An active campaign has been observed targeting internet-exposed instances running **ComfyUI**, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet. "A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via **ComfyUI-Manager** if no exploitable node is already present," **Censys** security researcher Mark Ellzey said in a report published Monday. ### Exploiting Misconfigurations for Remote Code Execution The attack activity systemically scans for exposed ComfyUI instances and exploits a misconfiguration that allows remote code execution on unauthenticated deployments through custom nodes. These custom nodes, intended for extending ComfyUI's functionality, are being weaponized. Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as to a Hysteria V2 botnet. Both of them are centrally managed through a Flask-based command-and-control (C2) dashboard.  Data from attack surface management platforms shows that there are more than 1,000 publicly-accessible ComfyUI instances. While not a huge number, it's sufficient for a threat actor to run opportunistic campaigns to reap financial gains. ### Discovery and Tools of the Attack **Censys** discovered the campaign last month after identifying an open directory on `77.110.96[.]200`, an IP address associated with a bulletproofing hosting services provider, **Aeza Group**. The directory contained a previously undocumented set of tools to pull off the attacks. This includes two reconnaissance tools to enumerate exposed ComfyUI instances across cloud infrastructure, identify those that have ComfyUI-Manager installed, and shortlist those that are susceptible to the code execution exploit. One of the two scanner Python scripts also functions as an exploitation framework that weaponizes ComfyUI's custom nodes to achieve code execution. This technique, some aspects of which were documented by **Snyk** in December 2024, takes advantage of the fact that some custom nodes accept raw Python code as input and run it directly without requiring any authentication. As a result, an attacker can scan exposed ComfyUI instances for specific custom node families that support arbitrary code execution, effectively turning the service into a channel for delivering attacker-controlled Python payloads. Some of the custom node families that the attack particularly looks for are listed below: * Vova75Rus/ComfyUI-Shell-Executor * filliptm/ComfyUI_Fill-Nodes * seanlynch/srl-nodes * ruiqutech/ComfyUI-RuiquNodes "If none of the target nodes are present, the scanner checks whether ComfyUI-Manager is installed," Censys said. "If available, it installs a vulnerable node package itself, then retries exploitation."  ### Persistence and Evasion Techniques It's worth noting that "ComfyUI-Shell-Executor" is a malicious package created by the attacker to fetch a next-stage shell script ("ghost.sh") from the aforementioned IP address. Once code execution is obtained, the scanner removes evidence of the exploit by clearing the ComfyUI prompt history. A newer version of the scanner also incorporates persistence mechanisms that cause the shell script to be downloaded every six hours and the exploit workflow to be re-executed every time ComfyUI is started. The shell script disables shell history, kills competing miners, launches the miner process, and uses the `LD_PRELOAD` hook to hide a watchdog process that ensures the miner process is revived in the event it gets terminated. In addition, the miner program is copied to multiple locations so that even if the primary install directory gets wiped, it can be launched from one of the fallback locations. A third mechanism the malware uses to ensure persistence is the use of the `chattr +i` command to lock the miner binaries and prevent them from being deleted, modified, or renamed, even by the root user. "There is also dedicated code targeting a specific competitor, 'Hisana' (which is referenced throughout the code), which appears to be another mining botnet," Censys explained. "Rather than just killing it, ghost.sh overwrites its configuration to redirect Hisana's mining output to its own wallet address, then occupies Hisana’s C2 port (10808) with a dummy Python listener so Hisana can't restart." ### Command and Control and Proxy Network Expansion The infected hosts are commandeered by means of a Flask-based C2 panel, which allows the operator to push instructions or deploy additional payloads, including a shell script that installs Hysteria V2 with the likely goal of selling compromised nodes as proxies. Further analysis of the attacker's shell command history has revealed an SSH login attempt as root to the IP address `120.241.40[.]237`, which has been linked to an ongoing worm campaign targeting exposed Redis database servers. "Much of the tooling in this repository appears hastily assembled, and the overall tactics and techniques might initially suggest unsophisticated activity," Censys said. "Specifically, the operator identifies exposed ComfyUI instances running custom nodes, determines which of those nodes expose unsafe functionality, and then uses them as a pathway to remote code execution." "The infrastructure accessed by the operator further supports the idea that this activity is part of a broader campaign focused on discovering and exploiting exposed services, followed by the deployment of custom tooling for persistence, scanning, or monetization." ### Recent Botnet Activity Surge The discovery coincides with the emergence of multiple botnet campaigns in recent weeks: * Exploitation of command injection vulnerabilities in n8n (**CVE-2025-68613**) and Tenda AC1206 routers (**CVE-2025-7544**) to add them to a Mirai-based botnet known as **Zerobot**. * Exploitation of vulnerabilities in Apache ActiveMQ (**CVE-2023-46604**), Metabase (**CVE-2023-38646**), and React Server Components (**CVE-2025-55182** aka React2Shell) to deliver **Kinsing**, a persistent malware used for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks. * Exploitation of a suspected zero-day vulnerability in fnOS Network Attached Storage (NAS) to target internet-exposed systems and implant them with a DDoS malware called Netdragon. "NetDragon establishes an HTTP backdoor interface on compromised devices, enabling attackers to remotely access and control the infected systems," QiAnXin XLab said. "It tampers with the 'hosts' file to hijack the official Feiniu NAS system update domain."