ComfyIU exposed when AI experimentation generates a botnet of mining and proxies

A new malicious campaign has shown how a tool designed to experiment with stable dissemination models can become a gateway for large-scale criminal operations. Security researchers identified a scanner written in Python that sweep address blocks into cloud suppliers looking for instances of ComfyIU publicly exposed, and that automatically takes advantage of an unsafe configuration in so-called "custom nodes" to run remote code and convert those machines into nodes of a botnet dedicated to cryptomoneda mining and proxies rental.

ComfyIU, whose code and repository are found in GitHub, is a popular interface for stable flow workflows. Their flexibility - the possibility of adding custom nodes that run Python code - is precisely what the attackers exploit. Some nodes families accept code entries without an authentication barrier, allowing a malicious actor to inject payloads and run commands in the system that houses ComfyUI.

According to the analysis, the operator does not just search for already vulnerable nodes: if you detect that the instance has ComfyUI-Manager installed, you can use it to deploy a malicious package of your own and so get the attack vector. From there, the committed equipment is used to mine cryptomoneda with tools known as XMRig(Monkey) and lolMiner(in this case for Conflux), and it is also prepared as part of a V2 Hysteria network to offer nodes as proxies. Control and remote management of infected equipment is done by a panel based on Flask, which facilitates sending commands and installing additional loads.

The mechanisms of persistence described by the analysers are particularly aggressive. The installer regularly downloads a script called "ghost.sh," which disables the shell history to erase prints, ends rival mining processes, launches the mining, and uses techniques such as LD _ PRELOAD to hide a vigilant process that relays the mining if it stops. In addition, malware copies the binaries to multiple locations and uses file system attributes (e.g. by chattr + i) to prevent even root user from deleting or modifying the threat files.

A striking detail of the report is the operator's explicit intention to neutralize competition: sometimes the script not only kills other miners, but overwrites the configuration of a competitor botnet - mentioned internally under the name "Hisana" - to redirect its mining production to the attacker's purse and occupy its port of control. This kind of behavior indicates that, beyond opportunistic use, there is an interest in maximizing and ensuring the economic benefits of the operation.

The scale of the problem is not massive in absolute terms: the data on the exposed surface show just over a thousand instances of ComfyUI accessible from the Internet. But that figure is sufficient for automated campaigns that seek vulnerable targets in cloud infrastructure and reuse resources for profit. The researchers even located an accessible directory in an IP associated with accommodation services categorized as "bulletproof," in which the collection of tools used to identify, exploit and keep hosts engaged was hosted.

This research connects with a broader trend: in recent weeks and months, multiple waves of botnets have been observed that combine exploitation of public vulnerabilities, mass scans and relatively modest but automatic tools to monetize other resources. Campaigns that take advantage of automation software, IoT devices and exposed services have been growing, and criminals re-use code and tactics - such as XMRig mining or upgrade settings modifications - to increase their resilience.

The good news is that mitigation measures are clear and enforceable. First of all, do not expose ComfyUI instances directly to the Internet unless there is a robust authentication layer and well-configured access controls. For those who must necessarily have remote access, encapsulate the service after a VPN, an authenticated tunnel or firewall rules that limit the allowed PIs greatly reduces the risk. It is crucial to disable or audit the custom nodes that accept arbitrary code; remove ComfyUI-Manager if not necessary and review the inventory of installed packages prevents an attacker from installing malicious components automatically.

Monitoring is also relevant: alerts on unusual processes, persistent outgoing connections to suspicious PIs, binary file changes or the emergence of unauthorized scheduled tasks should be investigated immediately. In addition, keeping the operating system and units up to date and applying integrity controls on the binaries can help to detect and reverse malicious modifications. For cloud equipment, using official images, restrictive IAM policies and regular public exposure scans should be part of basic hygiene.

If you want to go into the above technical components, it is advisable to review the sources of the above-mentioned projects directly - for example the official repository of ComfyIU the documentation of XMRig and the code lolMiner- and follow the analyses published by security intelligence providers as Censys or by companies engaged in the discovery and mitigation of threats. Research is also needed on how "custom nodes" can open up remote-run vectors, a subject that has been dealt with by security teams in previous analyses.

The episode reminds us again that convenience and experimentation in IA and ML tools can come at a cost if safety practices are not incorporated from the design. Platforms that allow for dynamic code execution should be considered high risk if they are exposed without authentication and without strict implementation controls. For engineering managers and equipment, the recommendation is clear: review configurations, limit public surface and apply early detection before a research tool ends up financing an attacker.