A sophisticated new variant of the GoBruteforcer botnet is on the loose, and it’s capitalizing on a thoroughly modern problem: the “mass reuse of AI-generated server deployment examples” that leave thousands of systems wide open to attack.
A new report from Check Point Research (CPR) details the 2025 evolution of this modular threat, which targets Linux servers running common services like MySQL, FTP, and phpMyAdmin. The researchers estimate that “more than 50,000 Internet-facing servers may be vulnerable” to this latest wave, which combines old-school brute-forcing with new-school evasion tactics.
While GoBruteforcer itself isn’t AI-powered, its success is fueled by the habits of developers using AI tools. The report highlights that Large Language Models (LLMs) trained on public documentation often regurgitate configuration snippets with weak defaults.
“We asked two mainstream LLMs to help us create a MySQL instance in Docker. Both produced near-identical snippets with stock username patterns,” the researchers noted.
Attackers know this. The botnet’s credential lists are packed with these exact “stock” usernames—like appuser, myuser, and appuser1234—allowing them to breeze past security on servers deployed by inexperienced or rushed administrators. “Although we do not think that GoBruteforcer specifically targets AI-assisted server installations, the widespread use of LLMs may help the botnet’s attacks become more successful.”
The campaign isn’t just about resource hijacking; it’s financially motivated. CPR observed the botnet specifically targeting databases of crypto and blockchain projects.
On one compromised host, investigators found a treasure trove of theft tools: “a TRON balance scanner and TRON and BSC ‘token-sweep’ utilities, together with a file containing ~23,000 TRON addresses.”
Blockchain analysis confirmed the worst: “On-chain transaction analysis involving the botnet operators’ recipient wallets shows that at least some of these financially motivated attacks were successful.”
First spotted in 2023, the 2025 variant of GoBruteforcer has received a major under-the-hood upgrade. The IRC bot module, previously written in C, has been “rewritten entirely in Go” and heavily obfuscated.
It now employs clever process-masking tricks to hide in plain sight. “To change the short process name, the malware calls prctl with the PR_SET_NAME operation,” masking itself as a legitimate system process like init to fool administrators glancing at their task managers.
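A host-side check for this masking trick, added here as an example and not code from the CPR report: prctl(PR_SET_NAME) only rewrites the 15-character comm field that top shows, while /proc/&lt;pid&gt;/exe still resolves to the real binary, so a disagreement between the two is worth a look. TRUSTED_PREFIXES and the constructed ProcInfo values are assumptions for this example.

```python
import os
from dataclasses import dataclass

TASK_COMM_LEN = 16  # kernel limit: comm holds at most 15 characters
# Assumed "system" locations for this example; tune to the host's package layout.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")

@dataclass
class ProcInfo:
    pid: int
    comm: str  # /proc/<pid>/comm, the name PR_SET_NAME rewrites (what top shows)
    exe: str   # target of the /proc/<pid>/exe symlink, "" when unreadable

def comm_mismatch(info: ProcInfo) -> bool:
    """True when comm disagrees with the binary mapped as exe: prctl(PR_SET_NAME)
    only rewrites comm, /proc/<pid>/exe still resolves to the real file. Symlinked
    interpreters (sh -> dash) mismatch too, so this alone is a hint, not a verdict."""
    if not info.exe:
        return False  # kernel thread, or not permitted to read this exe link
    exe_base = os.path.basename(info.exe.removesuffix(" (deleted)"))
    return info.comm != exe_base[: TASK_COMM_LEN - 1]  # comm is truncated

def is_suspicious(info: ProcInfo) -> bool:
    """Mismatch plus a binary outside system paths, or one already unlinked."""
    if not comm_mismatch(info):
        return False
    return info.exe.endswith(" (deleted)") or not info.exe.startswith(TRUSTED_PREFIXES)

def read_proc(pid: str) -> ProcInfo:
    with open(f"/proc/{pid}/comm") as f:
        comm = f.read().strip()
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = ""
    return ProcInfo(int(pid), comm, exe)

def scan_proc() -> list[ProcInfo]:
    """Walk the live /proc tree (run as root to see every exe link)."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if is_suspicious(p := read_proc(pid)):
                found.append(p)
        except OSError:
            pass  # process exited between listdir and read
    return found
```

Run scan_proc() on a live host to list the hits; comm_mismatch and is_suspicious can also be fed records from a collected process inventory.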
The botnet is also surprisingly selective about its targets. It employs an “intelligent” IP generation system that filters out dangerous neighborhoods.
“A notable feature is a built-in blacklist of 13 specific /8 blocks historically associated with the U.S. Department of Defense (DoD)… By skipping them, the bot avoids drawing unnecessary attention and likely sidesteps government-run honeypots.”
It similarly avoids major cloud provider ranges like AWS, deeming them “low-priority or high-risk” due to their aggressive abuse response teams.
GoBruteforcer serves as a stark reminder that advanced exploits aren’t always necessary when basic hygiene fails.
“GoBruteforcer is a perfect example of how threat actors use ‘low hanging fruit’ such as seemingly unsophisticated tactics… to compromise large numbers of internet-facing systems with relatively little effort.”
Organizations are urged to look beyond the default configurations provided by AI assistants and ensure their internet-facing services are locked down with robust authentication.