CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

A cybercrime operation named 'Bizarre Bazaar' is actively targeting exposed or poorly authenticated LLM (Large Language Model) service endpoints. Over 35,000 attack sessions were recorded in 40 days, involving unauthorized access to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign highlights the emerging threat of 'LLMjacking' attacks, where attackers exploit misconfigurations in LLM infrastructure to monetize access through cryptocurrency mining and darknet markets. The SilverInc service, marketed on Telegram and Discord, resells access to more than 50 AI models in exchange for cryptocurrency or PayPal payments. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks.

Timeline

  1. 29.01.2026 20:37 1 articles · 4d ago

    175,000 Ollama Hosts Exposed Globally

    A joint investigation by SentinelOne SentinelLABS and Censys identified 175,000 unique Ollama hosts across 130 countries. Nearly half of these hosts have tool-calling capabilities, enabling them to execute code and interact with external systems. This exposes them to LLMjacking attacks, where bad actors abuse victim's LLM infrastructure resources.

    Show sources
    Open in new tab
  2. 28.01.2026 15:15 3 articles · 5d ago

    Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints

    Over a period of 40 days, researchers at Pillar Security recorded more than 35,000 attack sessions on their honeypots, leading to the discovery of the Bizarre Bazaar campaign. This campaign targets exposed or poorly authenticated LLM service endpoints to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign is attributed to three threat actors working together, with one scanning for LLM and MCP endpoints, another validating findings, and a third reselling access via the SilverInc service. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks. The SilverInc service is hosted on bulletproof infrastructure in the Netherlands and marketed on Discord and Telegram, offering access to over 30 LLMs.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Threat Actors Target Misconfigured Proxies for Paid LLM Access

Threat actors are systematically targeting misconfigured proxy servers to gain unauthorized access to commercial large language model (LLM) services. The campaign, which began in late December, has probed over 73 LLM endpoints and generated more than 80,000 sessions. The attackers use low-noise prompts to query endpoints without triggering security alerts. GreyNoise's report indicates two distinct campaigns, one of which exploits server-side request forgery (SSRF) vulnerabilities to force servers to connect to attacker-controlled infrastructure. The other campaign involves high-volume enumeration of exposed or misconfigured LLM endpoints. The targeted models include those from major providers such as OpenAI, Anthropic, Meta, Google, Mistral, Alibaba, and xAI. The activity is likely part of an organized reconnaissance effort to catalog accessible LLM services, though no exploitation or data theft has been observed yet.

Open in new tab

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Open in new tab

AI-Driven Cyberattacks Exploit Network Vulnerabilities

Adversarial AI-based attacks, such as those by Scattered Spider, are accelerating and leveraging living-off-the-land methods to spread and evade detection. These attacks use AI orchestration to perform network reconnaissance, discover vulnerabilities, move laterally, and harvest data at speeds that overwhelm manual detection methods. The Cloud Security Alliance report highlights over 70 ways autonomous AI-based agents can attack enterprise systems, expanding the attack surface beyond traditional security practices. Network Detection and Response (NDR) systems are increasingly being adopted to counter these AI-driven threats by providing real-time monitoring, analyzing network data, and identifying abnormal traffic patterns. NDR solutions can detect fast-moving, polymorphic attacks, summarize network activities, and render verdicts on potential threats, reducing the pressure on SOC analysts. Recent reports from Google's Threat Intelligence Group and Anthropic have revealed new AI-fueled attack methods, including the use of LLMs to generate malicious scripts and AI-orchestrated cyber espionage campaigns. Adversaries are also exploiting AV exclusion rules and using steganography techniques to evade detection. The combined use of NDR and EDR is essential for detecting and mitigating these sophisticated attacks.

Open in new tab

Flax Typhoon APT Group Exploits ArcGIS for Persistent Access

The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.

Open in new tab

Espionage Campaign Targeting Eastern Asia via Sogou Zhuyin Update Server Hijacking

An abandoned update server for the Sogou Zhuyin input method editor (IME) software was hijacked by threat actors to distribute malware in an espionage campaign. The campaign, codenamed TAOTH, primarily targets users in Eastern Asia, including dissidents, journalists, researchers, and technology/business leaders. The malware families deployed include C6DOOR, GTELAM, DESFY, and TOSHIS, which enable remote access, information theft, and backdoor functionality. The attack chain begins with a compromised update process that fetches malicious payloads from a hijacked domain. The campaign was identified in June 2025, with the domain hijacking occurring in October 2024. The malware families were first detected between December 2024 and May 2025. The primary targets are in Taiwan, accounting for 49% of all targets, followed by Cambodia and the U.S. The attackers also used phishing websites and fake cloud storage pages to distribute TOSHIS. The TAOTH campaign shares infrastructure and tooling overlap with previously documented threat activity by ITOCHU, indicating a persistent threat actor focused on reconnaissance, espionage, and email abuse.

Open in new tab