
Hackers are hijacking tens of thousands of poorly secured servers to build a botnet that targets cryptocurrency wallets containing funds. More than 50,000 internet-facing servers with weak passwords may be vulnerable, according to research.
Security researchers at Check Point have reported that the malware known as GoBruteforcer is being used to build a botnet capable of brute-forcing login credentials to cryptocurrency infrastructures.
The malware primarily targets FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux systems that run with weak passwords and reused default settings. Newly discovered credentials are used to steal data, create backdoor accounts, sell access, and expand the botnet. Infected hosts are enrolled in the botnet and accept remote operator commands.
According to the report, millions of database and file-transfer servers are publicly reachable on their default ports. Recent data show that roughly 5.7 million FTP servers, 2.23 million MySQL servers, and about 560,000 PostgreSQL servers are exposed to the internet.
Malware targets weak passwords
Palo Alto Networks’ Unit 42 first reported GoBruteforcer in March 2023, explaining that it can run on various types of Linux and Unix-based servers, regardless of whether they use x86, x64, or ARM processors.
As reported last week, Check Point discovered a more advanced version of this malware in mid-2025. Researchers say that the newer variant is more difficult to detect and remains on infected systems for a longer period.
For GoBruteforcer to succeed, the attackers must guess not only a weak password but also a valid username that accepts remote logins.
“We observed that real GoBruteforcer attacks use common operational usernames such as appuser and myuser in their brute-force credential lists,” Check Point researchers noted.
The malware relies on common, poorly chosen usernames and passwords, such as myuser:Abcd@123 or appeaser:admin123456. These combinations are often copied from official guides and tutorials, which makes them easy targets for attackers.
These same examples have been absorbed into large language models, causing AI-generated setup scripts to repeat them.
Other usernames in the list directly reference cryptocurrency projects, such as cryptouser, appcrypto, and crypto_app, while another set targets phpMyAdmin installations with logins like root, wordpress, and wpuser.
“The attackers reuse a small, stable password pool for each campaign,” Check Point noted, adding that usernames and niche variations are rotated several times a week to chase different targets.
FTP attacks are even more straightforward, relying on a hardcoded list of credentials embedded directly into the malware binary, targeting default web-hosting environments.
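The credential lists described above give defenders a concrete thing to watch for: a single source failing logins across FTP, MySQL, and PostgreSQL with the same small set of tutorial-style usernames. The script below is an added example, not code from the article or from Check Point. It parses constructed failed-login lines in the shapes vsftpd, the MySQL error log, and PostgreSQL (assuming a log_line_prefix that includes the client address) typically emit, aggregates failures per source address, and raises an alert when a source either exceeds a failure threshold or cycles through two or more of the usernames the article lists. The threshold, the sample lines, and the exact log formats are assumptions for illustration.

```python
import re
from collections import defaultdict

# Usernames the article reports in GoBruteforcer credential lists.
WATCHLIST_USERS = {
    "appuser", "myuser", "cryptouser", "appcrypto", "crypto_app",
    "root", "wordpress", "wpuser",
}

# One pattern per service. Each yields the client address and the username tried.
PATTERNS = [
    ("postgresql", re.compile(
        r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\(\d+\) FATAL:\s+'
        r'password authentication failed for user "(?P<user>[^"]+)"')),
    ("mysql", re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<src>[^']+)'")),
    ("ftp", re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<src>[^"]+)"')),
]

# Constructed sample log lines (assumed formats, not taken from any real host).
SAMPLE_LOG = [
    '2025-06-01 10:00:01 UTC [4101] 203.0.113.5(51234) FATAL:  password authentication failed for user "appuser"',
    '2025-06-01 10:00:02 UTC [4102] 203.0.113.5(51240) FATAL:  password authentication failed for user "cryptouser"',
    "2025-06-01T10:00:03.000000Z 15 [Note] [Server] Access denied for user 'myuser'@'203.0.113.5' (using password: YES)",
    "2025-06-01T10:00:04.000000Z 16 [Note] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    'Sun Jun  1 10:00:05 2025 [pid 2222] [wpuser] FAIL LOGIN: Client "203.0.113.5"',
    'Sun Jun  1 10:00:06 2025 [pid 2223] [wordpress] FAIL LOGIN: Client "203.0.113.5"',
    # A single mistyped password from a staff account: should not alert.
    '2025-06-01 10:05:00 UTC [4110] 198.51.100.7(40000) FATAL:  password authentication failed for user "alice"',
    # Unrelated successful connection line: ignored by the parser.
    '2025-06-01 10:05:01 UTC [4111] 198.51.100.7(40001) LOG:  connection authorized: user=alice database=app',
]


def parse_failure(line):
    """Return (service, source_ip, username) for a failed-login line, else None."""
    for service, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return service, match.group("src"), match.group("user")
    return None


def analyze(lines, threshold=5):
    """Aggregate failed logins per source and flag brute-force-style activity.

    A source is flagged when it crosses `threshold` failures (assumed value)
    or tries two or more usernames from the watchlist, whichever comes first.
    """
    per_source = defaultdict(lambda: {"count": 0, "users": set(), "services": set()})
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        service, src, user = parsed
        record = per_source[src]
        record["count"] += 1
        record["users"].add(user)
        record["services"].add(service)

    alerts = []
    for src, record in per_source.items():
        watch_hits = record["users"] & WATCHLIST_USERS
        if record["count"] >= threshold or len(watch_hits) >= 2:
            alerts.append({
                "src": src,
                "failures": record["count"],
                "services": sorted(record["services"]),
                "watchlist_users": sorted(watch_hits),
            })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['failures']} failures across "
              f"{', '.join(alert['services'])}; watchlist users tried: "
              f"{', '.join(alert['watchlist_users'])}")
```

Run over real logs by feeding the three files' lines into `analyze`; the cross-service correlation is what distinguishes a credential-spraying bot from a colleague mistyping a password, so keep the per-source aggregation even if you tune the threshold or extend the watchlist.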
How does the malware work?
In observed attacks, internet-facing FTP services on XAMPP servers are often the entry point. Attackers upload a PHP web shell, then use it to download and deploy an Internet Relay Chat (IRC) bot that establishes a remote-control channel over which the attackers send commands.
The malware also downloads a tool that scans the internet for other weak servers to attack and add to the botnet. Once compromised, a server can be used to run password-guessing attacks against other systems across the internet.
It can also store and distribute malware to infect additional servers, or operate as an IRC-style command-and-control (C2) node or backup C2 server to keep the operation running.
One compromised host analyzed by Check Point was also used to stage a module that scanned TRON blockchain addresses.
“On one compromised host, we recovered Go-based tools, a TRON balance scanner and TRON and BSC ‘token-sweep’ utilities, together with a file containing ~23,000 TRON addresses,” said the researchers.
“On-chain transaction analysis involving the botnet operators’ recipient wallets shows that at least some of these financially motivated attacks were successful,” they added.
The module queried balances via the tronscanapi service, hunting for wallets with funds. This is a strong indication that blockchain projects are a deliberate target, not collateral damage.
Legacy systems pose a risk
According to Check Point Research, the current surge is driven by developers increasingly relying on AI-generated server setup guides that recycle the same example usernames and weak credentials.
Another reason for attacks is that many organizations are still running outdated web stacks, such as XAMPP, often with FTP and admin panels exposed to the internet and barely hardened.
“GoBruteforcer exemplifies a broader and persistent problem: the combination of exposed infrastructure, weak credentials, and increasingly automated tools. While the botnet itself is technically straightforward, its operators benefit from the vast number of misconfigured services that remain online,” Check Point warned.
In late 2025, researchers at Lumen Technologies’ Black Lotus Labs discovered that some GoBruteforcer-infected machines were also controlled by another malware family called SystemBC, suggesting that multiple threat groups were overlapping or sharing infrastructure.