Full Report
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet. "A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already
Analysis Summary
# Incident Report: ComfyUI Cryptomining and Proxy Botnet Campaign
## Executive Summary
An active campaign is targeting internet-exposed ComfyUI instances to enlist them into a dual-purpose cryptomining and proxy botnet. Attackers use a custom Python scanner to identify unauthenticated deployments and exploit "custom nodes" to achieve Remote Code Execution (RCE). Compromised systems are forced to mine Monero and Conflux while acting as Hysteria V2 botnet nodes, managed via a centralized Flask C2 dashboard.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** Ongoing (Reported April 07, 2026)
- **Affected Organization:** Multiple (Global)
- **Sector:** Technology / Artificial Intelligence / Cloud Computing
- **Geography:** Global (targeting major cloud IP ranges)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing active campaign.
- **Vector:** Exploitation of unauthenticated, internet-exposed ComfyUI web interfaces.
- **Details:** Attackers sweep major cloud IP ranges using a Python-based reconnaissance tool. They target unauthenticated instances that have "custom nodes" installed which allow arbitrary Python code execution.
### Lateral Movement
- **Details:** If ComfyUI-Manager is present but no exploitable nodes exist, the attacker automatically installs a malicious or vulnerable node package (e.g., `ComfyUI-Shell-Executor`) to create an execution path.
### Data Exfiltration/Impact
- **Details:** Unauthorized resource consumption for mining Monero (XMRig) and Conflux (lolMiner). Enrollment of host into a Hysteria V2 proxy botnet.
### Detection & Response
- **How it was discovered:** Censys researchers identified an open directory on a known "bulletproof" hosting IP (`77.110.96[.]200`) containing the attacker's toolset.
- **Response actions taken:** Security researchers published indicators and methodologies; users are advised to restrict access to ComfyUI instances.
## Attack Methodology
- **Initial Access:** Scanning for exposed ComfyUI ports (default 8188) and exploiting custom nodes that accept raw Python input.
- **Persistence:** Implementation of a shell script (`ghost.sh`) that re-downloads every 6 hours; exploit workflows re-execute on ComfyUI startup; use of `chattr +i` to make binaries immutable.
- **Defense Evasion:** Clearing ComfyUI prompt history; killing "competitor" miners; using `LD_PRELOAD` hooks to hide watchdog processes; disabling shell history.
- **Discovery:** Python scanners specifically check for node families: `ComfyUI-Shell-Executor`, `ComfyUI_Fill-Nodes`, `srl-nodes`, and `ComfyUI-RuiquNodes`.
- **Impact:** System resource hijacking for financial gain (cryptojacking) and network bandwidth exploitation (proxy botnet).
## Impact Assessment
- **Financial:** High operational costs for victims due to 100% CPU/GPU utilization in cloud environments.
- **Data Breach:** Exposure of local files and proprietary AI workflows/models on the compromised server.
- **Operational:** Severe performance degradation of AI rendering tasks; systems become part of a malicious botnet.
- **Reputational:** Hosting of malicious proxy traffic can lead to IP blacklisting and legal scrutiny.
## Indicators of Compromise
- **Network Indicators:**
- `77.110.96[.]200` (C2 and Tooling Host)
- Flask-based C2 dashboard communications
- **File Indicators:**
- `ghost.sh`
- `ComfyUI-Shell-Executor` (Malicious custom node)
- Presence of XMRig or lolMiner binaries in unexpected directories.
- **Behavioral Indicators:**
- Sudden spikes in CPU/GPU usage.
- Immutable attribute (set with `chattr +i`) present on binaries that should be writable.
- ComfyUI prompt history being unexpectedly cleared.
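A host-side audit for the file and behavioral indicators listed above, written here as an added example (not code from the Censys report). It assumes a Linux host, that each installed node is a directory under the ComfyUI checkout's `custom_nodes`, and that `lsattr` (e2fsprogs) is available for the immutable-attribute check; the scan directories are assumptions you should adjust to the host.

```python
"""Audit a Linux host for the ComfyUI botnet indicators named in this report."""
import os
import subprocess
from pathlib import Path

# Custom-node families the attacker's scanner probes for, as listed in the report.
RISKY_NODE_FAMILIES = ("ComfyUI-Shell-Executor", "ComfyUI_Fill-Nodes",
                       "srl-nodes", "ComfyUI-RuiquNodes")
# File names the report associates with the campaign: persistence script and miners.
SUSPECT_FILENAMES = ("ghost.sh", "xmrig", "lolminer")

def classify_custom_nodes(names):
    """Return installed custom_nodes entries that match a risky family (case-insensitive)."""
    risky = {f.lower() for f in RISKY_NODE_FAMILIES}
    return sorted(n for n in names if n.lower() in risky)

def parse_ld_preload(text):
    """Return the active entries of /etc/ld.so.preload; each one is injected into every new process."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def parse_lsattr(output):
    """Return paths whose lsattr flag field contains 'i' (immutable, i.e. chattr +i was applied)."""
    rows = [ln.split(None, 1) for ln in output.splitlines()]
    return [path for flags, path in (r for r in rows if len(r) == 2) if "i" in flags]

def find_suspect_files(roots):
    """Walk the given directories and return files whose basename is a suspect name."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            hits += [os.path.join(dirpath, f) for f in files if f.lower() in SUSPECT_FILENAMES]
    return sorted(hits)

def audit_host(comfy_root, scan_dirs=("/usr/local/bin", "/tmp", "/var/tmp", "/dev/shm")):
    """Collect all findings for one host; an empty list means that indicator was not observed."""
    nodes_dir = Path(comfy_root) / "custom_nodes"  # assumed layout: one entry per node
    names = [p.name for p in nodes_dir.iterdir()] if nodes_dir.is_dir() else []
    preload = Path("/etc/ld.so.preload")
    try:  # lsattr ships with e2fsprogs; a missing tool simply yields no immutable findings
        lsattr_out = subprocess.run(["lsattr", "-R", *scan_dirs],
                                    capture_output=True, text=True).stdout
    except FileNotFoundError:
        lsattr_out = ""
    return {"risky_nodes": classify_custom_nodes(names),
            "ld_preload": parse_ld_preload(preload.read_text() if preload.is_file() else ""),
            "immutable": parse_lsattr(lsattr_out),
            "suspect_files": find_suspect_files(scan_dirs)}
```

Run `audit_host("/path/to/ComfyUI")` on the suspect machine; any non-empty list warrants the containment steps below, and a non-empty `ld_preload` in particular means process listings on that host cannot be trusted.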
## Response Actions
- **Containment:** Immediately disconnect exposed ComfyUI instances from the public internet or place them behind a VPN/Firewall.
- **Eradication:** Remove malicious custom nodes; delete identified mining binaries; clear `LD_PRELOAD` configurations; audit/reset `chattr` attributes on files.
- **Recovery:** Re-image affected instances to ensure no persistent backdoors remain; update ComfyUI and all nodes.
## Lessons Learned
- **Key Takeaways:** Running development or experimental AI software (like ComfyUI) with default settings on the public internet is extremely high-risk.
- **Vulnerabilities:** The "Custom Node" ecosystem in stable diffusion tools lacks a unified security permission model, allowing unauthenticated RCE by design in many cases.
## Recommendations
- **Access Control:** Never expose ComfyUI to the public internet without a reverse proxy requiring authentication (NGINX basic auth, Cloudflare Access, or VPN).
- **Network Segmentation:** Limit the AI server's egress traffic so it cannot reach C2 servers or join botnets.
- **Monitoring:** Implement file integrity monitoring (FIM) and resource alerts to detect cryptomining early.