Listen to this Post

The cybersecurity landscape faces a new wave of danger with ShadowRay 2.0, a global campaign hijacking exposed Ray Clusters and turning them into a self-propagating cryptomining botnet. Leveraging an unpatched vulnerability in the Ray open-source framework, attackers are now targeting AI and Python workloads on distributed computing clusters accessible over the public internet. With AI-generated payloads and sophisticated stealth techniques, the threat actor behind this campaign demonstrates both technical ingenuity and persistence, raising alarms for developers and enterprises relying on Ray for scalable AI applications.
ShadowRay 2.0: Campaign Overview
ShadowRay 2.0 represents the latest evolution of attacks first observed between September 2023 and March 2024. Researchers at runtime security firm Oligo have identified that the threat actor, known as IronErn440, exploits a long-standing vulnerability (CVE-2023-48022) in Ray’s Jobs API, which allows unauthenticated job submissions. Ray was originally designed to operate in trusted, strictly-controlled network environments, leaving many publicly accessible clusters vulnerable. Today, over 230,000 Ray servers are exposed online, a dramatic increase from the initial few thousand observed in the first ShadowRay discovery.
The campaign unfolds in multiple waves. The first targeted GitLab for payload delivery and ended on November 5, while the second, leveraging GitHub repositories, started on November 17 and remains ongoing. Using AI-generated payloads, attackers run multi-stage Bash and Python scripts that propagate malware across cluster nodes. Beyond cryptomining, the payloads facilitate credential theft, data exfiltration, and distributed denial-of-service (DDoS) attacks.
The crypto-mining module is designed to maximize efficiency while avoiding detection. XMRig is used to mine Monero, utilizing only 60% of processing power. The malware ensures exclusivity on compromised clusters by terminating rival miners and blocking other mining pools. Attackers maintain persistence via cron jobs and systemd modifications, while reverse Python shells enable interactive control, providing access to MySQL credentials, AI models, and source code.
Payload and Attack Mechanics
Oligo’s analysis indicates that large language models likely generated the malicious payloads. Evidence includes peculiar code structures, redundant docstrings, and nonfunctional echoes within the scripts. These AI-generated payloads evaluate CPU and GPU resources before initiating mining operations, targeting high-performance nodes for maximum profitability. The attackers even show a preference for nodes with root privileges, highlighting the meticulous optimization of the botnet.
The malware also incorporates strategic defense evasion. Files are placed in deceptive locations, processes are masked with benign names like ‘dns-filter,’ and updates are regularly pulled from GitHub repositories via cron jobs. The payload can launch Sockstress-based DDoS attacks and is capable of autonomous cluster-to-cluster propagation, making containment extremely challenging.
Defending Against ShadowRay 2.0
Currently, there is no patch for CVE-2023-48022. Ray users are advised to deploy clusters in trusted environments and adhere to security best practices. Measures include:
Restricting access using firewalls and security group policies.
Implementing authorization layers on the Ray Dashboard port (8265).
Continuous monitoring to detect anomalous behavior.
Segregating public-facing clusters from sensitive workloads.
Anyscale has issued guidance emphasizing secure deployment practices, but the sheer volume of exposed clusters highlights the risk of widespread compromise if proactive steps are not taken immediately.
What Undercode Say:
ShadowRay 2.0 underscores a critical shift in threat tactics—leveraging AI to scale attacks against AI infrastructure. Traditional security assumptions, such as the notion that distributed computing clusters operate in isolated, trusted environments, no longer hold. Attackers now exploit both human oversight and system vulnerabilities, converting high-performance computing clusters into stealthy, autonomous botnets.
The campaign highlights the dual threat of financial and operational damage. Monero mining directly monetizes compromised nodes, while the exfiltration of proprietary AI models and credentials could undermine competitive advantage and lead to secondary attacks. Furthermore, the use of AI to generate payloads represents a meta-threat: defenders face automated, adaptive, and obfuscated malware that can evolve faster than traditional countermeasures.
Another concern is the self-propagating nature of ShadowRay 2.0. By leveraging cluster orchestration features, attackers transform each compromised node into a propagation hub, rapidly scaling infections without additional infrastructure. This design increases both the difficulty of containment and the potential damage radius, effectively turning a single exposed node into a network-wide vulnerability.
From a defense perspective, current strategies—firewall restrictions, access controls, and monitoring—are reactive. Proactive mitigation requires redesigning deployment architecture, segmenting workloads, and integrating AI-driven anomaly detection to identify suspicious patterns before they escalate. The ShadowRay 2.0 case may also set a precedent for future AI-targeted attacks, where automated malware leverages both human and machine intelligence to optimize exploitation.
Finally, the campaign stresses the importance of maintaining a minimal attack surface. Publicly accessible clusters, outdated software, and weak operational security combine to create a perfect storm. Organizations that prioritize secure deployment, layered authentication, and continuous auditing can reduce exposure, but the threat landscape is evolving, requiring constant vigilance and innovation in defensive measures.
🔍 Fact Checker Results
✅ ShadowRay 2.0 exploits CVE-2023-48022 to hijack Ray Clusters.
✅ Attackers use AI-generated payloads and XMRig for Monero mining.
❌ There is currently no official patch for the vulnerability, only best practice mitigations.
📊 Prediction
ShadowRay 2.0 signals a growing trend of AI-assisted malware in cloud and AI infrastructure. 🚨 Expect automated attacks to become more sophisticated, with self-propagating botnets targeting distributed computing frameworks. AI-generated payloads will likely increase both in frequency and complexity, making detection and mitigation a moving target. Enterprises and cloud providers will need AI-driven defenses, continuous monitoring, and strict access controls to prevent similar campaigns from inflicting large-scale financial and operational damage. 💻💰
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




