GoBruteforcer opportunistic brute-force campaign against Linux servers
Campaign
Summary
The GoBruteforcer botnet is running an opportunistic brute-force campaign against Internet-facing Linux servers, turning weakly protected hosts into new attack nodes and raising the risk of wider compromise. Researchers say the current wave could leave 50,000+ servers vulnerable. The operation abuses weak credentials on FTP, MySQL, PostgreSQL, and phpMyAdmin and is tied to data theft and initial access sales.
Related Happenings
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
VoidLink analysis reveals Kubernetes/Docker checks and modular anti-analysis behavior
Technical Analysis
First: 14.01.2026 00:12
Last: 14.01.2026 00:12
Sources 1
About this happening:
**VoidLink** is a **Linux C2 framework** built for **cloud and container environments**, with **multi-cloud targeting** across **AWS, Google Cloud Platform, Microsoft Azure, Aliba...
VoidLink modular Linux malware framework for cloud and container operations
Malware Activity
First: 13.01.2026 16:31
Last: 13.01.2026 16:31
Sources 1
About this happening:
Researchers uncovered **VoidLink**, a new **Linux malware framework** that expands **C2**, **persistence**, and **post-exploitation** options against **cloud and container environ...
Latest development: 21.01.2026 14:51
Check Point Research concluded that the VoidLink Linux malware targeting Linux-based cloud servers was largely built by AI, likely under the direction of one person, after reviewing exposed planning documents, AI-generated documentation, and the malware's rapid evolution from concept to a working framework in about four weeks rather than the planned 30 weeks.
GoBruteforcer botnet expands against crypto and blockchain project databases
Malware Activity
First: 12.01.2026 12:48
Last: 12.01.2026 12:48
Sources 1
How related:
Although GoBruteforcer was first reported publicly in 2023, Check Point covered a newer variant in its blog post with a more sophisticated feature set and improved obfuscation.
About this happening:
The **GoBruteforcer** botnet has entered a **new wave of attacks** that targets **cryptocurrency and blockchain project databases** and turns **Linux servers** into credential-bru...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware Activity
First: 08.01.2026 19:30
Last: 08.01.2026 19:30
Sources 1
How related:
GoBruteforcer is split into an IRC bot that remotely controls compromised servers and a server bruteforcer capable of scanning public IP ranges to attempt logins.
About this happening:
**GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
Timeline
- 07.01.2026 02:00 · 2 articles · 4mo ago
Check Point details GoBruteforcer on Jan. 7
Initial Disclosure
Check Point Research details GoBruteforcer, a modular botnet that brute-forces weak credentials on Internet-facing Linux servers exposing services such as FTP, MySQL, PostgreSQL, and phpMyAdmin, then turns compromised hosts into nodes that launch further brute-force attacks. The analysis says the latest variant adds improved obfuscation, persistence mechanisms, process-masking tricks, and dynamic credential lists, and estimates that more than 50,000 Internet-facing servers may be vulnerable. Check Point also links the current wave to reused AI-generated server deployment examples, weak defaults, and legacy web stacks such as XAMPP.
Sources:
- GoBruteforcer Botnet Targets 50K-plus Linux Servers — www.darkreading.com — 12.01.2026 23:19