Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.
The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.
The vulnerability has remained unpatched due to a “long-standing design decision” that’s consistent with Ray’s development best practices, which requires it to be run in an isolated network and act upon trusted code.
The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to an unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray and pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another.
The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like “ironern440-group” and “thisisforwork440-ops” to create repositories and stash the malicious payloads. Both accounts are no longer accessible. However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations.
The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts.
The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said.
The campaign has likely made use of large language models (LLMs) to create the GitLab payloads. This assessment is based on the malware’s “structure, comments, and error handling patterns.”
The infection chain involves an explicit check to determine if the victim is located in China, and if so, serves a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host.
Another notable aspect of the attacks is the use of various tactics to fly under the radar, including disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to around 60%. It’s believed that the campaign may have been active since September 2024.
While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors and identifying which Ray dashboard IP addresses are exploitable using the open-source vulnerability detection tool interact.sh. More than 230,500 Ray servers are publicly accessible.
Anyscale, which originally developed Ray, has released a “Ray Open Ports Checker” tool to validate the proper configuration of clusters to prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authorization on top of the Ray Dashboard port (8265 by default).
“Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites. This suggests the compromised Ray clusters are being weaponized for denial-of-service attacks, possibly against competing mining pools or other infrastructure,” Oligo said.
“This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition. The target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”
