{
	"id": "7ee779db-4110-4ecc-858a-d49dd6795cf8",
	"created_at": "2026-04-06T01:31:37.355798Z",
	"updated_at": "2026-04-10T13:11:45.768381Z",
	"deleted_at": null,
	"sha1_hash": "ecab38e54a9ff8a7ac8d1afedd117e96c3df0814",
	"title": "New Golang brute forcer discovered amid rise in e-commerce attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1225588,
	"plain_text": "New Golang brute forcer discovered amid rise in e-commerce attacks\r\nBy Jérôme Segura\r\nPublished: 2019-02-25 · Archived: 2026-04-06 00:39:54 UTC\r\nE-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmers. A skimmer is a piece of code that is either injected directly into a hacked site or referenced from an external host. Its purpose is to watch for user input, in particular around online shopping carts and checkout forms, and to send that data, such as credit card numbers and passwords, to the perpetrators in clear text.\r\nCompromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems (CMSes) like Magento, as well as in various plugins, are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks, in which many login attempts are made against the administrator account, remain a viable option.\r\nOur investigation started following the discovery of many newly infected Magento websites. We pivoted on the domain name used by the skimmer and found a connection to a new piece of malware that turned out to be a brute forcer for Magento, phpMyAdmin, and cPanel. While we can’t ascertain for sure whether this is how the skimmer was injected, we believe this may be one of many campaigns currently going after e-commerce sites.\r\nCompromised website\r\nThe malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. 
This means the shopping site itself had been compromised, either via a vulnerability or by brute forcing the administrator password.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/\r\nPage 1 of 11\r\nThe online store is running the Magento CMS and uses the OneStepCheckout library to process customers’ shopping carts. As the victim enters their address and payment details, the data is exfiltrated, Base64-encoded, in a POST request to googletagmanager[.]eu. This domain has been flagged before as part of criminal activity related to the Magecart threat groups.\r\nUsing VirusTotal Graph, we found a connection between this e-commerce site and a piece of malware written in Golang, more specifically a network query from the malware to the compromised website. Expanding on it, we saw that the malware was dropped by yet another binary, this one written in Delphi. Perhaps more interestingly, this opened up another large set of domains with which the malware communicates.\r\nPayload analysis\r\nDelphi downloader\r\nThe first part is a downloader we detect as Trojan.WallyShack. It has two layers of packing. The first layer is UPX; after unpacking it with the stock UPX tool, we get the second layer, an underground packer that uses process hollowing.\r\nThe downloader is pretty simple. First, it collects some basic information about the system, and then it beacons to the C2. 
We can see that the domain names of the panels are hardcoded in the binary:\r\nThe main goal of this component is to download and run a payload file:\r\nGolang payload\r\nThe dropped payload persists through the Startup folder: it first writes a bash script to %TEMP%, which is then copied into the Startup folder. The sample is not packed, and looking inside, we can find artifacts indicating that it was built with Golang version 1.9. We detect this file as Trojan.StealthWorker.GO.\r\nThe reversing procedure is similar to what we have done before with another Golang sample. Looking at the functions with the “main_” prefix, we can distinguish the functions that belong to the analyzed binary from those that come from statically linked libraries.\r\nWe found several functions with “Brut” in their names, suggesting this piece of malware is dedicated to brute forcing.\r\nThis is the malware sample that communicated with the aforementioned compromised e-commerce site. In the following section, we will review how communication and tasks are implemented.\r\nBot communication and brute forcing\r\nUpon execution, the Golang binary connects to 5.45.69[.]149. Checking that IP address, we can indeed see a web panel:\r\nThe bot then reports that the infected computer is ready for a new task via a series of HTTP requests, first announcing itself and then receiving instructions. 
You can see below how the bot attempts to brute force Magento sites, using the /downloader/ directory (the Magento Connect Manager login) as its point of entry:\r\nBrute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load across a large number of workers, each trying only a few credentials against a given site. Given that many people still use weak passwords for authentication, brute forcing can still be an effective way to compromise websites.\r\nAttack timeframe and other connections\r\nWe found many different variants of that Golang sample, the majority of them first seen in VirusTotal in early February (hashes available in the IOCs section below).\r\nChecking on some of these other samples, we noticed that there is more than just Magento brute forcing. Some bots are instead going after WordPress sites, for example. Whenever the bot checks back with the server, it receives a new set of domains and passwords. 
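Seen from the targeted server rather than from the bot, the traffic described above is a series of login POSTs to a handful of well-known paths, spread across many source IPs that each try a few credentials. The following is an added example written for this page, not code from the original article or from Malwarebytes: a small Python detector that parses Apache/nginx combined-format access log lines, flags any source that POSTs to the Magento /downloader/ login, phpMyAdmin's index.php or WordPress's wp-login.php more than a handful of times inside a short window, and separately counts requests carrying the exact User-Agent string quoted later on this page. The endpoint paths (default install locations), the threshold, the window and every log line are assumptions; the sample log is constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format. Request bodies (and therefore the
# pma_username / pma_password fields the bot sends) are never logged, so
# detection keys on the login endpoint, the method and the rate per source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Login endpoints the bots in this campaign go after (assumed default paths).
LOGIN_PREFIXES = (
    "/downloader/",            # Magento Connect Manager
    "/phpmyadmin/index.php",   # phpMyAdmin login form
    "/wp-login.php",           # WordPress
)

# User-Agent string quoted in the article's phpMyAdmin request.
BOT_UA = ("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) "
          "Gecko/20100101 Firefox/62.0")


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_endpoint(rec):
    """The matching login prefix for a POST, or None for anything else."""
    if rec["method"] != "POST":
        return None
    return next((p for p in LOGIN_PREFIXES if rec["path"].startswith(p)), None)


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map (ip, endpoint) -> attempt count for sources that POST to a login
    endpoint at least `threshold` times inside any span of length `window`.
    Status codes are deliberately ignored: these PHP login pages typically
    answer a failed attempt by re-rendering the form with HTTP 200, not 401."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = login_endpoint(rec)
        if endpoint:
            attempts[(rec["ip"], endpoint)].append(rec["ts"])

    hits = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):       # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def count_bot_ua(lines):
    """Weak secondary signal: requests carrying the campaign's exact UA string."""
    return sum(1 for l in lines if (r := parse_line(l)) and r["ua"] == BOT_UA)


# Constructed sample log (not real traffic): one bot hammering /downloader/,
# one trying phpMyAdmin, and a legitimate admin with two logins an hour apart.
def _log(ip, when, method, path, ua):
    return (f'{ip} - - [25/Feb/2019:{when} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

ADMIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
SAMPLE_LOG = [
    *[_log("203.0.113.7", f"10:00:{s:02d}", "POST", "/downloader/", BOT_UA)
      for s in (1, 5, 9, 14, 20, 27)],
    *[_log("198.51.100.9", t, "POST", "/phpmyadmin/index.php", BOT_UA)
      for t in ("10:01:00", "10:01:30", "10:02:00", "10:02:30", "10:03:00")],
    _log("192.0.2.44", "10:00:00", "POST", "/downloader/", ADMIN_UA),
    _log("192.0.2.44", "10:05:00", "GET", "/index.php", ADMIN_UA),
    _log("192.0.2.44", "11:00:00", "POST", "/downloader/", ADMIN_UA),
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for (ip, endpoint), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {endpoint}: {n} login POSTs within 5 minutes")
    print(f"requests with the campaign User-Agent: {count_bot_ua(SAMPLE_LOG)}")
```

Two points worth keeping in mind when adapting this: the per-source threshold has to be low, because a distributed bot deliberately spreads attempts across many workers, so a site-wide count per endpoint (all sources combined) is the better alarm once the per-IP view looks quiet; and the User-Agent match is only corroboration, since the string is an ordinary Firefox 62 on Ubuntu and the operators can change it at will.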
Here’s an example of brute forcing phpMyAdmin:\r\nPOST: set_session=\u0026pma_username=Root\u0026pma_password=Administ..\u0026server=1\u0026target= index.php\u0026token=\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\r\nAs we were investigating this campaign, we saw a tweet by Willem de Groot noting a recent increase in skimmers related to googletagmanager[.]eu, tied to Adminer, a database management utility. The shopping site on which we started our research was compromised only a few days ago. Without server logs and the ability to perform a forensic investigation, we can only assume it was hacked in one of many possible scenarios, including the Adminer/MySQL flaw or brute forcing of the password.\r\nMultiple weaknesses\r\nThere are many different weaknesses in this ecosystem that can be exploited, from website owners not being diligent with security updates or their passwords, to end users running infected computers that are turned into bots and unknowingly help to hack web portals.\r\nAs always, it is important to keep web server software up to date and to augment this protection with a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including using the .htaccess file to restrict which IP addresses are allowed to reach the login page.\r\nSkimmers are a real problem for online shoppers, who are becoming more and more wary of entering their personal information into e-commerce websites. 
While victims may not know where and when the theft happened, it does not bode well for online merchants when their platform has been compromised.\r\nMalwarebytes detects the malware used in these attacks and blocks the skimmer gate.\r\nWith additional contributions from @hasherezade.\r\nIndicators of Compromise (IOCs)\r\nSkimmer domain\r\ngoogletagmanager[.]eu\r\nDelphi downloader\r\ncbe74b47bd7ea953268b5df3378d11926bf97ba72d326d3ce9e0d78f3e0dc786\r\nDelphi C2\r\nsnaphyteplieldup[.]xyz\r\ntolmets[.]info\r\nserversoftwarebase[.]com\r\nGolang bruteforcer\r\nfdc3e15d2bc80b092f69f89329ff34b7b828be976e5cbe41e3c5720f7896c140\r\nSimilar Golang bruteforcers\r\n46fd1e8d08d06cdb9d91e2fe19a1173821dffa051315626162e9d4b38223bd4a\r\n05073af551fd4064cced8a8b13a4491125b3\r\nC2 server\r\n5.45.69[.]149:7000\r\nSource: https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/"
	],
	"report_names": [
		"new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439097,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecab38e54a9ff8a7ac8d1afedd117e96c3df0814.pdf",
		"text": "https://archive.orkl.eu/ecab38e54a9ff8a7ac8d1afedd117e96c3df0814.txt",
		"img": "https://archive.orkl.eu/ecab38e54a9ff8a7ac8d1afedd117e96c3df0814.jpg"
	}
}