ComfyUI Botnet Hits 1000+ Exposed Instances

What if your AI image generator was secretly mining crypto for hackers? A new botnet's turning exposed ComfyUI servers into a profit machine, exploiting custom nodes with ruthless efficiency.

Infographic: Python scanner exploiting ComfyUI custom nodes for botnet takeover

Key Takeaways

  • Over 1,000 exposed ComfyUI instances exploited via custom node RCE for cryptomining and proxy botnets.
  • Attackers use Python scanners, auto-install malicious nodes, and advanced persistence like immutable binaries.
  • This signals AI tools becoming prime botnet targets, echoing Mirai-era IoT vulnerabilities.

Ever wonder why your cloud-hosted AI tools feel like sitting ducks in a digital shooting gallery?

Exposed ComfyUI instances—over 1,000 of them, ripe for the picking—have sparked a cryptomining botnet campaign that’s equal parts clever and crude. ComfyUI, that go-to Stable Diffusion platform for crafting images from prompts, isn’t just a creative playground anymore. It’s a gateway for attackers wielding a purpose-built Python scanner, sweeping cloud IP ranges like a vacuum cleaner on steroids.

Censys researcher Mark Ellzey nailed it in his Monday report:

“A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present.”

And here’s the kicker—this isn’t some zero-day wizardry. It’s a straight-up misconfiguration exploit. Unauthenticated ComfyUI deployments let remote code execution slip through custom nodes. Attackers probe for families like Vova75Rus/ComfyUI-Shell-Executor or filliptm/ComfyUI_Fill-Nodes, feeding them raw Python payloads that execute without a password in sight.

Why Do ComfyUI Users Keep Leaving Doors Wide Open?

Look, devs love ComfyUI for its node-based workflow—drag, drop, generate trippy art or product mocks. But exposing it publicly? That’s begging for trouble. Data from attack surface scanners pegs the count at north of 1,000 live instances. Not a flood, sure, but enough for opportunistic hustlers to mine Monero with XMRig and Conflux via lolMiner, then flip the hosts into a Hysteria V2 proxy botnet.

The scanner’s no slouch. It reconnoiters clouds, IDs ComfyUI-Manager installs, shortlists the vulnerable. No juicy nodes? It’ll shoehorn in a malicious one—ComfyUI-Shell-Executor, their own Frankenstein package. That bad boy pulls ‘ghost.sh’ from a bulletproof host at 77.110.96[.]200, courtesy of Aeza Group.

Once in, cleanup’s automatic: prompt history wiped. Newer scanners add persistence—redownload every six hours, re-exploit on every ComfyUI restart. Ghost.sh? It nukes shell history, slays rival miners, fires up the payload. LD_PRELOAD tricks hide a watchdog; miners scatter to fallback dirs. And get this—‘chattr +i’ locks binaries immutable, even for root. Try deleting that.

But wait, there’s grudge-match drama.

How Does This Botnet Outsmart Rivals Like Hisana?

Ghost.sh doesn’t just kill competitors—it hijacks them. Spot ‘Hisana’ (another mining crew)? Overwrite its config, reroute pools to the attacker’s wallet, squat on port 10808 with a dummy listener. Ruthless. All orchestrated from a Flask C2 dashboard pushing commands, payloads, Hysteria V2 for proxy sales.

Censys stumbled on this via an open dir on that Aeza IP last month. Tooling’s there: dual recon scripts, exploitation framework. Hasty code, yeah—feels like a lone wolf or small crew—but effective. SSH logs even hint at crossover ops, worming Redis servers at 120.241.40[.]237.

Now, my take—and this is where it gets spicy. Remember Mirai in 2016? IoT devices everywhere, default creds, botnet Armageddon. ComfyUI’s the new frontier. AI tools exploding in popularity, rushed cloud deploys, custom nodes as RCE vectors. We’re seeing architectural rot: open-source extensibility prized over lockdown. Prediction? If vendors don’t bake auth into core (Snyk flagged this last December), we’ll see botnets graduating from opportunistic to targeted, hitting enterprise AI pipelines. Not hype—it’s the why behind the surge.

Censys calls it unsophisticated at first blush. Don’t buy it. This op’s got legs: multi-coin mining, proxy monetization, anti-forensic tricks. Corporate spin might downplay as ‘misconfigs,’ but that’s dodging the real shift—AI infra’s now botnet fodder, just like routers a decade ago.

Exploitation flow’s surgical. Scanner pings instance. Checks nodes. Misses? Install via manager. Retry. Shell drops, persists, phones home. C2 issues Hysteria: tun2socks, fake certs, obfs—proxies ready for dark markets.

Users? Scan your setups. ComfyUI-Manager’s a double-edged sword: handy, but auto-installs scream risk. Firewall unauthenticated access. Vet custom nodes like you’d vet alley deals.
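A host-side audit for the indicators the persistence and Hisana passages above describe (the abused node families, LD_PRELOAD, chattr +i, the port 10808 listener), written as an added example here rather than Censys or ComfyUI code. It assumes you have already collected its inputs from the host (a custom_nodes listing, /etc/ld.so.preload, `lsattr` output, a listener table); the SAMPLE_* data is constructed.

```python
"""Audit already-collected host data for the ComfyUI botnet indicators described above.
Added example, not Censys or ComfyUI code; it makes no network or privileged calls."""
import re

RISKY_NODE_FAMILIES = {"ComfyUI-Shell-Executor", "ComfyUI_Fill-Nodes"}  # named in the article
HIJACK_PORT = 10808                   # dummy listener ghost.sh squats on (per article)
MINER_NAMES = {"xmrig", "lolminer"}   # miners named in the article

def audit_custom_nodes(node_dirs):
    """Return custom_nodes entries whose directory name matches an abused family."""
    names = [d.rstrip("/").rsplit("/", 1)[-1] for d in node_dirs]
    return sorted(n for n in names if n in RISKY_NODE_FAMILIES)

def audit_ld_preload(preload_text):
    """Non-comment lines of /etc/ld.so.preload: libraries forced into every new process."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def audit_immutable(lsattr_text):
    """Parse `lsattr` lines ('<flags> <path>'); lowercase 'i' in flags means chattr +i."""
    hits = []
    for ln in lsattr_text.splitlines():
        m = re.match(r"^(\S+)\s+(.+)$", ln.strip())
        if m and "i" in m.group(1):
            hits.append(m.group(2))
    return hits

def audit_listeners(listeners):
    """listeners: (port, process_name) pairs, e.g. parsed from `ss -ltnp`."""
    out = []
    for port, proc in listeners:
        if port == HIJACK_PORT:
            out.append(f"listener on {port} ({proc})")
        if proc.lower() in MINER_NAMES:
            out.append(f"miner process {proc} on port {port}")
    return out

def run_audit(node_dirs, preload_text, lsattr_text, listeners):
    """Combine all checks into one findings dict; empty lists mean nothing flagged."""
    return {"risky_nodes": audit_custom_nodes(node_dirs),
            "ld_preload": audit_ld_preload(preload_text),
            "immutable": audit_immutable(lsattr_text),
            "listeners": audit_listeners(listeners)}

# Constructed sample host data; 'libwatch.so' and the 'ghost' process name are invented.
SAMPLE_NODES = ["custom_nodes/ComfyUI-Manager", "custom_nodes/ComfyUI-Shell-Executor"]
SAMPLE_PRELOAD = "# comment\n/usr/local/lib/libwatch.so\n"
SAMPLE_LSATTR = "----i---------e------- /tmp/.x/xmrig\n--------------e------- /usr/bin/ls\n"
SAMPLE_LISTENERS = [(8188, "python3"), (10808, "ghost")]
```

Call `run_audit(SAMPLE_NODES, SAMPLE_PRELOAD, SAMPLE_LSATTR, SAMPLE_LISTENERS)` to see the sample findings, then substitute data gathered from your own host for the SAMPLE_* values.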

And the ecosystem? Stable Diffusion’s wild west—thousands of nodes on Civitai, GitHub. Attackers game the repo flood. One bad package, and boom.

This botnet’s small now. But scale it—cloud credits flowing, proxies renting. Financial bleed’s real.

What Makes ComfyUI Such a Perfect Botnet Launchpad?

Short answer: extensibility kills. Nodes meant for shell exec or fills? Hand ‘em Python, they run it. No sandbox. It’s like giving strangers your house keys ‘cause they look creative.

Persistence pyramid seals it: copies in multiple locations, immutable flags, timed re-drops. Watchdog revives miners post-kill. Hisana hijack? Genius turf war.

Flask C2’s lightweight—web UI for commands. SSH history shows ambition: Redis worms next?

Deep dive reveals haste: comments in Russian, quick-and-dirty paths. Yet it works. That’s the terror—low-bar entry for mid-tier crews.

Historical parallel? Mirai 2.0 for AI devs. Back then, telnet brute-force. Now, node poisoning. Shift’s underway: guard your generators.


Frequently Asked Questions

What is ComfyUI and why is it targeted?

ComfyUI’s a node-based UI for Stable Diffusion AI image gen. Attackers love its exposed cloud instances—easy RCE via custom nodes, perfect for mining bots.

How can I secure my ComfyUI setup?

Authenticate it fully, firewall public access, audit custom nodes, disable ComfyUI-Manager auto-installs. Run behind VPN.

Is this botnet just about mining or more?

Mining Monero/Conflux upfront, but Hysteria V2 turns hosts into rentable proxies. C2 hints at payload flexibility.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.



Originally reported by The Hacker News
