The AI Default Trap: GoBruteforcer Botnet Hijacks 50K Servers via LLM Templates
Security researchers have documented a nascent surge in offensives orchestrated by the GoBruteforcer botnet, specifically targeting the infrastructure of cryptocurrency and blockchain enterprises. The primary casualties of this campaign are internet-exposed databases and administrative interfaces, many of which appear to have been configured using boilerplate templates generated by artificial intelligence.
GoBruteforcer (or GoBrut) is a Go-based botnet meticulously engineered to perform credential-stuffing attacks against publicly accessible services, including FTP, MySQL, PostgreSQL, and phpMyAdmin. Leveraging a network of compromised Linux servers, the malware scans arbitrary IP ranges to propagate its malicious footprint via brute-force incursions.
According to assessments by Check Point, upwards of 50,000 servers currently reside in a state of vulnerability to these maneuvers. Frequently, the initial point of ingress is an FTP service bundled within XAMPP installations, which often retain default configurations and rudimentary credentials if the administrator fails to implement rigorous security hardening.
Upon securing access to an FTP service under generic accounts—such as daemon or nobody—adversaries typically deploy a web shell into the site’s directory. A similar outcome is often achieved through misconfigured MySQL servers or vulnerable phpMyAdmin consoles. Once established, the infection chain culminates in the deployment of a loader, an IRC bot, and finally, the brute-force module itself.
The active phase of the incursion commences after a deliberate latency of 10 to 400 seconds. On x86_64 architectures, the malware initiates up to 95 parallel threads that scan public IPv4 ranges while scrupulously avoiding private networks, AWS cloud infrastructure, and governmental digital assets. Each thread systematically attempts to authenticate against target services using a hardcoded registry of 22 credential pairs—combinations that align perfectly with the default accounts prevalent in hosting environments like XAMPP.
A salient observation in the Check Point report is that the latest GoBruteforcer campaigns are fueled by the widespread adoption of configuration templates authored by Large Language Models (LLMs). These AI-generated examples frequently feature predictable usernames such as appuser, myuser, or operator. When these placeholders find their way into production Docker and DevOps environments, they provide a streamlined path for automated brute-force attacks.
Furthermore, legacy server bundles like XAMPP, which continue to ship with open FTP ports and standard credentials, remain a significant liability. Such installations grant attackers direct access to the webroot, facilitating the unimpeded hosting of malicious payloads.
In one analyzed instance, a compromised server was repurposed for the automated exfiltration of digital assets. Researchers discovered tools designed to scan wallets on the TRON and Binance Smart Chain networks. Utilizing a database of approximately 23,000 TRON addresses, the attackers employed automated scripts to identify and subsequently drain wallets with non-zero balances.
System administrators are urged to transcend the blind replication of AI-generated deployment instructions. It is imperative to utilize non-standard usernames and complex, unique passphrases. Moreover, organizations should audit the internet visibility of FTP, phpMyAdmin, and database services, while considering the replacement of antiquated stacks like XAMPP with modern, security-centric alternatives.
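One practical way to act on that advice is to check deployment files for the placeholder credentials before they reach production. The following Python checker is an added example, not code from the article or from Check Point: it reads a `.env` file or the list form of a docker-compose `environment:` section and flags the placeholder usernames the article cites (appuser, myuser, operator, plus daemon and nobody) and weak or short passwords. The weak-password list and the 16-character minimum are assumptions; the compose fragment is constructed.

```python
# Added example (not from the article or Check Point): flag placeholder
# credentials in .env / compose files. Lists below are assumptions seeded
# with the usernames the article cites (appuser, myuser, operator).
PLACEHOLDER_USERS = {"appuser", "myuser", "operator", "daemon", "nobody",
                     "root", "admin"}
WEAK_PASSWORDS = {"", "password", "changeme", "secret", "admin",
                  "123456", "mypassword", "root"}
USER_SUFFIXES = ("USER", "USERNAME")
PASS_SUFFIXES = ("PASSWORD", "PASS", "PWD")

def parse_env_pairs(text):
    """Collect KEY=VALUE pairs from a .env file or from the list form of a
    compose 'environment:' section ('- KEY=VALUE'). Surrounding quotes go."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):          # compose list item
            line = line[2:].strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                       # comments, 'services:' etc.
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("\"'")
    return pairs

def audit_credentials(text, min_password_len=16):
    """Return (key, reason) findings for placeholder users and weak passwords."""
    findings = []
    for key, value in parse_env_pairs(text).items():
        if key.endswith(USER_SUFFIXES) and value.lower() in PLACEHOLDER_USERS:
            findings.append((key, "placeholder username"))
        elif key.endswith(PASS_SUFFIXES):
            if value.lower() in WEAK_PASSWORDS:
                findings.append((key, "weak/default password"))
            elif len(value) < min_password_len:
                findings.append((key, "short password"))
    return findings

# Constructed compose fragment resembling an LLM-generated template.
SAMPLE_COMPOSE = """\
services:
  db:
    environment:
      - MYSQL_USER=appuser
      - MYSQL_PASSWORD=changeme
      - MYSQL_ROOT_PASSWORD=v7Rq2mLp9sX4tW1zHb
      - DB_HOST=db
"""
if __name__ == "__main__":
    print(audit_credentials(SAMPLE_COMPOSE))
```

Run it against each compose or `.env` file in a repository as a pre-commit or CI step so that a template's defaults are caught before the service is exposed.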