A recent wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects in order to build a botnet that can brute-force user passwords for services like FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. According to an analysis released last week by Check Point Research, "the current wave of campaigns is driven by two factors: the persistence of legacy web stacks like XAMPP that expose FTP and admin interfaces with minimal hardening, and the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults."

GoBruteforcer, also known as GoBrut, was initially documented by Palo Alto Networks Unit 42 in March 2023, which described its ability to target Unix-like platforms running x86, x64, and ARM architectures to deploy an Internet Relay Chat (IRC) bot and a web shell for remote access, along with retrieving a brute-force module to scan for vulnerable systems and expand the botnet's reach. In September 2025, the Black Lotus Labs team at Lumen Technologies discovered that a portion of the infected bots controlled by SystemBC, another malware family, were also part of the GoBruteforcer botnet.

Check Point reported that in the middle of 2025, it discovered a more advanced version of the Golang malware that included enhanced persistence mechanisms, process-masking techniques, dynamic credential lists, and a heavily obfuscated IRC bot rewritten in the cross-platform programming language. "The botnet's operators profit from the large number of misconfigured services that stay online, even though the botnet itself is technically simple."

The disclosure coincides with GreyNoise's finding that threat actors are routinely searching the internet for improperly configured proxy servers that might grant access to for-profit LLM services.

Between October 2025 and January 2026, one of the two campaigns used server-side request forgery (SSRF) vulnerabilities to target Twilio SMS webhook integrations and Ollama's model pull functionality.

Based on the use of ProjectDiscovery's OAST infrastructure, it is hypothesized that the activity most likely comes from security researchers or bug bounty hunters. The second set of activity, which began on December 28, 2025, is considered a high-volume enumeration effort to find exposed or incorrectly configured LLM endpoints connected to Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. IP addresses 45.88.186[.]70 and 204.76.203[.]125 were the source of the scanning.