CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

GoBruteforcer Botnet Expands Attacks on Linux Servers

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

Timeline

  1. 12.01.2026 12:48 1 articles · 1d ago

    GoBruteforcer Targets Cryptocurrency and Blockchain Project Databases

    A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects. The botnet uses common usernames and weak defaults from AI-generated server deployment examples. A more sophisticated version of the malware was identified in mid-2025 with improved obfuscation and persistence. The botnet uses a small, stable password pool for each campaign, refreshing per-task lists from that pool. Compromised hosts are used to stage modules that query TRON blockchain addresses for non-zero funds.

    Show sources
    Open in new tab
  2. 08.01.2026 19:30 3 articles · 5d ago

    GoBruteforcer Botnet Targets Linux Servers with Brute-Force Attacks

    The GoBruteforcer botnet has been actively targeting Linux servers with large-scale brute-force attacks against common services like FTP, MySQL, PostgreSQL, and phpMyAdmin. Over 50,000 publicly accessible servers are vulnerable due to weak credentials and misconfigured software. The botnet turns compromised machines into scanning and attack nodes, leading to data theft, backdoor creation, and further spread. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways

Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

Open in new tab

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. In late September, a 230% surge in the botnet's attacks was reported, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs. The infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

Open in new tab

TwoNet hacktivists target critical infrastructure with realistic honeypot attack

The pro-Russian hacktivist group TwoNet, previously known for DDoS attacks, targeted a water treatment facility in September 2025. The facility was a realistic honeypot set up by Forescout researchers to observe adversaries’ movements. The attack demonstrated TwoNet’s ability to move from initial access to disruptive actions in approximately 26 hours. The group exploited default credentials, SQL vulnerabilities, and an XSS flaw to gain access and disrupt operations. They created a new user account, displayed a hacking message, and disabled real-time updates and alarms. The intrusion was detected and logged by Forescout researchers monitoring the honeypot. TwoNet publicly claimed responsibility for the attack on its Telegram channel. The attack originated from an IP address linked to a German hosting provider, and the attacker used the Firefox browser on the Linux operating system. The attacker conducted defacement, process disruption, manipulation, and evasion activities. TwoNet has expanded its activities to include targeting HMI and SCADA interfaces, publishing personal details of personnel, and offering cybercrime services. The group has also ceased operations as of September 30, 2025, according to a message in an affiliated group, CyberTroops.

Open in new tab

Increased Scanning Activity on Palo Alto Networks Login Portals

A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. An automated campaign targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, was observed starting on December 11, 2025. The number of login attempts aimed at GlobalProtect portals peaked at 1.7 million during a 16-hour period. The attacks originated from more than 10,000 unique IP addresses, primarily from the 3xK GmbH (Germany) IP space, and targeted infrastructure in the United States, Mexico, and Pakistan. The threat actor reused common username and password combinations, with most requests using an uncommon Firefox user agent for automated login activity. The activity reflects scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals. On December 12, 2025, activity from the same hosting provider using the same TCP fingerprint started probing Cisco SSL VPN endpoints, with unique attack IPs jumping to 1,273 from a normal baseline of less than 200. The login payloads followed normal SSL VPN authentication flows, indicating automated credential attacks rather than exploits. Palo Alto Networks confirmed the activity and recommended using strong passwords and multi-factor authentication protection.

Open in new tab

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake Homebrew, LogMeIn, and TradingView platforms. These platforms impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware and Odyssey. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025. A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS. The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress. The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats. The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware. The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog. The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer. AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively. AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads. AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem. Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated. Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do. Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not.

Open in new tab