Campaign
ComfyUI exposure abuse for mining and proxying
Updated 07.04.2026 15:46
Case score 57
Members 1
Latest activity 07.04.2026 15:46
First seen 07.04.2026 15:46
Last seen 07.04.2026 15:46
Overview
**ComfyUI** deployments exposed to the internet are being scanned and turned into a **cryptomining and proxy botnet**. The activity abuses malicious custom nodes and **ComfyUI-Manager** to reach code execution, then installs mining and proxy tooling on the compromised hosts.
More than **1,000 publicly accessible instances** are in scope, and the available evidence shows persistence and cleanup steps designed to keep the hosts monetizable. Exposed deployments should be reviewed and hardened immediately, with public access and custom-node exposure reduced wherever possible.
Exposed, running **ComfyUI** deployments are being scanned and turned into a **cryptomining and proxy botnet**. The operator uses a purpose-built Python scanner to sweep major cloud IP ranges, checks each hit for **ComfyUI-Manager**, and uses it to install malicious custom nodes where no exploitable custom node is already present. That access can yield unauthenticated remote code execution, after which compromised hosts mine **Monero** with **XMRig** and **Conflux** with **lolMiner** and join a **Hysteria V2** proxy network.
Persistence and cleanup steps include a **ghost.sh** script, re-execution of that script on startup, prompt-history wiping, hiding via LD_PRELOAD, and **chattr +i** locking of dropped files. More than **1,000 publicly accessible instances** are in scope, so the campaign is broad enough to sustain ongoing monetization. Available evidence does not show how many hosts were fully compromised or whether every exposed instance in scope was reached.
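Added host-triage helpers for the indicators named above (example code, not the page's or the ComfyUI project's own): entries in /etc/ld.so.preload, chattr +i immutability read through the Linux inode-flag ioctl, the ComfyUI --listen setting, the miner/proxy process names, and a dropped ghost.sh. The code assumes 64-bit Linux and relies on ComfyUI's --listen flag binding all interfaces when given without an address; the process and file name lists are taken from the campaign summary and should be extended with local findings.

```python
import fcntl, os, shlex, struct
from pathlib import Path

SUSPECT_FILENAMES = {"ghost.sh"}  # script name from the campaign summary; extend locally
MINER_PROCESS_NAMES = {"xmrig", "lolminer", "hysteria"}  # miners and proxy named above
# Inode-flag ioctl and the chattr +i bit from <linux/fs.h>; assumes 64-bit Linux.
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010

def preload_entries(text):
    """Non-comment entries of /etc/ld.so.preload (LD_PRELOAD hiding); a clean host has none."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def is_immutable(path):
    """True if the file carries chattr +i; None if unreadable or the filesystem lacks the ioctl."""
    try:
        fd = os.open(path, os.O_RDONLY)
        try:
            buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        finally:
            os.close(fd)
    except OSError:
        return None
    return bool(struct.unpack("l", buf)[0] & FS_IMMUTABLE_FL)

def listen_exposure(cmdline):
    """Classify a ComfyUI main.py command line; a bare --listen binds every interface."""
    args = shlex.split(cmdline)
    if "--listen" not in args:
        return "localhost"
    i = args.index("--listen")
    nxt = args[i + 1] if i + 1 < len(args) else "-"
    hosts = ["0.0.0.0"] if nxt.startswith("-") else [h.strip() for h in nxt.split(",")]
    return "public" if any(h in ("0.0.0.0", "::", "") for h in hosts) else "bound:" + ",".join(hosts)

def miner_processes(ps_lines):
    """(pid, comm) from `ps -eo pid,comm,args` lines naming the campaign's miners or proxy.
    LD_PRELOAD hiding can filter ps output, so cross-check /proc from a static binary."""
    hits = []
    for ln in ps_lines:
        parts = ln.split(None, 2)
        if len(parts) >= 2 and parts[0].isdigit() and parts[1].lower() in MINER_PROCESS_NAMES:
            hits.append((int(parts[0]), parts[1]))
    return hits

def suspect_files(root):
    """Paths under a ComfyUI checkout whose name matches a script the campaign drops."""
    root = Path(root)
    return [str(p) for p in root.rglob("*") if p.name in SUSPECT_FILENAMES] if root.is_dir() else []
```

A non-empty result from any of these is a lead, not a verdict; confirm it against the host's package manifest and the ComfyUI custom_nodes directory before acting.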