
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant

Malware Activity
H score 36
3 unique sources, 3 articles

Summary


GoBruteforcer is actively brute-forcing Linux servers exposed to the internet, creating a broad risk of compromise, data theft and botnet expansion. The operation targets common services including FTP, MySQL, PostgreSQL and phpMyAdmin, especially where credentials are weak or deployments are misconfigured. Compromised machines are turned into scanning and attack nodes, which extends the botnet's reach beyond the initial login attack. A more capable mid-2025 variant adds heavier obfuscation, stronger persistence and process-disguise techniques.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Mistral AI hit by network compromise

Incident
First: 15.05.2026 01:50 Last: 15.05.2026 01:50 Sources 1

About this happening: Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....

PCPJack worm-like credential theft framework

Malware Activity
First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

Unit 42 Zealot proves autonomous cloud attack chaining in GCP

Technical Analysis
First: 23.04.2026 13:00 Last: 23.04.2026 13:00 Sources 1

About this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...

RondoDox botnet expands mining and DDoS capabilities

Malware Activity
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...

Timeline

  1. 08.01.2026 19:30 · 3 articles

    GoBruteforcer advisory describes active brute-force targeting of exposed Linux servers

    Initial Disclosure

    Check Point Research published an advisory describing GoBruteforcer actively brute-forcing internet-exposed Linux servers through FTP, MySQL, PostgreSQL and phpMyAdmin. More than 50,000 publicly accessible servers were assessed as potentially vulnerable because of weak credentials and misconfigured software. The activity uses compromised machines as scanning and attack nodes, rotates several times a week, and includes campaigns that probe random IP ranges or target crypto-themed usernames and phpMyAdmin panels. Researchers also noted a more capable variant observed in mid-2025, written in Go with heavier obfuscation, stronger persistence and process-disguise techniques.
