed usernames and passwords. Compromised hosts must be isolated and reimaged, with all credentials rotated to prevent re-infection. Organizations should implement network segmentation to limit lateral movement and deploy intrusion detection and prevention systems to identify and block malicious activity. Regular security awareness training and the use of password managers can further reduce the risk of credential-based attacks.
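The log review recommended above is straightforward to automate once the failed-login line of each service is recognised. The block below is an added example, not code from the advisory or from any cited vendor. It parses constructed vsftpd, MySQL and PostgreSQL authentication-failure lines, counts failures per source address, and flags sources that either exceed a volume threshold or use one of the usernames the advisory lists. One caveat worth stating: server logs record the username of a failed login but never the password tried, so the observed passwords (Abcd@123, admin123456) cannot be matched from logs; the username list is the usable signal. The PostgreSQL lines assume a `log_line_prefix` of `'%m [%p] %r '` so the client address appears before the message, and the MySQL lines are matched on the "Access denied for user" message text only; the sample lines themselves are constructed.

```python
"""Flag brute-force activity against FTP, MySQL and PostgreSQL from their
authentication-failure log lines, using the usernames listed in this advisory.
Added example; not the advisory's own code."""
import re
from collections import Counter, defaultdict

# Usernames observed in the campaign, as listed in the advisory.
OBSERVED_USERS = {"cryptouser", "appcrypto", "crypto_app", "crypto", "root",
                  "wordpress", "wpuser", "myuser", "appeaser"}

# One pattern per service; each yields the username and source IP of a failed login.
#   ftp:        vsftpd's own log line  "[user] FAIL LOGIN: Client "ip""
#   mysql:      the "Access denied for user 'u'@'ip'" message text
#   postgresql: assumes log_line_prefix '%m [%p] %r ' (remote host(port) before FATAL)
PATTERNS = {
    "ftp": re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[\d.]+)'"),
    "postgresql": re.compile(
        r'\[\d+\] (?P<ip>[\d.]+)\(\d+\) FATAL:\s+password authentication failed '
        r'for user "(?P<user>[^"]+)"'),
}

# Constructed sample: one source hammering all three services with campaign usernames,
# one unrelated single failure, and one PostgreSQL line that is not a failure.
SAMPLE_LOG = """\
Tue Jan 13 10:00:01 2026 [pid 1201] [cryptouser] FAIL LOGIN: Client "203.0.113.5"
Tue Jan 13 10:00:02 2026 [pid 1202] [appcrypto] FAIL LOGIN: Client "203.0.113.5"
Tue Jan 13 10:00:03 2026 [pid 1203] [crypto_app] FAIL LOGIN: Client "203.0.113.5"
2026-01-13T10:00:04.000000Z 15 [Note] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2026-01-13T10:00:05.000000Z 16 [Note] [Server] Access denied for user 'wpuser'@'203.0.113.5' (using password: YES)
2026-01-13 10:00:06.000 UTC [4321] 203.0.113.5(51000) FATAL:  password authentication failed for user "crypto"
2026-01-13 10:00:07.000 UTC [4322] 198.51.100.9(51001) FATAL:  password authentication failed for user "alice"
2026-01-13 10:00:08.000 UTC [4323] 203.0.113.5(51002) LOG:  connection received: host=203.0.113.5 port=51002
"""


def parse_failures(text: str):
    """Yield (service, user, ip) for every failed-login line that a pattern recognises."""
    for line in text.splitlines():
        for service, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                yield service, m["user"], m["ip"]
                break


def assess(text: str, threshold: int = 5):
    """Summarise failures per source IP and flag sources by volume or by campaign usernames.

    Returns {ip: {"failures", "services", "observed_usernames", "reasons"}} for flagged IPs only.
    """
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    services_by_ip = defaultdict(set)
    for service, user, ip in parse_failures(text):
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
        services_by_ip[ip].add(service)

    findings = {}
    for ip, count in per_ip.items():
        observed = users_by_ip[ip] & OBSERVED_USERS
        reasons = []
        if count >= threshold:
            reasons.append("volume")
        if observed:
            reasons.append("campaign_usernames")
        if reasons:
            findings[ip] = {
                "failures": count,
                "services": sorted(services_by_ip[ip]),
                "observed_usernames": sorted(observed),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, detail in assess(SAMPLE_LOG).items():
        print(ip, detail)
```

Generic names in the list (root in particular) will flag on a single failure, so in practice the username match is best treated as a priority boost on top of the volume rule rather than an alert on its own; the `reasons` field is there so a triage rule can tell the two cases apart.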

References

The following sources provide additional technical details and context on the GoBruteforcer campaign:

  • The Hacker News: GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials. https://thehackernews.com/2026/01/gobruteforcer-botnet-targets-crypto.html
  • Check Point Research: Inside GoBruteforcer. https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/
  • Dark Reading: GoBruteforcer Botnet Targets 50K-plus Linux Servers. https://www.darkreading.com/threat-intelligence/gobruteforcer-botnet-targets-50k-plus-linux-servers
  • HivePro: Threat Advisory on GoBruteforcer. https://hivepro.com/threat-advisory/gobruteforcer-exposed-how-weak-credentials-power-a-silent-linux-botnet/
  • Palo Alto Networks Unit 42: GoBruteforcer. https://unit42.paloaltonetworks.com/gobruteforcer/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical infrastructure. For more information about our solutions or to discuss your cybersecurity needs, we are happy to answer questions at ops@rescana.com.
