ShadowRay 2.0 Turns AI Clusters into Crypto Botnets
Recorded: Nov. 25, 2025, 2:02 a.m.
| Original | Summarized |
A threat actor is leveraging a flaw in the Ray framework to hijack AI infrastructure worldwide and distribute a self-propagating cryptomining and data theft botnet.

Jai Vijayan, Contributing Writer
November 24, 2025
4 Min Read

A threat actor is actively exploiting a known, but disputed, remote code execution (RCE) vulnerability in the open source Ray framework to hijack AI compute infrastructure and use it to attack other Ray-based environments.

Oligo Security, which detailed the campaign in a recent report, described the attacks as leveraging exposed Ray dashboards and job submission APIs, along with the unresolved vulnerability, dubbed "ShadowRay," to gain full control over clusters.

Launchpads for Cryptomining

Once inside, the attackers have been turning compromised AI infrastructure into launchpads for large-scale cryptomining, botnet expansion, and further intrusions. According to Oligo, the campaign represents an early instance of threat actors systematically abusing AI systems to attack other AI environments.

"The attackers, operating under the name IronErn440, have turned Ray's legitimate orchestration features into tools for a self-propagating, global cryptojacking operation, spreading autonomously across exposed Ray clusters," Oligo researchers Avi Lumelsky and Gal Elbaz wrote. "What makes this campaign particularly notable is the use of AI to attack AI."

Much like Kubernetes for containers, Ray is an open source distributed computing framework that many organizations use to orchestrate AI workloads, including model training, parameter tuning, and large-scale data processing. ShadowRay (CVE-2023-48022) is a critical (CVSS 9.8) bug in the framework that allows an unauthenticated attacker to remotely execute arbitrary code via its Jobs API on Internet-exposed dashboards.
Oligo previously has reported on attackers leveraging the vulnerability widely to hijack GPU clusters for cryptomining, data theft, and distributed denial of service (DDoS) attacks. Victims have included organizations in sectors like cryptocurrency, education, and biopharma. Anyscale, which maintains Ray, has described the vulnerability as a design choice that presents no risk when Ray is used as intended in controlled, internal environments. The company has provided tooling that gives organizations a way to ensure their Ray environments are properly configured to avoid accidental exposure.

The ongoing campaign, which Oligo is tracking as ShadowRay 2.0, appears to have launched in September 2024. What makes it particularly dangerous is the growth in the number of exposed Ray environments since Oligo's first report, from a few thousand to some 230,000 currently. Oligo's scans showed a portion of them to be vulnerable to CVE-2023-48022 and likely already compromised by the ShadowRay 2.0 campaign. "The lack of a definitive patch, coupled with the assumption that users would self-secure their clusters, has allowed threat actors to weaponize the same underlying weakness, culminating in the new ShadowRay v2 campaign," Lumelsky and Elbaz said.

Two Attack Waves

According to Oligo, ShadowRay 2.0 has unfolded in two waves. Initially, attackers used GitLab as their command-and-control (C2) infrastructure, hosting malware payloads generated from large language models and orchestrating real-time updates through the platform's version control features. The attackers leveraged GitLab's CI/CD pipelines to dynamically update and deliver AI-generated code for reconnaissance; they also deployed XMRig miners disguised as benign processes and established persistence on the compromised nodes.
To maintain stealth, the attackers cap their cryptomining payloads at 60% of CPU resources. Alongside mining, they steal sensitive data such as MySQL credentials and cloud tokens, and exfiltrate proprietary AI models, source code, and other datasets. The GitLab campaign primarily hit AI startups, research labs, and cloud-hosted environments, according to Oligo.

After Oligo reported the operation, GitLab removed the attacker's account and repository Nov. 5. But by Nov. 10, IronErn440 actors had already moved the entire operation to GitHub and started delivering their payloads from that platform. When GitHub removed the repository Nov. 17, the attackers launched a replacement repository on the same day.

In the GitHub phase, the attacks have been using payloads featuring enhanced GPU optimization capabilities to deploy XMRig and Rigel miners. The attackers have also been going after large, high-value clusters, sometimes with thousands of nodes. "Attackers put hands on Internet-facing clusters with thousands of machines (worth $4 million per year) — utilizing 100% CPU on the compromised Ray nodes," the two Oligo researchers said.

For organizations rapidly building up their AI infrastructure, the ShadowRay 2.0 campaign underscores how configuration choices in widely used frameworks like Ray can significantly influence their risk exposure. It shows how attackers can hijack misconfigured clusters to take control of critical AI environments, run unauthorized workloads, mine cryptocurrency, or gain a foothold for further intrusion.

Oligo's recommendation for protecting against campaigns like ShadowRay 2.0 is to verify that systems are properly configured to avoid accidental exposure. The security vendor also advocates that organizations using Ray follow available best practices to secure their Ray deployments, and add an authorization layer on top of the Ray Dashboard port.

"Disputed vulnerabilities create a dangerous gray area for defenders because they are not formally patched," Lumelsky and Elbaz said. "As a result, organizations may unknowingly deploy or run software that remains exploitable in real-world conditions," giving adversaries an opening to attack.
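The recommendations above (verify that the dashboard is not accidentally exposed, and put an authorization layer in front of the Ray Dashboard port) imply a concrete check a defender can run against their own clusters. The following Python script is an added example, not code from the article, from Oligo, or from the Ray project. It assumes Ray's default dashboard port 8265 and the Jobs REST API path /api/jobs/ (which returns a JSON list of jobs when reachable); the two "dashboards" it probes are constructed local stand-ins so the whole thing runs offline.

```python
"""Audit whether a Ray dashboard's Jobs API answers without authentication.

Added example (not from the Dark Reading article, Oligo, or the Ray project).
Assumptions: Ray's dashboard listens on port 8265 by default, the Jobs REST
API lives at /api/jobs/ and returns a JSON list, and an authorization layer
(reverse proxy, gateway) in front of it answers 401/403 to anonymous callers.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RAY_DASHBOARD_PORT = 8265      # Ray's default dashboard port (assumption)
JOBS_API_PATH = "/api/jobs/"   # Ray Jobs REST API: list/submit jobs (assumption)


def classify_dashboard(base_url: str, timeout: float = 3.0) -> str:
    """Return 'EXPOSED', 'PROTECTED', 'UNREACHABLE' or 'UNKNOWN' for one dashboard URL.

    An anonymous GET that yields a JSON job list means anyone who can reach the
    port can also POST a job, which is the exposure ShadowRay abuses.
    """
    req = urllib.request.Request(base_url.rstrip("/") + JOBS_API_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # 401/403 is what an authorization layer in front of the port looks like.
        return "PROTECTED" if exc.code in (401, 403) else "UNKNOWN"
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"
    try:
        parsed = json.loads(body)
    except ValueError:
        return "UNKNOWN"
    return "EXPOSED" if isinstance(parsed, list) else "UNKNOWN"


class _FakeDashboard(BaseHTTPRequestHandler):
    """Constructed stand-in for a Ray dashboard; require_auth models a proxy gate."""
    require_auth = False

    def do_GET(self):
        if self.path != JOBS_API_PATH:
            self.send_error(404)
            return
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ray-dashboard"')
            self.end_headers()
            return
        payload = json.dumps([]).encode()  # empty job list, as an idle cluster returns
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *_):  # keep the demo quiet
        pass


class _OpenDashboard(_FakeDashboard):
    require_auth = False


class _GatedDashboard(_FakeDashboard):
    require_auth = True


def _start(handler_cls):
    server = HTTPServer(("127.0.0.1", 0), handler_cls)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def audit_demo() -> dict:
    """Probe an open dashboard, a gated one, and a closed port; return the verdicts."""
    results = {}
    for name, cls in (("open", _OpenDashboard), ("gated", _GatedDashboard)):
        srv = _start(cls)
        port = srv.server_address[1]
        try:
            results[name] = classify_dashboard(f"http://127.0.0.1:{port}")
        finally:
            srv.shutdown()
            srv.server_close()
    # After server_close nothing listens on that port, so the probe must fail fast.
    results["closed_port"] = classify_dashboard(f"http://127.0.0.1:{port}")
    return results


if __name__ == "__main__":
    for target, verdict in audit_demo().items():
        print(f"{target:12s} {verdict}")
```

Against a real deployment, call classify_dashboard() with the dashboard URL (for example http://HEAD_NODE:8265, with HEAD_NODE a placeholder). An EXPOSED verdict on an Internet-reachable address is precisely the condition the campaign exploits; the remedy is to bind the dashboard to an internal interface or place an authenticating proxy in front of the port so that the probe returns PROTECTED.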
The rapid development and deployment of AI infrastructure, spearheaded by frameworks like Ray, has created novel attack vectors for cybercriminals. This summary details the unfolding threat landscape surrounding “ShadowRay 2.0,” a campaign leveraging a vulnerability in Ray clusters to establish cryptomining botnets and facilitate widespread data theft. The core of the ShadowRay 2.0 threat is a critical Remote Code Execution (RCE) vulnerability, CVE-2023-48022, in Ray. This flaw allows unauthenticated attackers to gain complete control over Ray clusters, primarily through exposed dashboards and Jobs API endpoints. The absence of a formal patch, combined with the maintainer's assumption that users would secure their own clusters, has facilitated its exploitation. Jai Vijayan, reporting for Dark Reading, explains how the attackers, operating under the moniker “IronErn440,” have systematically hijacked Ray infrastructure, turning legitimate orchestration features into a self-propagating cryptomining operation. The campaign has progressed in two distinct phases. Initially, the attackers used GitLab as their command-and-control (C2) infrastructure to deliver malware payloads containing large language model-generated code, using the platform’s version control features for real-time updates and its Continuous Integration/Continuous Deployment (CI/CD) pipelines to update and deploy those payloads. This initial phase predominantly targeted AI startups, research labs, and cloud-hosted environments. After the GitLab account was removed, the attackers migrated to GitHub and, when that repository was taken down, to a replacement repository, demonstrating adaptability and a persistent strategy. The second phase, which followed the initial public reporting, involved payloads with significantly enhanced GPU optimization capabilities designed to maximize mining efficiency.
Attackers demonstrated a targeted approach, directly compromising large, high-value clusters, some containing thousands of nodes and worth an estimated $4 million per year. The attackers drove CPU utilization to 100% on the compromised Ray nodes, showcasing an intent for maximal exploitation. Oligo Security, which originally detailed the campaign, identified the attackers’ focus as primarily targeting large-scale deployments. A key element of ShadowRay 2.0’s success is the exploitation of Ray’s core functionality. The framework's purpose, to orchestrate AI workloads, is being subverted to create a distributed network of cryptomining operations capable of expanding autonomously across exposed Ray clusters. This represents a significant shift in attack methodology, moving beyond simple exploitation of known vulnerabilities to actively weaponizing legitimate framework features. The vulnerability has been described by Anyscale as a design choice that presents no risk when Ray is used as intended in controlled, internal environments. However, this position, combined with the lack of a patch and the potential for misconfiguration, has directly contributed to its exploitation. The growth in exposed Ray environments, from a few thousand to an estimated 230,000, highlights the scale of the risk this vulnerability enables. Oligo Security's recommendations to mitigate this threat revolve around a fundamental principle: securing Ray environments through careful configuration. This includes verifying configurations to avoid accidental exposure, implementing an authorization layer on top of the Ray Dashboard port, and adhering to the security best practices provided by Anyscale, the framework’s maintainer. They also emphasize the problem of ‘disputed’ vulnerabilities: flaws that are never formally patched and therefore remain exploitable in real-world conditions.
The ShadowRay 2.0 campaign underscores the broader security implications of rapidly evolving AI infrastructure. It’s not just about patching known vulnerabilities; it demands a proactive approach to securing all configuration choices, particularly in frameworks like Ray that are increasingly adopted for orchestrating sophisticated AI workloads. The threat goes beyond simple exposure; it’s about the misuse of legitimate functionality. |