ComfyUI Botnet Exploits Exposed Stable Diffusion Servers for Cryptomining and Proxy Abuse

CyberSecureFox

A large-scale botnet campaign is actively compromising publicly accessible ComfyUI instances – a popular web interface for the Stable Diffusion image generation framework. Attackers exploit misconfigured deployments and insecure custom nodes to achieve remote code execution, deploy cryptomining malware, and enroll compromised hosts into a botnet used both for mining and for selling proxy access.

Attack Campaign Targeting Exposed ComfyUI Instances

Automated scanning of cloud IP ranges

According to Internet measurement company Censys, the operation relies on a dedicated Python-based scanner that continuously sweeps large IP ranges of major cloud providers. The tool looks for ComfyUI web interfaces that are reachable over the internet without any authentication.

Once an open ComfyUI instance is found, the scanner checks for known vulnerable custom nodes and for the presence of the ComfyUI-Manager component. External attack-surface management data indicates that there are currently more than 1,000 public ComfyUI instances online. While this is not a massive number in absolute terms, it is sufficient to support opportunistic, revenue-driven botnet campaigns at scale.

Abusing custom nodes and ComfyUI-Manager for remote code execution

The core weakness exploited in this campaign lies in the design of certain ComfyUI custom nodes. Some nodes accept “raw” Python code as input and execute it server-side without any authentication or sandboxing. This effectively turns a convenient visual interface for AI image generation into a remote code execution endpoint.

The scanner cycles through a set of known custom node families that permit arbitrary Python execution. If none of the targeted nodes are installed, the tool checks whether ComfyUI-Manager is available. If so, the attackers simply install a malicious, vulnerable package themselves and reattempt exploitation.
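For administrators reviewing which installed custom nodes fall into this category, the following added example (not code from Censys, ComfyUI, or the original article) statically audits a custom_nodes directory for calls that execute code or shell commands with a non-literal argument. The sink list, the function names, and the sample node are assumptions made for illustration; aliased imports such as `from subprocess import run` are not resolved by this heuristic.

```python
import ast
from pathlib import Path

# Calls that run code or shell commands: an audit heuristic, not a complete list.
SINKS = {"exec", "eval", "compile", "os.system", "os.popen", "subprocess.run",
         "subprocess.Popen", "subprocess.call", "subprocess.check_output"}

def call_name(func) -> str:
    """Dotted name of a call target such as 'subprocess.run', or '' if dynamic."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    return ".".join(reversed(parts + [func.id]))

def audit_source(source: str, filename: str = "<node>") -> list:
    """Return (filename, line, sink) for sink calls whose first argument is not a literal."""
    try:
        tree = ast.parse(source, filename)
    except (SyntaxError, ValueError):
        return [(filename, 0, "unparseable")]
    findings = []
    for node in ast.walk(tree):
        name = call_name(node.func) if isinstance(node, ast.Call) else ""
        # A constant first argument cannot carry user input, so it is not reported.
        if name in SINKS and not (node.args and isinstance(node.args[0], ast.Constant)):
            findings.append((filename, node.lineno, name))
    return sorted(findings)

def audit_custom_nodes(root: str) -> list:
    """Audit every .py file under a custom_nodes directory chosen by the operator."""
    findings = []
    for path in Path(root).rglob("*.py"):
        findings += audit_source(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample of the design described above: a node input reaches exec().
SAMPLE_NODE = '''
class RunPython:
    def run(self, code):
        scope = {}
        exec(code, scope)
        return (scope.get("result"),)
'''

if __name__ == "__main__":
    print(audit_source(SAMPLE_NODE, "sample_node.py"))
```

A finding is a prompt for manual review of that node, not proof of compromise; many legitimate nodes shell out with fixed arguments.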

One of the key payloads is a module named “ComfyUI-Shell-Executor”, which is intentionally malicious and controlled by the botnet operator. This package pulls down the next-stage shell script, ghost.sh, from infrastructure hosted on so‑called “bulletproof” hosting (IP 77.110.96[.]200, provider Aeza Group). After achieving code execution, the scanner clears the ComfyUI request history to make forensic analysis more difficult.

From Python Code Execution to Monero and Conflux Cryptomining

The ghost.sh script performs a full compromise and persistence routine on the host. It disables shell command history, kills processes belonging to competing miners, and deploys the attacker’s own mining stack. The botnet operators mine Monero using XMRig and Conflux using lolMiner, diversifying their income across multiple privacy‑focused cryptocurrencies.

To improve stealth and resilience, the malware uses several techniques commonly seen in modern Linux-based cryptomining campaigns:

1. LD_PRELOAD and a hidden watchdog process. The malware injects a custom shared library via the LD_PRELOAD environment variable. This allows it to hook system calls and conceal a watchdog process that monitors the miner and restarts it if needed, making it harder to detect via standard process monitoring tools.

2. Multiple redundant copies of miner binaries. Miner binaries are duplicated across several directories on the system. Even if administrators partially clean the environment, a remaining copy can be used to automatically reinfect or restart mining activities.

3. Protection via chattr +i immutability. Critical files are marked as immutable using chattr +i. On Linux, this attribute prevents deletion, modification, or renaming – even by root – until the attribute is explicitly removed. This significantly complicates manual cleanup for less experienced administrators.

In newer versions of the scanner, the attackers added reboot persistence and recovery. The ghost.sh script is re-fetched every six hours, and the exploitation chain is re-triggered whenever ComfyUI is restarted, ensuring long-term control of compromised nodes.
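The LD_PRELOAD and chattr +i techniques listed above both leave artifacts a responder can enumerate. This added example (not from the original article or the Censys analysis) extracts immutable paths from `lsattr` output and reads LD_PRELOAD values from `/proc/<pid>/environ`; the `/opt/demo` paths, sample data, and function names are constructed for illustration.

```python
import glob
import subprocess

FLAG_CHARS = set("-aAcCdDeEFiIjmNPsStTuVx")  # flag letters per chattr(1)

def immutable_paths(lsattr_output: str) -> list:
    """Paths whose lsattr flag column contains 'i' (immutable)."""
    hits = []
    for line in lsattr_output.splitlines():
        flags, _, path = line.partition(" ")
        # Skips directory headers ("/opt/x:"), blank lines and lsattr error lines.
        if path and set(flags) <= FLAG_CHARS and "i" in flags:
            hits.append(path)
    return hits

def preload_value(environ: bytes) -> str:
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or ''."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return ""

def scan_host(dirs) -> dict:
    """Run both checks on a live Linux host (root is needed to read every process)."""
    found = {"immutable": [], "preload": {}}
    for d in dirs:  # absolute directories chosen by the operator
        res = subprocess.run(["lsattr", "-Ra", d], capture_output=True,
                             text=True, errors="replace")
        found["immutable"] += immutable_paths(res.stdout)
    for env_file in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(env_file, "rb") as fh:
                value = preload_value(fh.read())
        except OSError:
            continue  # process exited or access denied
        if value:
            found["preload"][env_file.split("/")[2]] = value
    return found

# Constructed samples: lsattr output (with one error line) and a process environment.
SAMPLE_LSATTR = """/opt/demo:
--------------e------- /opt/demo/readme.txt
----i---------e------- /opt/demo/.cache/worker
lsattr: Operation not supported While reading flags on /opt/demo/sock
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/opt/demo/libhook.so\0HOME=/root\0"

if __name__ == "__main__":
    print(immutable_paths(SAMPLE_LSATTR), preload_value(SAMPLE_ENVIRON))
```

On a live host, call `scan_host` with absolute directories from a shell where LD_PRELOAD is unset, so the triage process does not load the same library. A flagged file can only be removed after `chattr -i` clears the attribute.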

Hysteria V2 Proxy Botnet and Competition with Hisana

Compromised servers are centrally managed via a Flask-based command-and-control (C2) panel. From this panel, operators can push arbitrary commands and deploy additional payloads. One such payload is an installer for Hysteria V2, a high-performance tunneling and proxy tool. This indicates that the attackers likely aim to monetize infected hosts as anonymous proxy endpoints in addition to cryptomining.

The campaign also exhibits explicit botnet‑vs‑botnet behavior. The ghost.sh script contains logic targeting a competing botnet known as “Hisana”. Rather than simply terminating Hisana’s processes, the script rewrites Hisana’s configuration to redirect any mined cryptocurrency to the wallet controlled by the current operators. It then binds Hisana’s default management port (10808) with a dummy Python listener, blocking the rival botnet from restarting on the same host.

Part of a Broader Wave of Attacks on Exposed Cloud and AI Services

Analysis of the attacker’s infrastructure and command history revealed attempts to log in via SSH as root to 120.241.40[.]237, a host associated with an ongoing self‑propagating campaign against exposed Redis servers. This connection suggests that the ComfyUI intrusions are one element within a broader ecosystem of malicious activity targeting various unsecured internet-facing services.

Threat intelligence platform Pulsedive, citing data from Spamhaus, reports that botnet activity increased sharply in 2025: by 26% in the first half of the year and by another 24% in the second half. The spread is partly driven by the publicly available source code of well-known botnets such as Mirai, spawning numerous forks that power large‑scale DDoS attacks. The ComfyUI campaign illustrates how this trend is expanding into cloud-hosted AI and machine learning services, which often run with powerful hardware and permissive network access.

The situation around ComfyUI demonstrates that even “auxiliary” AI interfaces, if exposed without proper hardening, rapidly become attractive targets. Administrators operating ComfyUI in production or shared environments should immediately restrict public access (for example via VPN, IP allow‑listing, or a reverse proxy with strong authentication), disable or tightly control custom nodes that execute arbitrary Python code, and review installations for suspicious packages such as “ComfyUI-Shell-Executor”, shell scripts like ghost.sh, and miners including XMRig and lolMiner. Regularly scanning for files marked with chattr +i, auditing exposed cloud services, and monitoring botnet-related indicators of compromise are now critical steps for any organization relying on AI tools as part of its production infrastructure.
