Find notable cyber news and cases, enriched with sources, timelines, and signals.

GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant

Malware Activity
First reported
Last updated
Happening score
H score 72
3 unique sources, 3 articles

Summary

Hide ▲

GoBruteforcer is actively brute-forcing Linux servers exposed to the internet, creating a broad risk of compromise, data theft and botnet expansion. The operation targets common services including FTP, MySQL, PostgreSQL and phpMyAdmin, especially where credentials are weak or deployments are misconfigured. Compromised machines are turned into scanning and attack nodes, which extends the botnet's reach beyond the initial login attack. A more capable mid-2025 variant adds heavier obfuscation, stronger persistence and process-disguise techniques.

Related Happenings

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score33 First: 10.06.2026 19:08 Last: 10.06.2026 19:08 Sources 1

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

JDY botnet expanded reconnaissance and flaw-focused scanning activity

Malware Activity
H score27 First: 10.06.2026 18:00 Last: 10.06.2026 18:00 Sources 1

About this happening: The **JDY botnet** has expanded its **reconnaissance and flaw-focused scanning**, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Research...

Glassworm botnet command-and-control disruption

Malware Activity
H score10 First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Mistral AI hit by network compromise

Incident
H score36 First: 15.05.2026 01:50 Last: 15.05.2026 01:50 Sources 1

About this happening: Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....

PCPJack worm-like credential theft framework

Malware Activity
H score27 First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

Timeline

  1. 08.01.2026 19:30 3 articles · 6mo ago

    GoBruteforcer advisory describes active brute-force targeting of exposed Linux servers

    Initial Disclosure

    Check Point Research published an advisory describing GoBruteforcer actively brute-forcing Linux servers exposed to the internet through FTP, MySQL, PostgreSQL and phpMyAdmin, with more than 50,000 publicly accessible servers assessed as potentially vulnerable because of weak credentials and misconfigured software. The activity uses compromised machines as scanning and attack nodes, rotates several times a week, and includes campaigns that probe random IP ranges or target crypto-themed usernames and phpMyAdmin panels; researchers also noted a more capable variant observed in mid-2025, written in Go with heavier obfuscation, stronger persistence and process-disguise techniques.

    Show sources