ComfyUI Servers Compromised for Cryptomining and Botnet Operations

Severity: High (Score: 74.0)

Sources: Heise.De, Gbhackers

Summary

A large wave of attacks has turned publicly reachable ComfyUI servers into a botnet used for cryptomining and as proxy infrastructure. Researchers at Censys report that since March 12, 2026, more than 1,000 publicly accessible ComfyUI instances have been compromised. The attackers use a Python-based scanner to find exposed servers and then install malicious custom nodes on them; no authentication is needed, because the affected instances expose the ComfyUI interface to the internet with no access control in front of it. The compromised servers mine cryptocurrencies such as Monero and Conflux and are steered from a Flask-based command-and-control dashboard. The malware includes evasion techniques and several revival mechanisms that let it survive system reboots and removal attempts. ComfyUI, an open-source toolkit for AI image generation, is affected through misconfiguration: instances bound to a public interface without authentication. Administrators are advised to restrict access to these servers to internal networks or a VPN. Indicators of compromise (IOCs) have been published to support detection and prevention.

Key Points

  • More than 1,000 ComfyUI servers have been compromised for cryptomining and proxy operations.
  • Attackers exploit misconfigured, publicly exposed instances to install malware without authentication.
  • The malware evades detection and re-establishes itself after removal or reboot.
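The recommended mitigation, keeping ComfyUI off the public internet, comes down to two things an operator can check locally: which address the server binds, and whether anything has landed in custom_nodes/ that was not deliberately installed. The Python below is an added example written for this page; it is not code from the article, from Censys, or from the ComfyUI project. It assumes ComfyUI's `--listen` CLI behaviour (default 127.0.0.1, a bare flag binds all interfaces, a value may be a comma-separated list) and its custom-node loading rule (every subdirectory and top-level .py file is imported, `__pycache__` and names ending in `.disabled` are skipped). The allowlist and the fixture directory it builds are hypothetical.

```python
"""Audit checks for a ComfyUI host: bind-address exposure and unexpected custom nodes.

Added example; not code from the article, Censys, or the ComfyUI project.
Assumptions: ComfyUI's `--listen` defaults to 127.0.0.1, a bare `--listen`
binds all interfaces, and its value may be a comma-separated list; ComfyUI
imports every subdirectory and top-level .py file in custom_nodes/, skipping
__pycache__ and anything ending in '.disabled'.
"""
from __future__ import annotations

import os
import shlex
import tempfile
from ipaddress import ip_address

EXPOSURE_RANK = {"loopback": 0, "private": 1, "unknown": 2, "public": 3}


def listen_binds(cmdline: str) -> list[str]:
    """Return the addresses a ComfyUI launch command line would bind."""
    argv = shlex.split(cmdline)
    bind = "127.0.0.1"  # ComfyUI default when --listen is absent
    for i, tok in enumerate(argv):
        if tok == "--listen":
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            # Bare --listen (next token is another option, or nothing) => all interfaces.
            bind = nxt if nxt and not nxt.startswith("-") else "0.0.0.0,::"
        elif tok.startswith("--listen="):
            bind = tok.split("=", 1)[1]
    return [b.strip() for b in bind.split(",") if b.strip()]


def classify_bind(bind: str) -> str:
    """Map one bind address to loopback / private / unknown / public."""
    try:
        addr = ip_address(bind)
    except ValueError:
        return "unknown"  # a hostname or empty value; resolve it before trusting it
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "public"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "private"  # LAN/VPN range, which is what the advisory recommends
    return "public"


def exposure(cmdline: str) -> str:
    """Worst-case exposure across every bind address on the command line."""
    binds = listen_binds(cmdline) or [""]
    return max((classify_bind(b) for b in binds), key=EXPOSURE_RANK.__getitem__)


def unexpected_custom_nodes(custom_nodes_dir: str, allowlist: set[str]) -> list[str]:
    """Entries ComfyUI would import from custom_nodes/ that are not on the allowlist."""
    flagged = []
    for name in sorted(os.listdir(custom_nodes_dir)):
        if name == "__pycache__" or name.endswith(".disabled"):
            continue  # ComfyUI does not load these
        loadable = os.path.isdir(os.path.join(custom_nodes_dir, name)) or name.endswith(".py")
        if loadable and name not in allowlist:
            flagged.append(name)
    return flagged


# Hypothetical operator baseline: what this host is supposed to have installed.
BASELINE_ALLOWLIST = {"ComfyUI-Manager", "my_nodes.py"}


def build_sample_install() -> str:
    """Constructed fixture, not a real compromise: returns a custom_nodes/ path holding
    the two allowlisted entries, a disabled pack, a __pycache__ dir, a README, and one
    package ('unreviewed_pack') that is not in the baseline."""
    cn = os.path.join(tempfile.mkdtemp(prefix="comfyui-audit-"), "custom_nodes")
    for d in ("ComfyUI-Manager", "unreviewed_pack", "old_pack.disabled", "__pycache__"):
        os.makedirs(os.path.join(cn, d))
    for f in ("ComfyUI-Manager/__init__.py", "unreviewed_pack/__init__.py",
              "my_nodes.py", "README.md"):
        open(os.path.join(cn, f), "w").close()
    return cn


if __name__ == "__main__":
    for cmd in ("python main.py --port 8188",
                "python main.py --listen",
                "python main.py --listen 10.8.0.2 --port 8188"):
        print(f"{cmd!r:50} -> {exposure(cmd)}")
    print("unexpected custom nodes:",
          unexpected_custom_nodes(build_sample_install(), BASELINE_ALLOWLIST))
```

Feed `exposure()` the real launch line from `ps` or the service unit; any result other than loopback or private is the condition the advisory warns about and should be closed with a host firewall, a VPN, or an authenticating reverse proxy. The custom_nodes check is a baseline diff, not malware detection: an allowlisted package can still be tampered with, so pair it with file hashes or modification times and with the published IOCs.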

Key Entities

  • Botnet (attack_type)
  • Malware (attack_type)
  • Ghost.sh (malware)
  • Hysteria V2 (malware)
  • XMRig (malware)
  • T1014 - Rootkit (mitre_attack)
  • T1046 - Network Service Discovery (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059.006 - Python (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • ComfyUI (platform)
  • Flask (platform)
  • LolMiner (tool)