Inside GoBruteforcer: AI-Generated Server Defaults Power Crypto Campaigns
The malware, written in Go, scans for exposed services including phpMyAdmin, MySQL, FTP, Postgres, and SSH. What distinguishes GoBruteforcer is its use of AI-generated credential lists that extend beyond traditional password dictionaries. The lists incorporate service-specific default credentials, commonly used weak passwords, and variations that human-compiled lists typically miss.
Check Point analysis reveals that GoBruteforcer operates as a botnet, with command-and-control infrastructure distributing scanning tasks across compromised nodes. Once a vulnerable server is identified and accessed, the malware deploys cryptocurrency mining software configured to funnel proceeds to attacker-controlled wallets. The campaign has compromised thousands of servers globally, with particular concentration in regions with older infrastructure.
The AI component enables rapid adaptation to new targets. Researchers observed the malware updating its credential lists to incorporate newly discovered default passwords for emerging services and platforms. This adaptive capability significantly increases the threat compared to static brute-force tools that rely on outdated wordlists.
Organizations should audit internet-facing services for default credentials, implement account lockout policies, deploy intrusion detection for brute-force patterns, and monitor for unexpected cryptocurrency mining activity. Check Point recommends blocking known GoBruteforcer infrastructure at the network level and ensuring all services require strong authentication.
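As an added illustration of the brute-force detection recommended above (not code from Check Point or from the article), the following sketch flags source addresses that fail SSH logins against many different usernames in a short window, the pattern a credential list produces. The thresholds, the function name, and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" syslog line (the timestamp carries no year).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, window=timedelta(seconds=60),
                      min_failures=5, min_users=3, year=2024):
    """Return {ip: (peak_failures, peak_distinct_users)} for sources that
    exceed both (assumed) thresholds inside a sliding time window."""
    recent = defaultdict(deque)          # ip -> (timestamp, user) in window
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                     # successes and other lines ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()                  # expire events older than the window
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            prev = alerts.get(m["ip"], (0, 0))
            alerts[m["ip"]] = (max(prev[0], len(q)), max(prev[1], len(users)))
    return alerts

# Constructed sample log lines (documentation-range IPs), not real data.
SAMPLE = [
    f"Jan 12 03:14:{s:02d} web1 sshd[4121]: Failed password for "
    f"{'invalid user ' if u != 'root' else ''}{u} from 203.0.113.7 port 40022 ssh2"
    for s, u in zip((1, 3, 5, 8, 11, 14),
                    ("root", "admin", "mysql", "postgres", "ftpuser", "test"))
] + [
    "Jan 12 03:15:00 web1 sshd[4130]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "Jan 12 03:15:20 web1 sshd[4131]: Failed password for alice from 198.51.100.20 port 51002 ssh2",
    "Jan 12 03:15:41 web1 sshd[4132]: Accepted password for alice from 198.51.100.20 port 51004 ssh2",
] + [
    f"Jan 12 04:0{m}:00 web1 sshd[4200]: Failed password for invalid user u{m} "
    f"from 192.0.2.50 port 42000 ssh2" for m in (0, 2, 4, 6, 8)
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE))
```

The third sample source, which spaces its attempts two minutes apart, is not flagged: per-source windows miss slow or distributed guessing, so pair this with per-account failure counts and lockout.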