New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP and Postgres servers

Researchers at Palo Alto Networks’s Unit 42 have discovered a new Go-based malware strain that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres services.

Dubbed “GoBruteforcer,” the malware uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.

“For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords),” according to Unit 42’s report.

The researchers were not able to identify the initial vector of the GoBruteforcer and PHP web shell campaign. They believe that GoBruteforcer is still under active development, meaning that initial infection vectors or payloads could change in the near future.

For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.

“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target,” the research team explains.
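Seen from the defender's side, the CIDR sweep with hard-coded credentials described above shows up as one source failing logins on several hosts and several services within a short time. The following Python detection is an added example, not code from Unit 42 or from this article; the normalized event format, the watched network 10.0.5.0/24, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real logs): time, source, target, service, outcome.
SAMPLE_EVENTS = """\
2023-03-10T01:00:00 192.0.2.44 10.0.5.10 mysql fail
2023-03-10T02:00:01 203.0.113.7 10.0.5.10 ftp fail
2023-03-10T02:00:03 203.0.113.7 10.0.5.10 mysql fail
2023-03-10T02:00:05 203.0.113.7 10.0.5.11 ftp fail
2023-03-10T02:00:09 203.0.113.7 10.0.5.12 postgres fail
2023-03-10T02:00:12 203.0.113.7 10.0.5.12 phpmyadmin fail
2023-03-10T02:00:15 203.0.113.7 10.0.5.13 mysql ok
2023-03-10T02:01:00 198.51.100.20 10.0.5.10 ftp fail
2023-03-10T02:01:40 198.51.100.20 10.0.5.10 ftp ok
2023-03-10T03:00:00 192.0.2.44 10.0.5.11 mysql fail
2023-03-10T05:00:00 192.0.2.44 10.0.5.12 ftp fail
"""

def find_sweeps(text, watched_net="10.0.5.0/24", window=timedelta(minutes=10),
                min_hosts=3, min_services=2):
    """Flag sources whose failed logins span several hosts and services in one window."""
    net = ip_network(watched_net)
    by_src = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ts, src, dst, service, outcome = line.split()
        if ip_address(dst) in net:
            by_src[src].append((datetime.fromisoformat(ts), dst, service, outcome))
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if e[3] == "fail"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            span = fails[start:end + 1]
            hosts = {e[1] for e in span}
            services = {e[2] for e in span}
            if len(hosts) >= min_hosts and len(services) >= min_services:
                # Successful logins once the sweep has begun are the urgent part.
                hits = [(e[1], e[2]) for e in events if e[3] == "ok" and e[0] >= fails[start][0]]
                findings[src] = {"hosts": sorted(hosts), "services": sorted(services),
                                 "successful_logins": hits}
                break
    return findings

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_EVENTS))
```

A single user mistyping a password on one host (198.51.100.20 in the sample) stays below both thresholds, while failures spread over hours (192.0.2.44) only surface if the window is widened.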

Once the target server is compromised, GoBruteforcer deploys an IRC bot containing the attacker’s URL and attempts to query the victim system using a PHP web shell already deployed on the server.

“Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization,” the researchers said. “Malware like GoBruteforcer takes advantage of weak (or default) passwords. The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network.”
