research.checkpoint.com/2026/insi…
Check Point Research has detailed GoBruteforcer (also known as GoBrut), a modular botnet written in Go that brute-forces user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. The botnet propagates through a chain of components, including a web shell, downloader, IRC bot, and bruteforcer modules.
The current wave of campaigns is driven by two primary factors: the widespread reuse of AI-generated server deployment examples that promote common usernames and weak default credentials, and the continued use of legacy web stacks such as XAMPP, which expose FTP and administrative interfaces with minimal hardening.
According to Check Point’s estimates, more than 50,000 Internet-facing servers may be vulnerable to GoBruteforcer attacks.
Check Point Research also observed a GoBruteforcer campaign targeting databases associated with cryptocurrency and blockchain projects. On one compromised host, researchers recovered Go-based tooling, including a TRON balance scanner and TRON and BSC token-sweeping utilities, along with a file containing approximately 23,000 TRON addresses. On-chain transaction analysis involving wallets controlled by the botnet operators indicates that at least some of these financially motivated attacks were successful.
