LCyW uCBjb

ComfyUI Servers Hijacked for Cryptomining, Proxy Botnet Ops

Hackers are aggressively hijacking Internet-exposed ComfyUI servers and converting them into high‑value cryptomining rigs and proxy botnet nodes, abusing weakly secured AI image-generation setups for long‑term monetization.

More than 1,000 ComfyUI servers are currently reachable on the public Internet, even after filtering out honeypots, giving attackers a small but lucrative attack surface concentrated on GPU‑rich cloud infrastructure.

Once compromised, hosts are folded into two revenue streams: Monero and Conflux cryptomining, and a Hysteria v2–based proxy botnet, both coordinated through a Flask-powered command‑and‑control (C2) panel.

ComfyUI is a node‑based interface for Stable Diffusion and other AI models, commonly deployed on high‑end cloud GPUs and often left exposed without authentication for ease of remote access.

Censys ARC researchers uncovered an active campaign that systematically scans for unauthenticated ComfyUI instances and exploits their custom node ecosystem to gain remote code execution (RCE).

Censys search for ComfyUI (because there are a LOT of ComfyUI honeypots, and looking over the attackers’ logs, they ran into many themselves), we still find over 1,000 Internet-exposed instances.

 Internet-wide exploitation (Source : Censys).
 Internet-wide exploitation (Source : Censys).

The attackers focus on ComfyUI’s extensible custom node ecosystem, where some nodes are designed to execute arbitrary Python code passed in workflow parameters.

By abusing nodes such as FL_CodeNode, SrlEval, and similar “code execution” components, the scanner can submit a crafted workflow to the /prompt endpoint and run attacker‑controlled Python with the full privileges of the ComfyUI process.

This effectively turns misconfigured ComfyUI deployments into RCE endpoints without needing a traditional software vulnerability.

ComfyUI Servers Hijacked

The campaign’s backbone is a purpose‑built Python scanner that continuously sweeps curated IP ranges for AWS, GCP, Oracle Cloud, and other major providers, handling hundreds of concurrent checks every 3–4 hours.

Simple scanning (Source : Censys).
Simple scanning (Source : Censys).

For each live ComfyUI service, the tool queries /object_info, identifies dangerous custom nodes, and, if found, immediately pushes a malicious workflow that downloads and runs a second‑stage shell script from attacker infrastructure.

If no exploitable node exists but ComfyUI‑Manager is installed, the scanner uses Manager APIs to install a malicious package (ComfyUI‑Shell‑Executor) via pip, reboot the service, and then reattempt the same RCE path.

Version 8.2 of the scanner further adds two backdoors: a fake “GPU Performance Monitor” node that re-fetches the payload every six hours and a poisoned default startup workflow that auto‑executes the exploit on every ComfyUI restart.

The downloaded second stage, ghost.sh (GHOST v5.1) is a multi‑component loader and miner that focuses on stealth, resilience, and competition with other botnets.

NODES_TO_INSTALL gained a new entry at the top, and the install logic became a little different, trying four different methods in sequence for each package.

ComfyUI nodes (Source : Censys).
ComfyUI nodes (Source : Censys).

It prefers fileless execution using memfd_create, launches XMRig and lolMiner under names mimicking Linux kernel threads, and hides artifacts in innocuous‑looking directories under /var/tmp or user cache paths.

On systems with root access, it compiles or fetches an LD_PRELOAD rootkit that hooks readdir(), causing tools like ps, top, and ls to skip miner processes and files silently.

Persistence is reinforced through a watchdog process monitoring the install directory, scattered backup copies with backdated timestamps, and chattr +i flags to block deletion, making simple process kills or reboots ineffective.

Cryptomining and proxy botnet

Compromised machines mine Monero via XMRig and Conflux via lolMiner, primarily against Kryptex mining pools using attacker‑controlled wallets, with a fallback to an operator‑run pool endpoint hosted on the same infrastructure.

Kryptex stats (Source : Censys).
Kryptex stats (Source : Censys).

A Flask-based C2 dashboard on port 3301 tracks each worker by a unique “vm” ID derived from the host’s name, recording CPU and GPU hashrates, pool, shares, hardware inventory, and OS details in an embedded SQLite database.

The same panel also manages a Hysteria v2 VPN fleet: a companion script installs Hysteria on victims, sets up TLS masquerading as bing.com, and registers each node so its URI can be exported in bulk supporting potential resale of these exits as paid proxy access.

Both mining and proxy components share the same C2 URL and credentials, underscoring that the primary goals are steady cryptomining income and monetizable network access rather than one‑off exploitation.

Defenders should treat ComfyUI as production software, not a personal lab tool: never expose it directly to the Internet without strong authentication and TLS.

Disable or tightly restrict dangerous custom nodes that execute arbitrary code, and monitor for unexpected packages such as ComfyUI‑Shell‑Executor or suspicious “performance” utilities.

Environment owners should also scan for known indicators: hidden directories under /var/tmp or user caches, kernel‑like process names with unusual hex suffixes, unexplained Kryptex mining traffic, and unknown Hysteria v2 listeners masquerading as HTTPS.

Finally, because v8.2 introduces backdoored nodes and startup workflows, remediation should include reviewing ComfyUI custom_nodes and userdata/workflows directories in addition to standard host‑level malware cleanup.

Related Articles

Back to top button