ComfyUI Servers Hijacked for Monero Mining and Proxy Botnet

Attackers are systematically compromising internet-exposed ComfyUI installations to mine cryptocurrency and build a proxy botnet. Security researchers identified over 1,000 vulnerable instances running the popular Stable Diffusion platform, with a Python-based scanner continuously sweeping cloud IP ranges for new targets.

The campaign exploits a misconfiguration that allows remote code execution through custom nodes—no authentication required. Once compromised, servers mine Monero and Conflux while also joining a Hysteria V2 proxy network controlled through a Flask-based C2 dashboard.

How the Attack Works

ComfyUI is a node-based interface for running Stable Diffusion image generation. Its power comes from extensibility—users can install custom nodes that add new capabilities. But that same extensibility creates attack surface when deployments are exposed to the internet without authentication.

The attacker's Python scanner identifies exposed ComfyUI instances and checks for vulnerable custom node packages:

• Vova75Rus/ComfyUI-Shell-Executor (malicious package created by attacker)
• filliptm/ComfyUI_Fill-Nodes
• seanlynch/srl-nodes
• ruiqutech/ComfyUI-RuiquNodes

These node families expose functionality that enables command execution. If none are present but ComfyUI-Manager is installed, the scanner automatically deploys a vulnerable package to create an entry point.

Once the scanner identifies an exploitable node, it executes a shell script named "ghost.sh" that:

1. Disables shell history to hide activity
2. Kills competing cryptominers (including one called "Hisana")
3. Deploys XMRig for Monero mining
4. Deploys lolMiner for Conflux mining
5. Uses LD_PRELOAD hooks to hide a watchdog process
6. Joins the system to a Hysteria V2 proxy botnet

Persistence That's Hard to Kill

The campaign uses aggressive persistence mechanisms that survive reboots and cleanup attempts:

• Scheduled reinfection - The shell script downloads every six hours via cron
• Startup hook - Exploit workflow re-executes whenever ComfyUI starts
• Hidden watchdog - LD_PRELOAD conceals the process from standard tools
• File locking - chattr +i makes miner binaries immutable
• Scattered binaries - Miners replicated across multiple filesystem locations

Even if defenders find and remove the miner, the persistence mechanisms reinstall it within hours. The six-hour download window and startup hook create multiple reinfection vectors.

The attackers also hijack competing miners rather than just killing them. If they find "Hisana" (another cryptomining campaign) running on a compromised system, they redirect its configuration to mine for them instead.

Infrastructure and IOCs

The campaign operates from bulletproof hosting:

• C2 Server: 77.110.96[.]200 (Aeza Group infrastructure)
• Secondary IOC: 120.241.40[.]237 (linked to previous Redis worm campaigns)

Aeza Group is a hosting provider known for tolerating abuse complaints. The choice of bulletproof infrastructure suggests operators expect their C2 to be reported and aren't concerned about takedowns.

Organizations should block these IPs at their perimeter and monitor for outbound connections. The Hysteria V2 protocol uses QUIC, so standard port-based blocking may miss traffic—deep packet inspection or endpoint monitoring is more reliable.

Scale of Exposure

Researchers found more than 1,000 ComfyUI servers publicly accessible after filtering out honeypots. The actual number of vulnerable instances is likely higher—many sit behind residential IPs or cloud NATs that standard scanning misses.

ComfyUI deployments have proliferated as organizations experiment with AI image generation. The software is legitimately useful, but operational security often lags adoption. Teams spin up instances for testing, expose them temporarily "just for this project," and forget to secure or decommission them.

This pattern mirrors what we've seen with other AI infrastructure attacks—rapid adoption outpaces security hardening. The TeamPCP cloud worm similarly targeted exposed development tools, using them as stepping stones into cloud environments.

Who's at Risk

Any organization running ComfyUI with:

• Internet exposure without authentication
• Custom nodes that allow shell access
• ComfyUI-Manager that enables remote package installation

The third condition is particularly concerning. Even if you don't have vulnerable nodes installed, ComfyUI-Manager gives attackers a mechanism to add them. An exposed instance with just the manager is exploitable.

Creative teams, marketing departments, and R&D groups commonly deploy ComfyUI for content generation. These aren't traditional IT workloads, so they often escape security oversight. If your organization uses Stable Diffusion tools, someone probably deployed ComfyUI somewhere.

Mitigation Steps

1. Audit for exposed instances - Scan your external IP ranges for ComfyUI on default ports
2. Require authentication - Don't expose ComfyUI without proper access controls
3. Restrict custom node installation - Remove ComfyUI-Manager or limit its functionality
4. Isolate AI workloads - Keep image generation infrastructure off production networks
5. Monitor for mining activity - Watch for XMRig/lolMiner processes and unusual CPU utilization
6. Block C2 infrastructure - Add known IOCs to firewall rules

For compromised systems, a clean reinstall is safer than attempting cleanup. The persistence mechanisms are extensive enough that missed artifacts will reinfect the host. Image the system for forensics, wipe it, and rebuild with authentication enabled.

Organizations using AI infrastructure should review our malware defense guide for broader protection strategies against similar opportunistic attacks.