ShadowRay 2.0 Campaign Hijacks Ray Clusters for Cryptomining and DDoS Attacks
Summary
A threat actor, tracked as IronErn440, is exploiting an old code execution flaw (CVE-2023-48022) in exposed Ray Clusters to convert them into a self-propagating cryptomining botnet. The campaign, dubbed ShadowRay 2.0, also involves data and credential theft, as well as distributed denial-of-service (DDoS) attacks. The vulnerability affects over 230,000 Ray servers exposed on the internet. The attacks use AI-generated payloads to compromise vulnerable Ray infrastructure, leveraging the Ray Jobs API to deploy malware across all nodes. The payloads include a crypto-mining module that mines Monero using XMRig while evading detection by capping CPU usage at 60%. The attacker also ensures exclusive mining access by terminating rival mining scripts and blocking other mining pools. The campaign has two attack waves: one using GitLab for payload delivery, which ended on November 5, and another using GitHub, ongoing since November 17. The attackers have also been found to use the Sockstress tool to launch DDoS attacks, targeting port 3333, which is commonly used by mining pools.
Timeline
- 18.11.2025 22:56 (2 articles)
  ShadowRay 2.0 Campaign Exploits Ray Clusters for Cryptomining and DDoS Attacks
  The campaign has been active since September 2024. The malware checks if the victim is located in China and serves a region-specific version of the malware. The attackers have created a new GitHub account to resume operations after takedown efforts. The campaign uses the Sockstress tool to launch DDoS attacks, targeting port 3333, which is commonly used by mining pools.
  Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
Information Snippets
- ShadowRay 2.0 is a continuation of a previous campaign that ran from September 2023 to March 2024.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The campaign exploits CVE-2023-48022, a critical vulnerability in Ray Clusters that remains unfixed due to the framework's design for trusted environments.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- Over 230,000 Ray servers are exposed on the internet, a significant increase from the few thousand observed during the initial ShadowRay campaign.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The payloads used in the attacks are AI-generated, as indicated by code structure, comments, and error handling patterns.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The crypto-mining module checks for CPU and GPU resources and prefers systems with at least eight cores and root privileges.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The malware uses deceptive file locations and fake process names like 'dns-filter' to evade detection.
  First reported: 18.11.2025 22:56 (1 source, 1 article). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- The attacker ensures exclusive mining access by terminating rival mining scripts and blocking other mining pools via /etc/hosts and iptables.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The malware opens multiple Python reverse shells for interactive control, allowing access to and potential exfiltration of workload environment data, MySQL credentials, proprietary AI models, and source code.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The campaign includes DDoS attacks using the Sockstress tool, which exploits asymmetric resource consumption.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- A script is executed every 15 minutes to check the GitHub repository for updated payloads.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- Since there is no available fix for CVE-2023-48022, users are advised to follow vendor-recommended best practices, such as deploying Ray in a secure, trusted environment and protecting clusters with firewall rules and security group policies.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- Oligo suggests adding authorization on top of the Ray Dashboard port (8265 by default) and implementing continuous monitoring on AI clusters to identify anomalous activity.
  First reported: 18.11.2025 22:56 (2 sources, 2 articles). Sources:
- New ShadowRay attacks convert Ray clusters into crypto miners — www.bleepingcomputer.com — 18.11.2025 22:56
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
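The exposure check behind the Dashboard-port recommendation above, as an added example that is not Oligo's or the Ray project's code: it parses the Linux /proc/net/tcp tables and reports any listener on 8265 that is bound beyond loopback, i.e. a dashboard reachable from off the host without the authorization layer Oligo suggests. It assumes Linux and the /proc/net/tcp column layout; the sample table is constructed.

```python
"""Flag a Ray Dashboard listener (default port 8265) bound to a wildcard address.
Constructed example, not Oligo's or Ray's code; assumes Linux /proc/net/tcp format."""
import socket
import struct
RAY_DASHBOARD_PORT = 8265  # Ray default dashboard/Jobs API port
LISTEN_STATE = "0A"        # TCP state code for LISTEN in /proc/net/tcp

def _decode_ipv4(hex_addr):
    # IPv4 is stored as a little-endian 32-bit hex word, e.g. 0100007F -> 127.0.0.1
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def _decode_ipv6(hex_addr):
    # IPv6 is four little-endian 32-bit words back to back
    words = [struct.pack("<I", int(hex_addr[i:i + 8], 16)) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))

def parse_listeners(table):
    """Return [(address, port)] for every LISTEN row of a /proc/net/tcp[6] table."""
    listeners = []
    for line in table.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue  # established/closing sockets are not exposure
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        addr = _decode_ipv4(addr_hex) if len(addr_hex) == 8 else _decode_ipv6(addr_hex)
        listeners.append((addr, int(port_hex, 16)))
    return listeners

def exposed_dashboard_bindings(table, port=RAY_DASHBOARD_PORT):
    """Addresses on which `port` listens that are reachable beyond loopback."""
    return [a for a, p in parse_listeners(table) if p == port and a not in ("127.0.0.1", "::1")]

def audit_host(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Read the live tables on a Linux host; an empty result means nothing exposed."""
    found = []
    for path in paths:
        try:
            with open(path) as fh:
                found.extend(exposed_dashboard_bindings(fh.read()))
        except OSError:
            pass  # not Linux, or no permission: skip that table
    return found

# Constructed sample: 8265 on 0.0.0.0 (exposed), 6379 on loopback, one established 8265 connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2049 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2049 0A00000A:D431 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 0 10 -1
"""
```

Running `audit_host()` on a Ray head node returns the non-loopback addresses 8265 is bound to; anything other than an empty list should be fronted by an authenticating proxy or fenced off with the firewall rules the page recommends.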
- The campaign has been active since September 2024.
  First reported: 20.11.2025 19:24 (1 source, 1 article). Sources:
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The malware checks if the victim is located in China and serves a region-specific version of the malware.
  First reported: 20.11.2025 19:24 (1 source, 1 article). Sources:
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The attackers have created a new GitHub account to resume operations after takedown efforts.
  First reported: 20.11.2025 19:24 (1 source, 1 article). Sources:
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
- The campaign uses the Sockstress tool to launch DDoS attacks, targeting port 3333, which is commonly used by mining pools.
  First reported: 20.11.2025 19:24 (1 source, 1 article). Sources:
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet — thehackernews.com — 20.11.2025 19:24
Similar Happenings
Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways
Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.
ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks
The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.
Misconfigured Docker APIs Exploited in TOR-Based Cryptojacking Campaign
A new variant of a TOR-based cryptojacking campaign targets exposed Docker APIs. The attack involves executing a new container based on the Alpine Docker image and mounting the host file system. The attackers then run a Base64-encoded payload to download a shell script downloader from a .onion domain. The script installs tools for reconnaissance and communication with a command-and-control (C2) server. The campaign may aim to establish a complex botnet. The attack chain includes exploiting additional ports (23, 9222) and using known default credentials for brute-forcing logins. The malware scans for open Docker API services at port 2375 and propagates the infection to those machines. The attackers block external access to port 2375 using available firewall utilities and install persistent SSH access. The malware includes dormant logic for future expansion opportunities for credential theft, browser session hijacking, remote file download, and distributed denial-of-service (DDoS) attacks. The campaign highlights the importance of securing Docker APIs and limiting exposure of services to the internet.
RingReaper post-exploitation tool leverages io_uring to evade Linux EDRs
A sophisticated post-exploitation tool named RingReaper has emerged, targeting Linux systems. It uses the io_uring framework to evade detection by endpoint detection and response (EDR) systems. RingReaper performs various malicious activities, including process discovery, network enumeration, and privilege escalation, while minimizing its footprint. The tool has been observed in the wild since mid-2025, primarily targeting enterprise Linux servers and cloud workloads. The malware's use of io_uring allows it to bypass traditional syscall hooks relied upon by most Linux EDRs, making it difficult to detect. RingReaper includes a self-destruct feature to erase its presence from the system, further complicating forensic analysis. The tool also enumerates system processes, active pseudo-terminal sessions, network connections, and logged-in users, and collects user information from the /etc/passwd file. It abuses SUID binaries for privilege escalation. The tool's development indicates a high level of sophistication, suggesting it was created by a well-funded actor with deep knowledge of Linux kernel APIs and asynchronous I/O.