Date: 01/08/2026
Severity: High
Summary
GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP. The malware uses a two-stage toolkit—an IRC-based control bot and a separate bruteforcer—to remotely execute commands, harvest weak credentials, steal data, sell access, and expand the botnet. A more advanced 2025 variant, rewritten in Go, introduces heavy obfuscation, stronger persistence, process-masking, and dynamic credential lists, highlighting the growing risk from misconfigured servers, weak passwords, and automation-driven infrastructure abuse.
Indicators of Compromise (IOC) List
URLs/Domains:
fi.warmachine.su
xyz.yuzgebhmwu.ru
pool.breakfastidentity.ru
pandaspandas.pm
my.magicpandas.fun

IP Addresses:
190.14.37.10
93.113.25.114

Hashes (SHA-256):
7423b6424b26c7a32ae2388bc23bef386c30e9a6acad2b63966188cb49c283ad
8fd41cb9d73cb68da89b67e9c28228886b8a4a5858c12d5bb1bffb3c4addca7c
bd219811c81247ae0b6372662da28eab6135ece34716064facd501c45a3f4c0d
b0c6fe570647fdedd72c920bb40621fdb0c55ed217955557ea7c27544186aeec
ab468da7e50e6e73b04b738f636da150d75007f140e468bf75bc95e8592468e5
4fbea12c44f56d5733494455a0426b25db9f8813992948c5fbb28f38c6367446
64e02ffb89ae0083f4414ef8a72e6367bf813701b95e3d316e3dfbdb415562c4
c7886535973fd9911f8979355eae5f5abef29a89039c179842385cc574dfa166
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URLs/Domains):
domainname like "fi.warmachine.su" or siteurl like "fi.warmachine.su" or url like "fi.warmachine.su" or domainname like "pool.breakfastidentity.ru" or siteurl like "pool.breakfastidentity.ru" or url like "pool.breakfastidentity.ru" or domainname like "xyz.yuzgebhmwu.ru" or siteurl like "xyz.yuzgebhmwu.ru" or url like "xyz.yuzgebhmwu.ru" or domainname like "pandaspandas.pm" or siteurl like "pandaspandas.pm" or url like "pandaspandas.pm" or domainname like "my.magicpandas.fun" or siteurl like "my.magicpandas.fun" or url like "my.magicpandas.fun"

Detection Query 2 (IP Addresses):
dstipaddress IN ("190.14.37.10","93.113.25.114") or srcipaddress IN ("190.14.37.10","93.113.25.114")

Detection Query 3 (Hashes):
sha256hash IN ("7423b6424b26c7a32ae2388bc23bef386c30e9a6acad2b63966188cb49c283ad","4fbea12c44f56d5733494455a0426b25db9f8813992948c5fbb28f38c6367446","8fd41cb9d73cb68da89b67e9c28228886b8a4a5858c12d5bb1bffb3c4addca7c","bd219811c81247ae0b6372662da28eab6135ece34716064facd501c45a3f4c0d","b0c6fe570647fdedd72c920bb40621fdb0c55ed217955557ea7c27544186aeec","ab468da7e50e6e73b04b738f636da150d75007f140e468bf75bc95e8592468e5","64e02ffb89ae0083f4414ef8a72e6367bf813701b95e3d316e3dfbdb415562c4","c7886535973fd9911f8979355eae5f5abef29a89039c179842385cc574dfa166")
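The three detection queries above, re-implemented in Python as an added example (this is not the advisory's or Gurucul's code) so the IOC matching can be exercised offline against JSON log records. The record field names follow the query text; the sample records are constructed for the demo, and treating the `like` clauses as case-insensitive substring matches is an assumption about the query language.

```python
"""Offline matcher for the GoBruteforcer IOCs listed in this advisory.

Added example: mirrors Detection Queries 1-3 over JSON-lines records.
Field names (domainname, siteurl, url, srcipaddress, dstipaddress,
sha256hash) follow the query text above.
"""
import json

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = {
    "fi.warmachine.su",
    "xyz.yuzgebhmwu.ru",
    "pool.breakfastidentity.ru",
    "pandaspandas.pm",
    "my.magicpandas.fun",
}
IOC_IPS = {"190.14.37.10", "93.113.25.114"}
IOC_SHA256 = {
    "7423b6424b26c7a32ae2388bc23bef386c30e9a6acad2b63966188cb49c283ad",
    "8fd41cb9d73cb68da89b67e9c28228886b8a4a5858c12d5bb1bffb3c4addca7c",
    "bd219811c81247ae0b6372662da28eab6135ece34716064facd501c45a3f4c0d",
    "b0c6fe570647fdedd72c920bb40621fdb0c55ed217955557ea7c27544186aeec",
    "ab468da7e50e6e73b04b738f636da150d75007f140e468bf75bc95e8592468e5",
    "4fbea12c44f56d5733494455a0426b25db9f8813992948c5fbb28f38c6367446",
    "64e02ffb89ae0083f4414ef8a72e6367bf813701b95e3d316e3dfbdb415562c4",
    "c7886535973fd9911f8979355eae5f5abef29a89039c179842385cc574dfa166",
}

DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def match_domain(record):
    """Query 1: any of domainname/siteurl/url contains an IOC domain.
    Assumes `like` means case-insensitive substring match."""
    hits = set()
    for field in DOMAIN_FIELDS:
        value = str(record.get(field, "")).lower()
        for dom in IOC_DOMAINS:
            if dom in value:
                hits.add(dom)
    return hits


def match_ip(record):
    """Query 2: source or destination IP is in the IOC set (exact match)."""
    return {record[f] for f in IP_FIELDS if record.get(f) in IOC_IPS}


def match_hash(record):
    """Query 3: sha256hash is in the IOC set; hashes are compared lowercase
    so tools that emit upper-case hex still match."""
    digest = str(record.get("sha256hash", "")).lower()
    return {digest} if digest in IOC_SHA256 else set()


def scan(records):
    """Run all three queries; return (query_id, record_index, indicator) hits."""
    alerts = []
    for idx, rec in enumerate(records):
        for qid, fn in ((1, match_domain), (2, match_ip), (3, match_hash)):
            for indicator in sorted(fn(rec)):
                alerts.append((qid, idx, indicator))
    return alerts


# Constructed sample records (JSON lines); not real telemetry.
SAMPLE_LOGS = """\
{"srcipaddress": "10.0.0.5", "dstipaddress": "190.14.37.10", "url": "http://fi.warmachine.su/x"}
{"srcipaddress": "10.0.0.7", "dstipaddress": "203.0.113.9", "domainname": "update.example.org"}
{"srcipaddress": "10.0.0.8", "sha256hash": "7423B6424B26C7A32AE2388BC23BEF386C30E9A6ACAD2B63966188CB49C283AD"}
{"srcipaddress": "93.113.25.114", "dstipaddress": "10.0.0.9", "siteurl": "My.MagicPandas.fun"}
"""


def parse_jsonl(text):
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    """Scan the constructed sample and return the alert list."""
    return scan(parse_jsonl(SAMPLE_LOGS))


if __name__ == "__main__":
    for qid, idx, indicator in demo():
        print(f"query {qid} hit on record {idx}: {indicator}")
```

Record 1 (an unrelated domain and IP) produces no alert, while the upper-case hash and mixed-case hostname in records 2 and 3 still match because both are normalised before comparison; a production rule should normalise the same way so case variation in log sources does not cause misses.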
Reference:
https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/