A botnet known as GoBruteforcer is targeting poorly secured servers in attacks linked to cryptocurrency theft, according to Check Point. The company said the malware is being used to compromise exposed Linux systems through brute force password guessing, then reuse those machines to expand the botnet and support further intrusions.

Check Point said GoBruteforcer scans the internet for publicly accessible services that are commonly misconfigured or protected with weak credentials. These include database and administration tools and other server services that can be reached remotely. Once a target is identified, the botnet attempts repeated login combinations until it gains access. Compromised systems are then used as additional nodes to conduct scanning and brute force activity against new targets.

The malware is written in the Go programming language and is designed to run across a range of Linux environments. Check Point said the operators focus on systems where basic security controls have not been applied, such as unchanged default passwords, weak password policies, and unnecessary services exposed to the internet. The botnet’s success depends on predictable credentials and open access to management interfaces.

After gaining access, GoBruteforcer can install additional components and maintain persistence, allowing the attackers to retain control over the server. Check Point said the campaign is linked to activity aimed at identifying and accessing crypto-related infrastructure, including services that may store wallet information or provide pathways to transfer digital assets. The company said the attacks can lead to unauthorised transactions if wallet credentials or access keys are obtained.

The botnet’s activity also increases risk beyond the immediate target. Servers that are compromised may be used as part of a wider network to launch new attacks, hide the origin of malicious traffic, and increase the scale of brute force attempts. Check Point said this can make detection more difficult for defenders, particularly when the infected systems are legitimate servers that continue to operate normally.

The campaign highlights how basic security weaknesses remain a common entry point for cybercrime. Check Point said organisations can reduce exposure by disabling unnecessary public-facing services, restricting administrative access, enforcing strong and unique passwords, and monitoring for repeated login failures. Regular patching and review of exposed services are also important for limiting opportunities for automated attacks.
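As an added illustration of the "monitoring for repeated login failures" advice (example code written for this page, not taken from Check Point's report), the sketch below flags failure bursts from one source, guessing against one account spread across several sources as a botnet would produce, and any successful login that follows either pattern. The event format, service labels, thresholds and addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the Check Point report.
# Assumed normalized format: ISO time, service, source IP, account, outcome.
SAMPLE = """\
2025-01-01T10:00:00 db 203.0.113.5 root FAIL
2025-01-01T10:00:02 db 203.0.113.5 root FAIL
2025-01-01T10:00:04 db 203.0.113.5 root FAIL
2025-01-01T10:00:06 db 203.0.113.5 root FAIL
2025-01-01T10:00:08 db 203.0.113.5 root FAIL
2025-01-01T10:00:10 db 203.0.113.5 root OK
2025-01-01T10:01:00 panel 198.51.100.1 admin FAIL
2025-01-01T10:02:00 panel 198.51.100.2 admin FAIL
2025-01-01T10:03:00 panel 198.51.100.3 admin FAIL
2025-01-01T10:04:00 panel 192.0.2.10 alice FAIL
2025-01-01T10:04:30 panel 192.0.2.10 alice OK
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
SRC_FAILS = 5                  # assumed: failures from one source in WINDOW
ACCT_SRCS = 3                  # assumed: distinct sources failing on one account

def detect(text):
    """Return a set of (rule, subject) alerts for the given event lines."""
    rows = [l.split() for l in text.splitlines()]
    by_src = defaultdict(list)   # source IP -> recent failure times
    by_acct = defaultdict(list)  # (service, account) -> recent (time, source IP)
    alerts = set()
    for ts, svc, ip, user, res in sorted(r for r in rows if len(r) == 5):
        now, key = datetime.fromisoformat(ts), (svc, user)
        by_src[ip] = [t for t in by_src[ip] if t >= now - WINDOW]
        by_acct[key] = [(t, s) for t, s in by_acct[key] if t >= now - WINDOW]
        if res == "FAIL":
            by_src[ip].append(now)
            by_acct[key].append((now, ip))
        noisy_src = len(by_src[ip]) >= SRC_FAILS
        spread = len({s for _, s in by_acct[key]}) >= ACCT_SRCS
        if res == "FAIL" and noisy_src:
            alerts.add(("single_source_bruteforce", ip))
        if res == "FAIL" and spread:
            alerts.add(("distributed_guessing", f"{svc}/{user}"))
        if res == "OK" and (noisy_src or spread):
            # A login that follows a guessing burst is the event to triage first.
            alerts.add(("success_after_failures", ip))
    return alerts

if __name__ == "__main__":
    for rule, subject in sorted(detect(SAMPLE)):
        print(rule, subject)
```

The per-account rule matters because per-source thresholds alone miss guessing that is spread thinly across many infected hosts.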

Check Point said GoBruteforcer reflects a broader pattern of attackers focusing on infrastructure that is easy to compromise and capable of supporting further malicious activity. The company said the botnet remains active and continues to search for vulnerable systems.
