3 min read
Saved February 14, 2026
Do you care about this?
GoBruteforcer is a botnet that attacks cryptocurrency databases by brute-forcing user passwords for various services. Its operators exploit weak credentials and misconfigured servers to expand their reach, relying on lists of common usernames and on persistent malware infrastructure. Recent activity also includes attempts to identify blockchain accounts that hold funds.
If you do, here's more
GoBruteforcer is a new botnet targeting databases of cryptocurrency and blockchain projects. It aims to brute-force user passwords for services like FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. The surge in these attacks stems from two main issues: the widespread use of AI-generated server examples that rely on common usernames and weak defaults, and the prevalence of legacy web stacks like XAMPP, which leave FTP and admin interfaces inadequately secured.
First documented by Palo Alto Networks in March 2023, GoBruteforcer can infect Unix-like platforms across various architectures. The botnet deploys an IRC bot and a web shell for remote access while also fetching brute-force modules to scan for vulnerable systems. A report from Lumen Technologies in September 2025 revealed that infected bots were linked to another malware family, SystemBC. Check Point identified a more advanced version of the malware in mid-2025, which features an obfuscated IRC bot, improved persistence mechanisms, and a dynamic credential list utilizing common usernames and passwords often found in tutorials.
The attack patterns include using exposed FTP services on XAMPP servers to upload PHP web shells, which then download the IRC bot. Once a host is compromised, it can run brute-force attempts, serve payloads to other systems, or act as a backup command-and-control server. Notably, compromised hosts have been used to query TRON blockchain addresses for non-zero balances, which points to a focus on blockchain projects. Check Point highlights the broader issue of misconfigured services and weak credentials, which continue to make these attacks possible.
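Defender-side detection for the brute-force pattern described above, added here as an example and not taken from the article or from any vendor report: it parses constructed PostgreSQL and FTP authentication-failure lines (a simplified format of my own, not real vendor log syntax) and flags source addresses that exceed a failure threshold inside a sliding window, counting across services and listing the usernames tried so that spraying with tutorial-style defaults stands out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): a simplified syslog-style format
# carrying PostgreSQL and FTP authentication failures. Timestamps, usernames
# and addresses are made up for this example.
SAMPLE_LOG = """\
2026-02-14T10:00:01 pg FATAL: password authentication failed for user "postgres" host=203.0.113.5
2026-02-14T10:00:02 pg FATAL: password authentication failed for user "admin" host=203.0.113.5
2026-02-14T10:00:02 pg FATAL: password authentication failed for user "root" host=203.0.113.5
2026-02-14T10:00:03 pg FATAL: password authentication failed for user "test" host=203.0.113.5
2026-02-14T10:00:05 ftp FAIL LOGIN: Client "203.0.113.5" user "admin"
2026-02-14T10:00:06 ftp FAIL LOGIN: Client "203.0.113.5" user "ftp"
2026-02-14T10:03:10 pg FATAL: password authentication failed for user "alice" host=198.51.100.7
2026-02-14T10:09:30 pg FATAL: password authentication failed for user "alice" host=198.51.100.7
"""

FAIL_RE = re.compile(r'^(?P<ts>\S+) (?P<svc>\w+) .*?(?:password authentication failed|FAIL LOGIN)')
USER_RE = re.compile(r'user "(?P<user>[^"]+)"')
IP_RE = re.compile(r'(?:host=|Client ")(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')


def parse_failures(text):
    """Return sorted (timestamp, service, user, ip) tuples for recognised auth failures."""
    events = []
    for line in text.splitlines():
        m, u, i = FAIL_RE.match(line), USER_RE.search(line), IP_RE.search(line)
        if m and u and i:
            events.append((datetime.fromisoformat(m["ts"]), m["svc"], u["user"], i["ip"]))
    return sorted(events)


def detect_bruteforce(events, window_s=60, threshold=5):
    """Flag source IPs with >= threshold failures inside any window_s-second span."""
    # Failures are counted across services on purpose: the article describes one
    # bot working through FTP, MySQL, PostgreSQL and phpMyAdmin on the same host.
    recent = defaultdict(deque)   # ip -> failure timestamps inside the current window
    peak = defaultdict(int)       # ip -> most failures observed in a single window
    tried = defaultdict(lambda: {"users": set(), "services": set()})
    for ts, svc, user, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        tried[ip]["users"].add(user)
        tried[ip]["services"].add(svc)
    return {ip: {"peak": peak[ip],
                 "users": sorted(tried[ip]["users"]),        # many users = spraying
                 "services": sorted(tried[ip]["services"])}
            for ip in peak if peak[ip] >= threshold}
```

Running `detect_bruteforce(parse_failures(SAMPLE_LOG))` flags only 203.0.113.5, whose six failures across two services and five usernames land inside one minute, while the two spaced-out failures from 198.51.100.7 stay below the threshold.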
In parallel, GreyNoise reported that threat actors are scanning the internet for misconfigured proxy servers that could grant access to commercial Large Language Model (LLM) services. Two campaigns have emerged: one exploiting server-side request forgery vulnerabilities targeting model pull functionalities and Twilio integrations, and another focused on identifying exposed LLM endpoints associated with major players like Google and OpenAI. Over 80,000 sessions were generated in just eleven days, underscoring the systematic reconnaissance efforts to find vulnerable API access points.