A coordinated malware campaign is quietly breaking into poorly secured servers linked to cryptocurrency and blockchain projects and turning them into part of a growing botnet. The activity focuses on databases and admin panels that rely on reused or weak credentials which attackers can easily guess and abuse.
Security researchers say the campaign relies on a malware strain known as GoBruteforcer or GoBrut. It is designed to compromise Linux servers and then force its way into services such as FTP, MySQL, PostgreSQL and phpMyAdmin. According to researchers, “The current wave of campaigns is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose FTP and admin interfaces with minimal hardening.” The malware was first documented in March 2023 and later linked to another botnet family in September 2025, showing how different threat groups reuse the same infected infrastructure.
In mid-2025, researchers observed a more advanced version of the Golang-based malware. It includes an obfuscated IRC bot, stronger persistence methods, process masking and rotating credential lists. Many of the usernames and passwords, such as myuser, Abcd@123 or appeaser admin123456, are lifted from tutorials and vendor documents that were later absorbed into large language model training data. Crypto-themed usernames such as cryptouser and crypto, and admin-focused names such as root and wordpress, are also used. As researchers noted, “The attackers reuse a small, stable password pool for each campaign, refresh per-task lists from that pool and rotate usernames and niche additions several times a week to pursue different targets.”
Once attackers gain access, they typically upload a PHP web shell through exposed FTP services on XAMPP servers. The infected systems are then used to brute-force other servers, host malware payloads or act as backup command-and-control nodes. In one case, a compromised host was used to scan TRON blockchain addresses through tronscanapi[.]com to identify wallets with non-zero balances, pointing to direct targeting of blockchain projects. Researchers warned, “GoBruteforcer exemplifies a broader and persistent problem: the combination of exposed infrastructure, weak credentials and increasingly automated tools,” adding that the scale of misconfigured servers keeps the botnet effective.
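The campaign described above, with its rotating credential lists and brute-force attempts against FTP and database services, leaves a recognisable trace in server authentication logs: bursts of failed logins from one source address across several services, using the same tutorial-derived usernames. The following detector is an added example, not code from the article or from the researchers it cites. The log line formats are constructed for illustration, loosely modelled on vsftpd and MySQL error-log style messages and not guaranteed to match any real daemon's output; the username list is the set of names the article itself mentions, and the window and threshold values are assumptions to tune per environment.

```python
"""Brute-force burst detector over constructed FTP and MySQL auth log lines.

Added example, not part of the original article. Log formats below are
constructed (assumed) and will need their regexes adapted to real daemons.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the article reports in the campaign's rotating credential lists.
CAMPAIGN_USERNAMES = {"myuser", "cryptouser", "crypto", "root", "wordpress"}

# Constructed sample log: one noisy source (203.0.113.7) and one benign user.
SAMPLE_LOG = """\
2025-07-01T10:00:01 ftp FAIL LOGIN: Client "203.0.113.7" user "myuser"
2025-07-01T10:00:02 ftp FAIL LOGIN: Client "203.0.113.7" user "cryptouser"
2025-07-01T10:00:02 mysql Access denied for user 'root'@'203.0.113.7' (using password: YES)
2025-07-01T10:00:03 mysql Access denied for user 'wordpress'@'203.0.113.7' (using password: YES)
2025-07-01T10:00:04 ftp FAIL LOGIN: Client "203.0.113.7" user "crypto"
2025-07-01T10:00:05 ftp FAIL LOGIN: Client "203.0.113.7" user "admin"
2025-07-01T10:03:00 ftp FAIL LOGIN: Client "198.51.100.9" user "alice"
2025-07-01T10:03:30 ftp OK LOGIN: Client "198.51.100.9" user "alice"
"""

# Assumed line layout: "<iso timestamp> <service> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\w+) (?P<msg>.*)$")
FTP_FAIL_RE = re.compile(r'FAIL LOGIN: Client "(?P<ip>[\d.]+)" user "(?P<user>[^"]*)"')
MYSQL_FAIL_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[\d.]+)'")


def parse_failures(text):
    """Return (timestamp, service, source_ip, username) for failed logins only."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        hit = FTP_FAIL_RE.search(msg) or MYSQL_FAIL_RE.search(msg)
        if not hit:
            continue  # successful logins and unrelated lines are ignored
        events.append((datetime.fromisoformat(m.group("ts")), m.group("service"),
                       hit.group("ip"), hit.group("user")))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag source IPs with at least `threshold` failures inside any sliding window.

    Returns {ip: {"attempts": total failures, "services": set of services hit,
                  "campaign_users": usernames that overlap the campaign list}}.
    A single host hammering several services with tutorial usernames is the
    pattern the article describes; a lone typo from a real user is not flagged.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start, best = 0, 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "attempts": len(evs),
                "services": {e[1] for e in evs},
                "campaign_users": {e[3] for e in evs} & CAMPAIGN_USERNAMES,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample input only 203.0.113.7 is flagged: six failures in four seconds across FTP and MySQL, five of them using usernames from the campaign list, which is the cross-service signal worth alerting on and worth feeding into a blocklist or fail2ban-style rule. The benign user with one failed attempt followed by a success stays below the threshold.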
Separately, a threat intelligence firm reported large-scale internet scans for misconfigured proxy servers that could expose access to commercial LLM services. One campaign, between October 2025 and January 2026, abused SSRF flaws tied to Ollama and Twilio and may be linked to researchers. Another campaign, starting December 28, 2025, launched 80,469 sessions in eleven days, probing over 73 LLM endpoints linked to major AI providers from just two IP addresses.