An active campaign has been observed targeting internet-exposed ComfyUI instances to enlist them in a cryptocurrency mining and proxy botnet. A purpose-built Python scanner sweeps major cloud IP ranges and, where no exploitable node is already present, automatically installs malicious nodes via ComfyUI-Manager; the exploitation achieves remote code execution through custom nodes.
The compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, and to a Hysteria V2 botnet, all managed from a Flask-based C2 dashboard. Data from attack surface platforms shows there are more than 1,000 publicly accessible ComfyUI instances, a figure Censys described as sufficient for opportunistic gains.
The discovery followed the identification of an open directory on 77.110.96[.]200, an Aeza Group IP address, containing the toolkit used to carry out these attacks. The campaign involves reconnaissance tools that enumerate exposed instances and identify those with ComfyUI-Manager installed. “There is also dedicated code targeting a specific competitor, 'Hisana',” according to Censys; the report notes that this code can redirect Hisana’s mining output and occupy its C2 port.