Malware known as GoBruteforcer targets Postgres, MySQL, phpMyAdmin, and FTP (30th March 2023)

Ref# AL2023_23 | Date: Mar 30th 2023


A recently found Golang-based botnet malware searches for and attacks web servers running the phpMyAdmin, MySQL, FTP, and Postgres services. The malware operates with the ARM, x86, and x64 architectures. 


GoBruteforcer will attempt to break into insecure *nix devices by brute forcing accounts with weak or default passwords. The Malware needs specific conditions, such as the use of particular arguments and the installation of targeted services (with weak passwords), on the victims system in order to be successfully executed, according to the researchers.  

The malware begins searching for the phpMyAdmin, MySQL, FTP, and Postgres services for each targeted IP address. It will try to log in with hard-coded credentials once it discovers an open port that allows connections. Once inside, it launches a PHP web shell on servers hosting other targeted services or an IRC bot on compromised phpMyAdmin systems.  

GoBruteforcer will connect to its command-and-control server in the subsequent phase of the attack and wait for commands to be sent by the previously installed IRC bot or web shell. The botnet has a wide range of targets to infiltrate networks since it uses a multiscan module to discover potential victims within a Classless Inter-Domain Routing (CIDR). GoBruteforcer selects a CIDR block and will target all IP addresses within that range before searching for IP addresses to attack.  

The malware expands the scope of the assault by using CIDR block scanning to gain access to a wide variety of hosts on numerous IP addresses rather than focusing on a single IP address. GoBruteforcer is probably still in active development, and its developers anticipate that its users will modify their strategies and the malware”s capacity to target web servers while evading security measures. GoBruteforcer is still under development, thus things like the initial infection vectors or payloads might change soon. 

Indicators of Compromise 

Below are IOCS for the GoBruteforcer malware. 



Web shell 


Web shell 


Older version of GoBruteforcer 


IRC bot(x86) 


IRC bot(ARM) 


GoBruteforcer (x86_64) 


GoBruteforcer (x86_64) 


GoBruteforcer (x86_64) 


GoBruteforcer (x86_64) 


GoBruteforcer ARM(64-bit) 


GoBruteforcer ARM(64-bit) 


GoBruteforcer ARM(32-bit) 


GoBruteforcer (x86) 

URL and IP 

  • 5.253[.]84[.]159/x 

  • fi[.]warmachine[.]su 


The Guyana National CIRT urges the public to keep an eye out for and alert on these and any related IoCs. Moreover, we suggest that you: 

  • Normal education, awareness training, and phishing simulations rarely take into mind web browser cleanliness and MFA fatigue. Any lessons learned ought to be used and communicated.   

  • Prioritize and stop any indications connected to threat actors or attacks, by scanning for IOCs on your network. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: GoBruteforcer targets Postgres, MySQL, phpMyAdmin and FTP.pdf