Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

ComfyUI exposure abuse for mining and proxying

Updated 07.04.2026 15:46
Case score 57
Case score 57 Members 1 Latest activity 07.04.2026 15:46
Members 1 First seen 07.04.2026 15:46 Last seen 07.04.2026 15:46 Updated 07.04.2026 15:46

Overview

**ComfyUI** deployments exposed to the internet are being scanned and turned into a **cryptomining and proxy botnet**. The activity uses malicious custom nodes and **ComfyUI-Manager** handling to reach code execution, then installs mining and proxy tooling on compromised hosts. More than **1,000 publicly accessible instances** are in scope, and the available evidence shows persistence and cleanup steps designed to keep the hosts monetizable. Exposed deployments should be reviewed and hardened immediately, with public access and custom-node exposure reduced where possible.

Signals

1 derived
Impact signals
Status
Campaign status Active

Malware context

6 families · 2 tools
Tools
React2Shell RondoDox

Member happenings

1 related
Campaign ComfyUI cryptomining and proxy botnet campaign targeting exposed instances
Updated 07.04.2026 15:46 Lead Contribution 57
Objective Access Brokerage Campaign Active

An **active ComfyUI campaign** is scanning exposed instances, exploiting unsafe custom nodes, and enlisting compromised hosts into a **cryptomining and proxy botnet**. The operation matters because it enables **unauthenticated remote code execution** on vulnerable deployments and converts them into monetizable infrastructure. More than **1,000 publicly-accessible instances** are in scope, indicating broad exposure.