A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain projects by exploiting weak credentials found in AI-generated code and legacy web stacks. This sophisticated botnet co-opts Linux servers to scan for vulnerable services and perform financial reconnaissance on blockchain addresses.
The GoBruteforcer malware, also known as GoBrut, has evolved into a more sophisticated threat that targets Unix-like platforms across various architectures. Recent analysis reveals that the latest version includes heavily obfuscated components, improved persistence mechanisms, and process-masking techniques to avoid detection. The botnet operates by deploying an IRC-based command and control structure alongside web shells, allowing attackers to remotely manage infected hosts. These compromised systems are then used to either expand the botnet through brute-force attacks on services like MySQL and PostgreSQL or to act as distribution points for further malware payloads.
A significant driver of this campaign's success is the widespread use of default credentials and weak configurations. Research indicates that many of the targeted usernames and passwords are derived from common database tutorials and documentation used to train large language models. Consequently, when developers use AI-generated code snippets for server deployment, they inadvertently propagate insecure defaults. Additionally, legacy web stacks such as XAMPP remain a primary target because they often expose sensitive admin interfaces and FTP services with minimal hardening, providing an easy entry point for the initial infection.
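A pre-deployment check for the insecure defaults described above, added here as an illustration (it is not code from the source article or the researchers). The placeholder list is a constructed sample and the 12-character minimum is an assumed policy; the variable names are the ones read by the official mysql and postgres Docker images.

```python
import re

# Assumption: constructed sample of tutorial-style values, not the botnet's wordlist.
PLACEHOLDERS = {"password", "changeme", "example", "secret", "admin", "test", "123456"}
# Variables read by the official mysql and postgres Docker images.
PASSWORD_KEYS = ("MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD", "POSTGRES_PASSWORD")
# Matches "KEY=value", "- KEY=value" and "KEY: value" (.env and compose styles).
ASSIGN = re.compile(r"^\s*-?\s*([A-Z][A-Z0-9_]*)\s*[:=]\s*[\"']?([^\"'#\s]*)")

def parse_assignments(text):
    matches = (ASSIGN.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def account_for(key, env):
    if key == "MYSQL_ROOT_PASSWORD":
        return "root"
    if key == "MYSQL_PASSWORD":
        return env.get("MYSQL_USER", "")
    return env.get("POSTGRES_USER", "postgres")  # image default superuser

def audit(text, min_length=12):  # min_length is an assumed policy value
    """Return (variable, account, reason) for each weak database password."""
    env, findings = parse_assignments(text), []
    for key in PASSWORD_KEYS:
        if key not in env or env[key].startswith("${"):
            continue  # absent, or injected from the environment at deploy time
        value, user = env[key], account_for(key, env)
        if not value or value.lower() in PLACEHOLDERS:
            reason = "empty or tutorial placeholder"
        elif user and value.lower() == user.lower():
            reason = "same as username"
        elif len(value) < min_length:
            reason = "shorter than %d characters" % min_length
        else:
            continue
        findings.append((key, user, reason))
    return findings

# Constructed compose fragment for demonstration.
SAMPLE = """
environment:
  MYSQL_ROOT_PASSWORD: password
  MYSQL_USER: appuser
  MYSQL_PASSWORD: appuser
  POSTGRES_PASSWORD: ${PG_PASSWORD}
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over compose and `.env` files in CI so a copied tutorial default fails the build before the database is ever reachable.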
Once a server is compromised, the attackers utilize it for specialized tasks, including scanning the internet for other vulnerable hosts or hosting backup command-and-control infrastructure. A notable recent development in this campaign is the inclusion of a module designed specifically to iterate through TRON blockchain addresses. By querying an API to identify accounts with non-zero balances, the threat actors demonstrate a clear intent to move beyond simple resource hijacking toward direct financial theft from blockchain projects and cryptocurrency users.
Parallel to these attacks, there has been a massive increase in automated reconnaissance targeting large language model services. Security researchers have identified high-volume scanning efforts aimed at finding misconfigured proxy servers that might leak access to commercial APIs from providers like OpenAI and Anthropic. Some of these campaigns use server-side request forgery (SSRF) vulnerabilities to abuse model-pull functionality. This suggests that while one group of attackers is exploiting AI-generated output, another is actively hunting for ways to hijack the AI infrastructure itself.
Ultimately, GoBruteforcer highlights a persistent security gap created by the combination of exposed infrastructure and increasingly automated exploitation tools. While the botnet's technical foundation is relatively straightforward, it thrives on the vast number of misconfigured services that remain online. The move toward targeting blockchain assets and exploiting credentials that echo AI training data marks a shift in how botnet operators choose and exploit their targets.
Source: GoBruteforcer Botnet Targets Crypto Project Databases Using Weak Credentials


