ComfyUI cryptomining botnet campaign leverages exposed instances via custom nodes and ComfyUI-Manager for RCE
Summary
An opportunistic cryptomining and proxy botnet campaign is actively recruiting over 1,000 internet-exposed ComfyUI instances—an open-source Stable Diffusion platform—via remote code execution (RCE) exploits against unauthenticated deployments and ComfyUI-Manager installations. The attack chain begins with a Python-based scanner that enumerates cloud IP ranges for vulnerable ComfyUI instances, identifying those with custom node families that accept raw Python code execution or ComfyUI-Manager installations. Successful exploitation installs malware that mines Monero and Conflux, and adds compromised hosts to the Hysteria V2 botnet, all managed through a Flask-based C2 dashboard. The operation includes sophisticated persistence mechanisms, competitor botnet sabotage, and evidence-clearing techniques, indicating a technically competent yet opportunistic actor targeting widely deployed AI inference services for financial gain.
Timeline
- 07.04.2026 15:46 · 1 article
ComfyUI cryptomining and proxy botnet campaign expands to over 1,000 exposed instances via RCE
A Python-based scanner continuously enumerates cloud IP ranges for ComfyUI instances and exploits RCE via vulnerable custom nodes or ComfyUI-Manager installations. Compromised hosts are enrolled in XMRig/Monero and lolMiner/Conflux mining operations and added to a Hysteria V2 proxy botnet, managed through a Flask-based C2 dashboard. The attacker uses advanced persistence techniques, competitor botnet sabotage (e.g., Hisana), and evidence-clearing, while leveraging bulletproof hosting infrastructure associated with Aeza Group.
Sources:
- Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com — 07.04.2026 15:46
Information Snippets
- Exposed ComfyUI instances are being systematically scanned and exploited via RCE through custom nodes that accept arbitrary Python code without authentication.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- The campaign leverages two reconnaissance tools to identify exposed ComfyUI instances with ComfyUI-Manager installed or vulnerable custom node families, including Vova75Rus/ComfyUI-Shell-Executor, filliptm/ComfyUI_Fill-Nodes, seanlynch/srl-nodes, and ruiqutech/ComfyUI-RuiquNodes.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- If no exploitable nodes are found, the scanner installs a malicious ComfyUI-Manager package to enable RCE, then retries exploitation.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- Compromised hosts are enrolled in cryptomining operations using XMRig (Monero) and lolMiner (Conflux), and added to a Hysteria V2 proxy botnet, all controlled via a Flask-based C2 dashboard.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- Persistence is achieved through a shell script that disables shell history, kills competing miners, and uses LD_PRELOAD to hide a watchdog process; it also copies miners to multiple locations and locks binaries with 'chattr +i' to prevent deletion.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- The attacker sabotages a competing botnet named 'Hisana' by overwriting its wallet configuration, occupying its C2 port (10808), and blocking restart attempts.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- Attack infrastructure was initially discovered via an open directory on 77.110.96[.]200, a bulletproof hosting provider associated with Aeza Group, containing tools for reconnaissance, exploitation, and post-exploitation.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- The campaign's shell script (ghost.sh) is re-downloaded and re-executed every six hours, and again on each ComfyUI startup, to maintain persistence.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
- SSH login attempts as root were observed to 120.241.40[.]237, an IP linked to a known Redis worm campaign, suggesting possible shared infrastructure or tactics with broader opportunistic campaigns.
  First reported: 07.04.2026 15:46 · 1 source, 1 article · Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign — thehackernews.com
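As an added example (not code from the article or from any project it names), a Python audit helper for a ComfyUI host that flags the four named custom node families and ComfyUI-Manager under custom_nodes/, entries in /etc/ld.so.preload, cron lines referencing ghost.sh or its persistence primitives, and a listener on the Hisana C2 port 10808. The directory names assumed under custom_nodes/ and the use of /etc/ld.so.preload as the persistent form of LD_PRELOAD are assumptions, as is the /proc/net/tcp column layout (sl, local_address, rem_address, st).

```python
import os
import re

# Added audit helpers for a ComfyUI host, built from indicators the article reports.
# Keys are lowercase directory names assumed to appear under custom_nodes/ for these repos.
RISKY_NODE_FAMILIES = {
    "comfyui-shell-executor": "Vova75Rus/ComfyUI-Shell-Executor",
    "comfyui_fill-nodes": "filliptm/ComfyUI_Fill-Nodes",
    "srl-nodes": "seanlynch/srl-nodes",
    "comfyui-ruiqunodes": "ruiqutech/ComfyUI-RuiquNodes",
    "comfyui-manager": "ComfyUI-Manager (installer abused for RCE when no such node exists)",
}
# ghost.sh is re-run on a schedule; LD_PRELOAD and chattr +i are its persistence primitives.
PERSISTENCE_RE = re.compile(r"ghost\.sh|LD_PRELOAD|chattr\s+\+i", re.I)

def find_risky_nodes(custom_nodes_dir):
    """Risky node families installed under custom_nodes/ (directory-name match, case-insensitive)."""
    if not os.path.isdir(custom_nodes_dir):
        return []
    return [RISKY_NODE_FAMILIES[e.lower()] for e in sorted(os.listdir(custom_nodes_dir))
            if e.lower() in RISKY_NODE_FAMILIES]

def ld_preload_entries(preload_path="/etc/ld.so.preload"):
    """Libraries injected into every process; the campaign hides its watchdog this way."""
    if not os.path.isfile(preload_path):
        return []
    with open(preload_path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]

def suspicious_cron_lines(crontab_text):
    """Non-comment cron entries that mention ghost.sh or the script's persistence tricks."""
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and PERSISTENCE_RE.search(ln)]

def listeners_on_port(proc_net_tcp_text, port=10808):
    """Local addresses in LISTEN state (st == 0A) on `port`, parsed from /proc/net/tcp text.
    10808 is the Hisana C2 port the campaign occupies on infected hosts."""
    hits = []
    for ln in proc_net_tcp_text.splitlines()[1:]:  # first row is the column header
        cols = ln.split()
        if len(cols) >= 4 and cols[3] == "0A" and int(cols[1].split(":")[1], 16) == port:
            hits.append(cols[1])
    return hits

def audit(custom_nodes_dir, preload_path="/etc/ld.so.preload", crontab_text="", proc_net_tcp_text=""):
    """All findings as (check, detail) pairs; an empty list means nothing was flagged."""
    return ([("risky_node", n) for n in find_risky_nodes(custom_nodes_dir)]
            + [("ld_preload", e) for e in ld_preload_entries(preload_path)]
            + [("cron", c) for c in suspicious_cron_lines(crontab_text)]
            + [("port_10808", a) for a in listeners_on_port(proc_net_tcp_text)])
```

On a live host, pass the ComfyUI custom_nodes path, the output of `crontab -l` (and /etc/cron.d files) and the contents of /proc/net/tcp to audit(); a hit on any check is a reason to isolate the host and review it rather than just delete files, since chattr +i and the watchdog will otherwise restore them.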