Full Report
A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter
Analysis Summary
# Tool/Technique: NadMesh Botnet
## Overview
NadMesh is a sophisticated, "product-grade" Go-based botnet first detected in early July 2026. Its primary objective is the automated identification and exploitation of exposed Artificial Intelligence (AI) services and model runners. Unlike traditional botnets seeking compute for DDoS, NadMesh focuses on **credential harvesting**, specifically targeting cloud access keys, Kubernetes tokens, and AI model inventories to facilitate lateral movement and data exfiltration from cloud environments.
## Technical Details
- **Type:** Malware Family (Botnet / Information Stealer)
- **Platform:** Cross-platform (Go-based); targets Linux/Cloud environments, Docker containers, and Kubernetes clusters.
- **Capabilities:** Wide-scale scanning (via Shodan integration), RCE exploitation, credential theft, and honeypot evasion.
- **First Seen:** Early July 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1190 - Exploit Public-Facing Application]
- [T1584.005 - Compromise Infrastructure: Botnet]
- **[TA0007 - Discovery]**
- [T1046 - Network Service Discovery]
- [T1613 - Container and Cloud Infrastructure Discovery]
- **[TA0006 - Credential Access]**
- [T1552.001 - Unsecured Credentials: Files]
- [T1552.004 - Unsecured Credentials: Private Keys]
- **[TA0005 - Defense Evasion]**
- [T1497.001 - Virtualization/Sandbox Evasion: System Checks (Honeypot detection)]
## Functionality
### Core Capabilities
- **AI Service Hunting:** Specifically targets ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio.
- **Credential Exfiltration:** Scans for and steals AWS keys (`~/.aws/config`), Docker credentials (`~/.docker/config.json`), Kubernetes service account tokens, and `.env` files.
- **Dynamic Scanning:** Uses a "Shodan harvester" to feed queues; implements an aggressive resampling strategy where "dangerous" IPs are rescanned every 15 minutes.
- **Multi-Vector Exploitation:** Targets Docker APIs, Jenkins (script/text RCE), Redis, and Telnet (weak passwords).
### Advanced Features
- **MCP Exploitation:** Targets the Model Context Protocol (MCP) using a specific `execute_command` JSON-RPC call to achieve RCE on unauthenticated AI agents.
- **Honeypot Evasion:** Automatically blacklists targets that fail to return results after ten deployment attempts to avoid detection by security researchers.
- **Model Inventorying:** Catalogues accessible AI models (e.g., DeepSeek, GLM, Kimi) tagged with `:cloud` identifiers.
## Indicators of Compromise
- **File Names:** `n4d mesh controller` (string found in source).
- **Network Indicators:**
- C2 Traffic: Communication with various staging endpoints (e.g., `33.8-GO-TITAN` build versions).
- Scanning Sources: Approximately 139 distinct source IPs (as of July 2026).
- **Behavioral Indicators:**
- High volume of outbound JSON-RPC calls (`tools/call` to `execute_command`).
- Mass scanning for ports associated with Ollama (11434), Gradio (7860), and n8n (5678).
- Specific Docker and Jenkins RCE exploit patterns.
## Associated Threat Actors
- **Unknown Operator:** Currently tracked via the "NadMesh" dashboard which claims thousands of successful AWS key captures.
## Detection Methods
- **Signature-based:** Detect the `n4d mesh` controller string and specific Go-build artifacts.
- **Behavioral:**
- Monitoring for unauthorized access to `~/.aws/` and `~/.docker/` directories.
- Alerting on unexpected outbound traffic from AI model runner services to external IP addresses.
- Identification of the `execute_command` string within JSON-RPC payloads on AI-related ports.
## Mitigation Strategies
- **Network Hardening:** Place all AI services (Ollama, ComfyUI, etc.) behind a VPN or robust firewall; do not expose these services directly to the internet.
- **Authentication:** Enforce strict authentication for Model Context Protocol (MCP) servers and Docker APIs.
- **Secret Management:** Avoid storing long-lived AWS keys and service account tokens in environment variables or plain-text config files; use IAM roles or short-lived tokens.
- **Monitoring:** Implement logging for Jenkins `script/text` endpoints and Redis instances.
## Related Tools/Techniques
- **PCPJack:** A similar credential stealer targeting misconfigured cloud services.
- **Cryptojacking campaigns:** Often use similar entry vectors (Docker/Jenkins) but for different end goals.
- **Masscan/Shodan:** Tools utilized by the operator for reconnaissance.