As reported by The Hacker News, a sophisticated attack campaign is actively targeting internet-exposed instances of ComfyUI, a popular platform for stable diffusion models, to integrate them into a malicious cryptocurrency mining and proxy botnet.Threat actors are employing a custom Python scanner that continuously probes cloud IP ranges for vulnerable ComfyUI deployments. The exploitation leverages a misconfiguration in unauthenticated instances, allowing remote code execution through custom nodes. Once compromised, these servers are enlisted to mine Monero and Conflux cryptocurrencies using XMRig and lolMiner, respectively. Additionally, they are incorporated into a Hysteria V2 botnet, all managed via a Flask-based command-and-control dashboard. The campaign installs malicious nodes, often via ComfyUI-Manager, and employs techniques like disabling shell history and using "chattr +i" for persistence. The malware also actively targets and disrupts competing mining operations.This campaign highlights the growing trend of exploiting open-source AI tools for illicit activities. With over 1,000 publicly accessible ComfyUI instances identified, the potential for financial gain incentivizes such opportunistic attacks. Source: The Hacker News
Security Operations, AI/ML, Threat Intelligence
ComfyUI instances hijacked for cryptomining and proxy botnet

(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



