Campaign
ComfyUI exposure abuse for mining and proxying
Updated 07.04.2026 15:46
Case score 57
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 57
- Main story score
- 57
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Campaign The campaign itself is the full case anchor and accounts for the entire compound score. main
Case score 57
Members 1
Latest activity 07.04.2026 15:46
Members 1
First seen 07.04.2026 15:46
Last seen 07.04.2026 15:46
Updated 07.04.2026 15:46
Overview
**ComfyUI** deployments exposed to the internet are being scanned and turned into a **cryptomining and proxy botnet**. The activity uses malicious custom nodes and **ComfyUI-Manager** handling to reach code execution, then installs mining and proxy tooling on compromised hosts.
More than **1,000 publicly accessible instances** are in scope, and the available evidence shows persistence and cleanup steps designed to keep the hosts monetizable. Exposed deployments should be reviewed and hardened immediately, with public access and custom-node exposure reduced where possible.
Active **ComfyUI** deployments are being scanned and turned into a **cryptomining and proxy botnet**. The operator uses a purpose-built Python scanner to sweep major cloud IP ranges, checks for **ComfyUI-Manager**, and installs malicious nodes when needed to reach exploitable custom nodes. That access can produce unauthenticated remote code execution, after which compromised hosts mine **Monero** with **XMRig** and **Conflux** with **lolMiner** and join a **Hysteria V2** proxy network.
Persistence steps include **ghost.sh**, repeated script execution on startup, prompt-history wiping, LD_PRELOAD hiding, and **chattr +i** locking. More than **1,000 publicly accessible instances** are in scope, so the campaign is broad enough to sustain ongoing monetization. Available evidence does not show how many hosts were fully compromised or whether every exposed instance in scope was reached.
Signals
1 derivedImpact signals
Status
Campaign status
Active
Malware context
6 families · 2 toolsTools
React2Shell
RondoDox
Member happenings
1 related
Campaign
ComfyUI cryptomining and proxy botnet campaign targeting exposed instances
Objective
Access Brokerage
Campaign
Active
Campaign
ComfyUI cryptomining and proxy botnet campaign targeting exposed instances
Objective
Access Brokerage
Campaign
Active