
ShadowRay 2.0 cryptomining malware on Ray clusters

Malware Activity
Happening score: 39
2 unique sources, 2 articles

Summary


A ShadowRay 2.0 payload is turning exposed Ray clusters into a cryptomining botnet, giving the operators persistent unauthorized access and running Monero mining on the compromised infrastructure. The malware abuses CVE-2023-48022 to deploy multi-stage Bash and Python payloads across cluster nodes. It mines Monero with XMRig while capping CPU use at 60% to stay under detection thresholds, and it also drops reverse shells and establishes persistence.

Related Happenings

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 · Last: 12.05.2026 14:07 · Sources: 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Pirated software installer cryptojacking campaign

Campaign
First: 18.02.2026 18:00 · Last: 18.02.2026 18:00 · Sources: 1

About this happening: A **cryptojacking campaign** now spreads through **pirated software bundles**, using a **multi-stage infection chain** to deploy a **bespoke XMRig miner** and maintain persistence...

Sympy-dev malicious PyPI package delivers XMRig payloads on Linux

Malware Activity
First: 22.01.2026 12:04 · Last: 22.01.2026 12:04 · Sources: 1

About this happening: The malicious **sympy-dev** package on **PyPI** impersonates **SymPy** and delivers a **downloader** that can fetch and execute **XMRig**-related payloads on **Linux hosts**, crea...

EtherRAT remote access trojan with blockchain-based C2

Malware Activity
First: 09.12.2025 19:15 · Last: 09.12.2025 19:15 · Sources: 1

About this happening: **EtherRAT** is now a live **Linux RAT** threat because it combines **Ethereum smart contracts** for C2 with multiple persistence layers, making blocked infrastructure less effect...

Ray missing-auth flaw (CVE-2023-48022)

Vulnerability
First: 20.11.2025 19:24 · Last: 20.11.2025 19:24 · Sources: 1

How related: At its core, the attack exploits a critical missing-authentication bug (CVE-2023-48022, CVSS 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining with XMRig.

About this happening: **CVE-2023-48022** in **Ray** is being actively exploited against exposed clusters, letting attackers take over susceptible instances and steal GPU capacity for **cryptomining**....

Timeline

  1. 20.11.2025 19:24 · 1 article · 6mo ago

    ShadowRay 2.0 adds sockstress DDoS capability

    Technical Analysis Update

    ShadowRay 2.0 is abusing compromised Ray clusters to deploy sockstress, a TCP state-exhaustion tool, against production websites, expanding the self-replicating XMRig cryptomining botnet into a multi-purpose attack platform that can also pressure rival mining infrastructure on port 3333.

  2. 18.11.2025 22:56 · 1 article · 6mo ago

    ShadowRay 2.0 GitLab payload wave ends on November 5

    Campaign Scope Update

    ShadowRay 2.0 used GitLab for payload delivery against exposed Ray clusters, and one observed wave terminated on November 5 after abusing CVE-2023-48022 to submit jobs through Ray's unauthenticated Jobs API and spread multi-stage Bash and Python payloads across nodes.

  3. 18.11.2025 22:56 · 1 article · 6mo ago

    ShadowRay 2.0 GitHub payload wave ongoing since November 17

    Exploitation Observed

    ShadowRay 2.0 activity shifted to GitHub-based payload delivery against exposed Ray clusters reachable over the public internet, with one observed wave ongoing since November 17 while continuing to abuse CVE-2023-48022 for multi-stage execution and cluster-to-cluster spreading.

  4. 18.11.2025 22:56 · 1 article · 6mo ago

    Oligo discloses ShadowRay 2.0 campaign details on November 18

    Initial Disclosure

    On November 18, Oligo publicly described ShadowRay 2.0 as a global campaign against exposed Ray clusters, attributing it to IronErn440 and noting AI-generated payloads, XMRig-based Monero mining, Python reverse shells, cron and systemd persistence, rival-miner suppression, and Sockstress DDoS capability. Oligo's guidance was to restrict access with firewall rules and security group policies, enforce authorization on the Ray Dashboard, and monitor clusters continuously.
