
The GoBruteforcer botnet has been discovered to be exploiting a surprisingly current weakness: the widespread reuse of AI-generated server configurations. This increasingly common practice is effectively leaving tens of thousands of systems exposed to automated attacks.
According to a recent report from Check Point Research (CPR), the threat has evolved significantly by 2025, targeting Linux servers hosting common services such as MySQL, FTP, and phpMyAdmin.
Analysts estimate that more than 50,000 Internet-accessible servers may be vulnerable to this new wave, which combines traditional brute-force techniques with sophisticated evasion mechanisms.
GoBruteforcer does not directly use artificial intelligence. However, its success is closely tied to how developers employ Large Language Models (LLMs). Many of these models, trained on public documentation and open source repositories, tend to suggest default configurations with weak or predictable credentials.
Check Point researchers demonstrate this with a concrete example: when asking two different LLMs to generate a Docker configuration for MySQL, both produced almost identical snippets, with default and easily guessable usernames.

This predictability is gold for the botnet’s operators. The credential lists used by GoBruteforcer contain common usernames like appuser, myuser, or appuser1234, allowing attackers to easily bypass the defenses of poorly managed servers.
As CPR points out, the botnet isn’t necessarily deliberately targeting AI-created installations, but the uncontrolled spread of copy-and-pasted configurations makes the attacks much more effective.
The campaign isn’t just about expanding the botnet. The motive is clearly financial. Analysts have observed a targeted interest in databases related to cryptocurrency and blockchain projects.
A veritable arsenal of cryptocurrency theft tools was discovered on one of the compromised systems: TRON scanners, utilities for token sweeping on TRON and BSC, and a file containing approximately 23,000 TRON addresses.
Analysis of on-chain transactions confirmed the worst suspicions: some of the attacks actually resulted in tangible profits for the botnet operators.
First detected in 2023, the 2025 version of GoBruteforcer shows significant technical evolution. The bot’s IRC module, originally written in C, has been completely rewritten in Go and subjected to extensive obfuscation.
The malware now uses process masquerading techniques to disguise itself as system processes. By calling prctl with the PR_SET_NAME operation, the process can assume legitimate names such as init, making it more difficult to detect during superficial inspections.
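A defender-side check for the renaming described above, as an added example that is not from the article or from the CPR report: PR_SET_NAME changes only the short name in /proc/<pid>/comm, while /proc/<pid>/exe still points at the binary that is actually running, so a process called init whose executable is something else stands out. The watched-name set is an assumption to adapt, and the script should run as root so every exe link is readable.

```python
import os

WATCHED = {"init"}   # name cited in the article; extend for your fleet (assumption)
COMM_MAX = 15        # the kernel keeps at most 15 visible characters in comm
DELETED = " (deleted)"

def check(pid, comm, exe, watched=WATCHED):
    """Return a reason string when a watched name does not match its binary."""
    if comm not in watched or pid == 1 or exe is None:
        return None  # not watched, the real init, or exe unreadable/kernel thread
    gone = exe.endswith(DELETED)
    path = exe[:-len(DELETED)] if gone else exe
    if os.path.basename(path)[:COMM_MAX] != comm:
        return f"pid {pid}: comm={comm!r} but exe={path!r}"
    if gone:
        return f"pid {pid}: comm={comm!r} runs from a deleted file {path!r}"
    return None

def scan(root="/proc"):
    """Walk a procfs tree and collect findings from check()."""
    findings = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
        except OSError:
            continue  # process exited during the walk
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, or insufficient privilege
        reason = check(int(entry), comm, exe)
        if reason:
            findings.append(reason)
    return findings

if __name__ == "__main__":
    for line in scan():
        print(line)
```

Treat hits as leads rather than verdicts: a BusyBox-based container whose init is a symlink to busybox, seen from the host, will also match.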
GoBruteforcer doesn’t strike randomly. Its IP address generation system is designed to avoid networks considered “high risk.”
Specifically, the malware integrates a blacklist of 13 /8 blocks historically associated with the U.S. Department of Defense, likely to evade government honeypots and reduce the likelihood of attracting unwanted attention.
Similarly, large cloud providers like AWS are often excluded because they are perceived as highly surveilled environments, with particularly aggressive abuse response teams.
