A Go-based botnet known as GoBruteforcer is scanning and compromising Linux servers globally by brute-forcing weak passwords on exposed services like FTP, MySQL, and PostgreSQL. Check Point Research has identified a 2025 variant that has infected tens of thousands of machines, putting over 50,000 internet-facing servers at risk. The attacks exploit common defaults from AI-generated configurations and legacy setups.
The GoBruteforcer botnet, first documented in 2023, has evolved significantly in its 2025 version, as detailed by Check Point Research. This malware uses a modular structure involving web shells, downloaders, IRC bots, and bruteforcer modules to infiltrate systems. It focuses on services such as FTP, MySQL, PostgreSQL, and phpMyAdmin, targeting weak or default credentials on internet-exposed Linux servers.
Researchers estimate that more than 50,000 servers remain vulnerable, with millions of instances exposed: around 5.7 million FTP servers, 2.23 million MySQL servers, and 560,000 PostgreSQL servers operating on default ports. The botnet's success stems from widespread use of AI-suggested usernames like "appuser" and "myuser," alongside a database of 375 to 600 common weak passwords. These credential lists overlap with 2.44% of a collection of 10 million leaked passwords, making attacks viable despite the modest overlap rate. A 2024 Google Cloud Threat Horizons report noted that weak credentials facilitated 47.2% of initial cloud breaches, underscoring the method's effectiveness.
The updated IRC bot, now written in Go and obfuscated with Garbler, replaces an earlier C-based version. It employs process-masking techniques, renaming itself to "init" and hiding its command-line arguments to evade detection. Command-and-control servers distribute batches of 200 credentials, rotating profiles multiple times weekly. Infected machines scan up to 20 IP addresses per second with low bandwidth—about 64 kb/s outbound during FTP operations—and run 95 concurrent threads on 64-bit systems.
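The process-masking behaviour described above (a bot renaming itself to "init") is something a host-based check can look for. The following is an added example, not code from Check Point Research or from the malware analysis: it walks /proc on a Linux host, or a constructed process table elsewhere, and flags any process that calls itself "init" without being PID 1 or without running from the locations where a genuine init/systemd binary lives. The list of legitimate init paths, the sample process table, and the placeholder bot path are assumptions.

```python
"""Flag processes masquerading as "init" (added example; heuristics are assumptions)."""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Where a genuine init/systemd binary is expected to run from (assumption; adjust per distro).
LEGIT_INIT_EXE_PREFIXES = (
    "/sbin/init", "/usr/sbin/init",
    "/usr/lib/systemd/systemd", "/lib/systemd/systemd",
)


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm without trailing newline
    exe: Optional[str]   # target of /proc/<pid>/exe, None if unreadable
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces


def suspicious_reasons(p: Proc) -> List[str]:
    """Return the reasons a process looks like an init masquerade (empty list if clean)."""
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    looks_like_init = p.comm == "init" or os.path.basename(argv0) == "init"
    if not looks_like_init:
        return []
    reasons: List[str] = []
    if p.pid != 1:
        reasons.append("calls itself init but is not PID 1")
    # An unreadable exe link usually means we lack privileges, so it is not counted on its own.
    if p.exe is not None and not p.exe.startswith(LEGIT_INIT_EXE_PREFIXES):
        reasons.append(f"exe {p.exe!r} is outside the expected init locations")
    return reasons


def read_procfs(proc_root: str = "/proc") -> Iterable[Proc]:
    """Yield one Proc per live process; processes that vanish mid-read are skipped."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        try:
            exe: Optional[str] = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        yield Proc(int(name), comm, exe, cmdline)


def scan(procs: Iterable[Proc]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that trips the heuristics."""
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons = suspicious_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample process table (not captured from a real host).
SAMPLE_PROCS = [
    Proc(1, "init", "/usr/lib/systemd/systemd", "/sbin/init splash"),
    Proc(812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(4711, "init", "/tmp/placeholder-bot (deleted)", "init"),  # masquerading process
]

if __name__ == "__main__":
    source = read_procfs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in sorted(scan(source).items()):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run it as root so that the exe links of other users' processes are readable; an unprivileged run still catches the "not PID 1" case, which on its own is enough to warrant a closer look at the process.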
Some campaigns show financial motives, deploying tools to scan TRON wallets and sweep tokens from Binance Smart Chain. On one compromised server, analysts recovered a file with roughly 23,000 TRON addresses, with on-chain data confirming successful thefts. The botnet avoids private networks, cloud providers, and U.S. Department of Defense ranges to minimize detection risks. It also tailors attacks for sectors, using crypto-themed usernames or targeting XAMPP stacks with default FTP setups.
For resilience, it includes hardcoded fallback C2 addresses and promotes infected hosts as relays. Components update twice daily via MD5-verified scripts. To counter these threats, experts recommend strong passwords, disabling unused services, multi-factor authentication, and vigilant login monitoring.