GoBruteforcer botnet expands against crypto and blockchain project databases
Malware Activity
Summary
The GoBruteforcer botnet has entered a new wave of attacks that targets cryptocurrency and blockchain project databases and turns Linux servers into credential-brute-forcing nodes. The malware now uses obfuscated IRC bot code, improved persistence, process masking, and dynamic credential lists to brute-force logins for FTP, MySQL, PostgreSQL, and phpMyAdmin. Infected hosts can also host payloads and act as backup C2, which increases the botnet's resilience. The observed intrusion path starts with exposed XAMPP FTP access and a PHP web shell that downloads and runs the bot.
Related Happenings
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Uphero/hero trojanized 7-Zip installer proxyware activity
Malware Activity
First: 10.02.2026 21:12
Last: 10.02.2026 21:12
Sources 1
About this happening:
A **trojanized 7-Zip installer** is now dropping **Uphero/hero** payloads that turn **Windows hosts** into **residential proxy nodes**, letting attackers route traffic through vic...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Sicarii ransomware per-execution RSA key generation breaks decryption
Malware Activity
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...
Timeline
12.01.2026 12:48 · 3 articles
GoBruteforcer campaign disclosed against crypto and blockchain project databases
Initial Disclosure
GoBruteforcer campaigns are targeting cryptocurrency and blockchain project databases on Linux servers to build a botnet that brute-forces credentials for FTP, MySQL, PostgreSQL, and phpMyAdmin. The observed access path often starts with an internet-exposed FTP service on XAMPP, followed by a PHP web shell upload that downloads and executes an updated IRC bot, while compromised hosts can also host payloads, provide backup C2, and stage a module that queries TRON balances through tronscanapi[.]com to find accounts with non-zero funds.
Sources
- GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials — thehackernews.com — 12.01.2026 12:48
- GoBruteforcer Botnet Targets 50K-plus Linux Servers — www.darkreading.com — 12.01.2026 23:19