ComfyUI cryptomining and proxy botnet campaign targeting exposed instances
Campaign
Summary
An active campaign is scanning for exposed ComfyUI instances, exploiting unsafe custom nodes, and enlisting compromised hosts into a cryptomining and proxy botnet. The operation matters because it enables unauthenticated remote code execution on vulnerable deployments and converts them into monetizable infrastructure. More than 1,000 publicly accessible instances are in scope, indicating broad exposure.
Related Happenings
Widespread exposure and misconfiguration in self-hosted AI infrastructure
Target Trend
First: 05.05.2026 13:30
Last: 05.05.2026 13:30
Sources 1
About this happening:
A large-scale measurement found **self-hosted AI infrastructure** was being deployed with **widespread exposure and no authentication**, creating a broad risk of data theft, workf...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
**Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
OpenClaw public-facing remote code execution flaw with public exploit code
Vulnerability
First: 09.02.2026 11:30
Last: 09.02.2026 11:30
Sources 1
About this happening:
**OpenClaw** deployments exposed to the public internet face **RCE risk**, with **12,812 instances** reportedly exploitable and **public exploit code** available. SecurityScorecar...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Timeline
06.04.2026 03:00 · 2 articles
ComfyUI deployments targeted for botnet enrollment
Initial Disclosure
An active campaign targets internet-exposed ComfyUI deployments with a purpose-built Python scanner that sweeps cloud IP ranges, checks for ComfyUI-Manager, installs a vulnerable node package when needed, and weaponizes custom nodes for unauthenticated remote code execution. Compromised hosts are added to a cryptomining stack using XMRig and lolMiner, enrolled in a Hysteria V2 botnet, and subjected to persistence and cleanup steps including repeated shell-script downloads, prompt-history wiping, LD_PRELOAD hiding, and chattr +i locking; more than 1,000 publicly accessible ComfyUI instances are in scope.
- Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com — 07.04.2026 15:46
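A host-side audit for the exposure and persistence artifacts named in the timeline entry, written as an added example rather than code from the report or any of its sources. It assumes the LD_PRELOAD hiding is done through `/etc/ld.so.preload`, that `chattr +i` locking shows up as an `i` flag in `lsattr` output, that ComfyUI listens on its default port 8188, and that the operator feeds it captured command output; every sample input below is constructed.

```python
import re
from typing import Dict, List

# Formats of the two command outputs parsed below: 'lsattr <path>' and 'ss -ltn'.
LSATTR_RE = re.compile(r"^(?P<attrs>\S+)\s+(?P<path>/\S+)$")
SS_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s")
COMFYUI_PORT = "8188"  # ComfyUI's default listening port (assumed for this example)

def parse_ld_preload(text: str) -> List[str]:
    """Return library paths listed in an ld.so.preload file, ignoring comments."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs

def parse_lsattr(output: str) -> Dict[str, str]:
    """Map each path in 'lsattr' output to its attribute string."""
    result = {}
    for line in output.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m:
            result[m.group("path")] = m.group("attrs")
    return result

def audit(preload_text: str, lsattr_output: str, ss_output: str) -> List[str]:
    """Return one finding per matched artifact; an empty list means nothing matched."""
    findings = []
    # Any preload entry on an AI server deserves review: this is the LD_PRELOAD hiding hook.
    for lib in parse_ld_preload(preload_text):
        findings.append(f"ld.so.preload loads {lib}")
    # A lowercase 'i' in the attribute string is the immutable bit set by chattr +i.
    for path, attrs in parse_lsattr(lsattr_output).items():
        if "i" in attrs:
            findings.append(f"immutable attribute set on {path}")
    # ComfyUI bound to all interfaces is exactly the exposure the scanner sweeps for.
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if m and m.group("port") == COMFYUI_PORT and m.group("addr") in ("0.0.0.0", "*", "[::]"):
            findings.append(f"ComfyUI listening on all interfaces ({m.group('addr')}:{COMFYUI_PORT})")
    return findings

# Constructed sample inputs (not real indicators): each check gets exactly one hit.
SAMPLE_PRELOAD = "# constructed\n/tmp/.cache/libhide.so\n"
SAMPLE_LSATTR = "----i---------e------- /etc/ld.so.preload\n--------------e------- /etc/hosts\n"
SAMPLE_SS = ("LISTEN 0      128    0.0.0.0:8188      0.0.0.0:*\n"
             "LISTEN 0      128    127.0.0.1:631     0.0.0.0:*\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_PRELOAD, SAMPLE_LSATTR, SAMPLE_SS):
        print("FINDING:", finding)
```

On a real host, run it on the output of `cat /etc/ld.so.preload`, `lsattr` over the paths you care about, and `ss -ltn`; a ComfyUI instance that must be reachable should sit behind an authenticating reverse proxy rather than on 0.0.0.0.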