ShadowRay 2.0 Ray cluster hijacking campaign

Campaign
H score 47
2 unique sources, 2 articles

Summary

The ShadowRay 2.0 campaign is hijacking exposed Ray clusters on the public internet, using AI-generated payloads and CVE-2023-48022 to spread a self-propagating cryptomining botnet. The operation matters because it goes beyond mining: it also includes reported credential theft and DDoS activity. Two delivery waves were observed, with a GitLab path ending on November 5 and a GitHub path active since November 17. The target surface is large, with more than 230,000 Ray servers reportedly reachable online.

Timeline

  1. 18.11.2025 22:56 · 1 article

    GitLab-delivered ShadowRay 2.0 wave ends

    Exploitation Observed

    A GitLab-delivered ShadowRay 2.0 wave against exposed Ray clusters ended on November 5. It used CVE-2023-48022 to push payloads into Ray infrastructure reachable from the public internet.
  2. 18.11.2025 22:56 · 1 article

    GitHub-delivered ShadowRay 2.0 wave begins

    Exploitation Observed

    A GitHub-delivered ShadowRay 2.0 wave against exposed Ray clusters has been active since November 17. It uses CVE-2023-48022 to extend compromise across Ray infrastructure reachable from the public internet.
  3. 18.11.2025 22:56 · 2 articles

    ShadowRay 2.0 disclosure and analysis

    Initial Disclosure

    ShadowRay 2.0 was disclosed on November 18 as a global campaign against exposed Ray clusters on the public internet, with AI-generated payloads attributed to IronErn440 that exploit CVE-2023-48022 for self-propagating mining, open Python reverse shells, persist via cron jobs and systemd modifications, and launch Sockstress-based DDoS attacks.