
Security researchers have observed an active campaign targeting internet-exposed instances of ComfyUI, a popular node-based interface for Stable Diffusion image generation, to enlist them in cryptocurrency mining and proxy botnets.
“A dedicated Python scanner continuously sweeps across key cloud IP ranges looking for vulnerable targets and automatically installs malicious nodes via ComfyUI-Manager if exploitable nodes are not already present,” Censys security researcher Mark Ellzey said in a report published Monday.
The core of this campaign is to systematically scan exposed ComfyUI instances and exploit misconfigurations that allow remote code execution on unauthenticated deployments via custom nodes.
Upon successful exploitation, the compromised host is roped into a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as into the Hysteria V2 botnet. Both the mining operation and the botnet are centrally managed through a Flask-based command-and-control (C2) dashboard.
According to data from attack surface management platforms, there are over 1,000 publicly accessible ComfyUI instances. Although not a huge number, it is enough for threat actors to run opportunistic campaigns for financial gain.
Censys said it discovered the campaign last month after identifying an open directory on 77.110.96[.]200, an IP address associated with Aeza Group, a bulletproof hosting provider. This directory allegedly contained a set of tools used to carry out previously undocumented attacks.
It includes two reconnaissance tools to enumerate exposed ComfyUI instances across cloud IP ranges, identify instances where ComfyUI-Manager is installed, and shortlist instances susceptible to code execution exploits.
One of the two Python scanner scripts also acts as an exploitation framework that achieves code execution through custom ComfyUI nodes. The technique, aspects of which Snyk documented in December 2024, takes advantage of the fact that some custom nodes accept raw Python code as input and run it directly, without requiring authentication.
As a result, an attacker can scan exposed ComfyUI instances for specific custom node families that support arbitrary code execution, effectively turning the service into a channel for delivering attacker-controlled Python payloads. These are the custom node families the attacks specifically look for:
- Vova75Rus/ComfyUI-Shell-Executor
- filliptm/ComfyUI_Fill-Nodes
- seanlynch/srl-nodes
- ruiqutech/ComfyUI-RuiquNodes
“If the target node does not exist, the scanner checks whether ComfyUI-Manager is installed,” Censys said. “If available, it installs the vulnerable node package itself and retries the exploit.”

It's worth noting that ‘ComfyUI-Shell-Executor’ is a malicious package created by the attacker to retrieve a next-stage shell script (‘ghost.sh’) from the aforementioned IP address. Once code execution is achieved, the scanner removes evidence of the exploit by clearing the ComfyUI prompt history.
A newer version of the scanner also includes a persistence mechanism that re-downloads the shell script every 6 hours and reruns the exploit workflow every time ComfyUI starts.
The shell script disables shell history, kills competing miners, starts the miner process, uses an LD_PRELOAD hook to hide the watchdog process, and ensures that the miner process is revived if it dies.
Additionally, the miner program is copied to multiple locations so that even if the primary installation directory is wiped, it can be launched from one of the fallback locations. The third persistence mechanism is the “chattr +i” command, which locks the miner binary so that it cannot be deleted, modified, or renamed, even by the root user.
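To make these indicators actionable on a ComfyUI host, here is a local audit script, added here as an example; it is not part of the Censys report or its tooling. It assumes the standard ComfyUI layout (custom node packages cloned under custom_nodes/), ComfyUI's default listen port 8188, and the usual text formats of /etc/ld.so.preload, `lsattr` and `ss -ltn`. It flags the node families the scanner looks for, libraries registered for system-wide LD_PRELOAD, files locked with chattr +i in the usual drop directories, and a ComfyUI listener bound to all interfaces.

```python
"""Host-side audit for the ComfyUI campaign indicators described above.

Added example, not Censys or ComfyUI project code. Assumptions: custom nodes
live under <root>/custom_nodes/, ComfyUI listens on its default port 8188,
and /etc/ld.so.preload, `lsattr` and `ss -ltn` use their usual text formats.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path
from typing import Iterable

# Node families named in the report ("owner/repo"); the clone directory is
# normally the repo part. ComfyUI-Shell-Executor is the attacker-created one.
RISKY_NODE_FAMILIES = (
    "Vova75Rus/ComfyUI-Shell-Executor",
    "filliptm/ComfyUI_Fill-Nodes",
    "seanlynch/srl-nodes",
    "ruiqutech/ComfyUI-RuiquNodes",
)
_RISKY_DIRS = {f.split("/", 1)[1].lower() for f in RISKY_NODE_FAMILIES}

COMFYUI_DEFAULT_PORT = 8188  # assumption: ComfyUI's default listen port
WILDCARD_HOSTS = {"0.0.0.0", "*", "::"}


def risky_from_names(dir_names: Iterable[str]) -> list[str]:
    """Return the custom_nodes/ directory names that match a risky family."""
    return sorted(n for n in dir_names if n.lower() in _RISKY_DIRS)


def find_risky_custom_nodes(comfyui_root: Path) -> list[str]:
    """List risky node packages installed under <root>/custom_nodes/."""
    nodes_dir = comfyui_root / "custom_nodes"
    if not nodes_dir.is_dir():
        return []
    return risky_from_names(p.name for p in nodes_dir.iterdir() if p.is_dir())


def preload_entries(ld_so_preload_text: str) -> list[str]:
    """Parse /etc/ld.so.preload (one library per line, '#' comments).

    A clean host normally has this file absent or empty; any entry deserves
    a look, since the campaign hides its watchdog with an LD_PRELOAD hook.
    """
    entries = []
    for raw in ld_so_preload_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


_LSATTR_FLAGS = re.compile(r"[-A-Za-z]{10,}")  # e.g. '----i---------e-------'


def immutable_files(lsattr_output: str) -> list[str]:
    """Return paths whose lsattr flags carry 'i' (immutable, set by chattr +i).

    Lines look like '----i---------e------- /path'; lsattr error lines are
    skipped, and uppercase 'I' (indexed directory) is deliberately ignored.
    """
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not _LSATTR_FLAGS.fullmatch(parts[0]):
            continue
        flags, path = parts
        if "i" in flags:
            found.append(path)
    return found


def exposed_listeners(ss_output: str, port: int = COMFYUI_DEFAULT_PORT) -> list[str]:
    """From `ss -ltn` output, return LISTEN sockets on `port` bound to a wildcard.

    A ComfyUI bound to 0.0.0.0 or [::] with no auth in front is exactly what
    the scanner is looking for; 127.0.0.1 behind a reverse proxy is not flagged.
    """
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        host, _, lport = local.rpartition(":")
        if lport == str(port) and host.strip("[]") in WILDCARD_HOSTS:
            hits.append(local)
    return hits


def _run(cmd: list[str]) -> str:
    """Run a command and return stdout, or '' if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def audit_host(comfyui_root: Path, scan_dirs=("/tmp", "/var/tmp", "/dev/shm")) -> dict:
    """Run every check against the live host and return the findings."""
    preload = Path("/etc/ld.so.preload")
    return {
        "risky_nodes": find_risky_custom_nodes(comfyui_root),
        "ld_so_preload": preload_entries(preload.read_text()) if preload.is_file() else [],
        "immutable": [p for d in scan_dirs for p in immutable_files(_run(["lsattr", "-R", d]))],
        "exposed": exposed_listeners(_run(["ss", "-ltn"])),
    }


if __name__ == "__main__":
    import json
    import sys

    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("ComfyUI")
    print(json.dumps(audit_host(root), indent=2))
```

Run it as `python audit.py /path/to/ComfyUI` on the host; any non-empty list in the output is a lead, not proof, and an immutable binary in /tmp or /dev/shm that the administrator did not create is the strongest single indicator of the persistence described above.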
“There is also dedicated code targeting a specific competitor, ‘Hisana’ (referenced throughout the code), which appears to be another mining botnet,” Censys explained. “Rather than just killing it, ghost.sh overrides its configuration and redirects Hisana’s mining output to its own wallet address, occupying Hisana’s C2 port (10808) with a dummy Python listener so Hisana cannot be restarted.”
Infected hosts are controlled through a Flask-based C2 panel, which lets operators push additional payloads, including shell scripts that install Hysteria V2, with the goal of selling compromised nodes as proxies.
Further analysis of the attacker’s shell command history revealed an SSH login attempt as root to the IP address 120.241.40[.]237, which is linked to an ongoing worm campaign targeting publicly accessible Redis database servers.
“Many of the tools in this repository appear to have been hastily assembled, and the overall tactics and techniques may initially suggest an unsophisticated operation,” Censys said. “Specifically, operators identify exposed ComfyUI instances running custom nodes, determine which of those nodes expose insecure functionality, and use them as a conduit for remote code execution.”
“The infrastructure accessed by the operators supports the idea that this activity is part of a broader campaign focused on discovering and exploiting exposed services, and then deploying custom tools for persistence, scanning, or monetization.”
This discovery coincides with the emergence of multiple botnet campaigns in recent weeks.
- Threat actors are exploiting command injection vulnerabilities in n8n (CVE-2025-68613) and Tenda AC1206 routers (CVE-2025-7544) to add the devices to a Mirai-based botnet known as Zerobot.
- Another campaign exploits vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Metabase (CVE-2023-38646), and React Server Components (CVE-2025-55182, aka React2Shell) to deliver Kinsing, a persistent malware used to mine cryptocurrencies and launch distributed denial-of-service (DDoS) attacks.
- A suspected zero-day vulnerability in fnOS Network Attached Storage (NAS) devices is being exploited to target internet-exposed systems and plant DDoS malware called NetDragon. “NetDragon establishes an HTTP backdoor interface on the compromised device, allowing attackers to remotely access and control the infected system,” QiAnXin XLab said. “It hijacks the official Feiniu NAS system update domain by modifying the ‘hosts’ file, preventing the device from getting system updates or security patches.”
- RondoDox has expanded its exploit list to 174 different vulnerabilities and shifted its attack method from a “shotgun approach” to more targeted, recent flaws that are more likely to lead to infections.
- A new variant of Condi, a Linux malware that exploits known security vulnerabilities to turn compromised Linux devices into bots capable of conducting DDoS attacks, is being deployed. The binary references the string “QTXBOT”, which indicates either the name of the forked version or the internal project name.
- An active cryptojacking operation called Monaco launches XMRig miners after brute-force attacks against SSH servers to generate illicit crypto revenue.
- Weak SSH passwords are also used as an attack vector to deploy malware that establishes persistence, kills competing miners, connects to external servers, performs ZMap scans, and propagates to other vulnerable hosts in a worm-like manner.
“Botnet activity has skyrocketed over the past year, with Spamhaus noting that it increased by 26% and 24% in two six-month periods, January to June 2025 and July to December 2025, respectively,” Pulsedive said.
“This increase is related to bots and nodes emerging in the United States. This increase also stems from the availability of source code for botnets such as Mirai. Mirai and its variants are responsible for some of the largest DDoS attacks by volume.”
