An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
“A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present,” Censys security researcher Mark Ellzey said in a report published Monday.
The attack activity, at its core, systemically scans for exposed ComfyUI instances and exploits a misconfiguration that allows remote code execution on unauthenticated deployments through custom nodes.
Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as to a Hysteria V2 botnet. Both of them are centrally managed through a Flask-based command-and-control (C2) dashboard.
Data from the attack surface management platforms shows that there are more than 1,000 publicly-accessible ComfyUI instances. While not a huge number, it’s sufficient for a threat actor to run opportunistic campaigns to reap financial gains.
Censys said it discovered the campaign last month after identifying an open directory on 77.110.96[.]200, an IP address associated with a bulletproofing hosting services provider, Aeza Group. The directory is said to have contained a previously undocumented set of tools to pull off the attacks.
This includes two reconnaissance tools to enumerate exposed ComfyUI instances across cloud infrastructure, identify those that have ComfyUI-Manager installed, and shortlist those that are susceptible to the code execution exploit.
One of the two scanner Python scripts also functions as an exploitation framework that weaponizes ComfyUI’s custom nodes to achieve code execution. This technique, some aspects of which were documented by Snyk in December 2024, takes advantage of the fact that some custom nodes accept raw Python code as input and run it directly without requiring any authentication.
As a result, an attacker can scan exposed ComfyUI instances for specific custom node families that support arbitrary code execution, effectively turning the service into a channel for delivering attacker-controlled Python payloads. Some of the custom node families that the attack particularly looks for are listed below –
- Vova75Rus/ComfyUI-Shell-Executor
- filliptm/ComfyUI_Fill-Nodes
- seanlynch/srl-nodes
- ruiqutech/ComfyUI-RuiquNodes
“If none of the target nodes are present, the scanner checks whether ComfyUI-Manager is installed,” Censys said. “If available, it installs a vulnerable node package itself, then retries exploitation.”
It’s worth noting that “ComfyUI-Shell-Executor” is a malicious package created by the attacker to fetch a next-stage shell script (“ghost.sh”) from the aforementioned IP address. Once code execution is obtained, the scanner removes evidence of the exploit by clearing the ComfyUI prompt history.
A newer version of the scanner also incorporates persistence mechanisms that cause the shell script to be downloaded every six hours and the exploit workflow to be re-executed every time ComfyUI is started.
The shell script, for its part, disables shell history, kills competing miners, launches the miner process, anduses the LD_PRELOAD hook to hide a watchdog process that ensures the miner process is revived in the event it gets terminated.
In addition, the miner program is copied to multiple locations so that even if the primary install directory gets wiped, it can be launched from one of the fallback locations. A third mechanism the malware uses to ensure persistence is the use of the “chattr +i” command to lock the miner binaries and prevent them from being deleted, modified, or renamed, even by the root user.
“There is also dedicated code targeting a specific competitor, ‘Hisana’ (which is referenced throughout the code), which appears to be another mining botnet,” Censys explained. “Rather than just killing it, ghost.sh overwrites its configuration to redirect Hisana’s mining output to its own wallet address, then occupies Hisana’s C2 port (10808) with a dummy Python listener so Hisana can’t restart.”
The infected hosts are commandeered by means of a Flask-based C2 panel, which allows the operator to push instructions or deploy additional payloads, including a shell script that installs Hysteria V2 with the likely goal of selling compromised nodes as proxies.
Further analysis of the attacker’s shell command history has revealed an SSH login attempt as root to the IP address 120.241.40[.]237, which has been linked to an ongoing worm campaign targeting exposed Redis database servers.
“Much of the tooling in this repository appears hastily assembled, and the overall tactics and techniques might initially suggest unsophisticated activity,” Censys said. “Specifically, the operator identifies exposed ComfyUI instances running custom nodes, determines which of those nodes expose unsafe functionality, and then uses them as a pathway to remote code execution.”
“The infrastructure accessed by the operator further supports the idea that this activity is part of a broader campaign focused on discovering and exploiting exposed services, followed by the deployment of custom tooling for persistence, scanning, or monetization.”
The discovery coincides with the emergence of multiple botnet campaigns in recent weeks –
- Exploitation of command injection vulnerabilities in n8n (CVE-2025-68613) and Tenda AC1206 routers (CVE-2025-7544) to add them to a Mirai-based botnet known as Zerobot.
- Exploitation of vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Metabase (CVE-2023-38646), and React Server Components (CVE-2025-55182 aka React2Shell) to deliver Kinsing, a persistent malware used for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks.
- Exploitation of a suspected zero-day vulnerability in fnOS Network Attached Storage (NAS) to target internet-exposed systems and implant them with a DDoS malware called Netdragon. “NetDragon establishes an HTTP backdoor interface on compromised devices, enabling attackers to remotely access and control the infected systems,” QiAnXin XLab said. “It tampers with the ‘hosts’ file to hijack the official Feiniu NAS system update domains, effectively preventing devices from obtaining system updates and security patches.”
- Expansion of RondoDox‘s exploit list to 174 different vulnerabilities, while shifting the attack methodology from a “shotgun approach” to more targeted and recent flaws that are more likely to lead to infections.
- Exploitation of known security vulnerabilities to deploy a new variant of Condi, a Linux malware that turns compromised linux devices into bots capable of conducting DDoS attacks. The binary references a string “QTXBOT,” either indicating the name of the forked version or the internal project name.
- Brute-force attacks against SSH servers to launch an XMRig miner and generate illicit cryptocurrency revenue as part of an active cryptojacking operation called Monaco. Weak SSH passwords have also been used as attack pathways to deploy malware that establishes persistence, kills competing miners, connects to an external server, and performs a ZMap scan to propagate the malware in a worm-like fashion to other vulnerable hosts.
“Botnet activity has surged over the last year, with Spauhaus noting 26% and 24% increases in the two six-month periods Jan – Jun 2025 and Jul – Dec 2025, respectively,” Pulsedive said.
“This increase is associated with bots and nodes appearing in the United States. The increase also stems from the availability of source code for botnets such as Mirai. Mirai offshoots and variants are responsible for some of the largest DDoS attacks by volume.”