Attackers Exploit Open Source AI Framework Ray to Build Self-Replicating Botnet

A new wave of attacks is compromising unsecured Ray clusters and turning them into self-replicating botnets. By abusing exposed Ray endpoints, attackers deploy malware that spreads autonomously, mines cryptocurrency, steals data, and launches DDoS attacks—showcasing AI infrastructure as an emerging, high-value threat surface.

    A new wave of attacks targeting exposed AI infrastructure highlights the growing trend of adversaries using artificial intelligence (AI) itself as a threat surface. Malicious actors are actively compromising unsecured Ray clusters—an increasingly popular open source framework for distributed AI computing—and turning them into launchpads for complex, self-replicating botnets.

    These botnets are not only capable of mining cryptocurrency but are also used to exfiltrate data and execute distributed denial-of-service (DDoS) attacks. The campaign reveals a concerning convergence: attackers abusing AI platforms to attack other systems, including AI-driven ones.

    Ray Clusters Exposed Via Misconfiguration

    Ray, developed by Anyscale and now widely adopted in machine learning (ML) and AI workflows, enables developers to scale Python-based computations across multiple servers. However, when deployed without sufficient access controls, Ray clusters can become vectors for abuse.

    Attackers Exploit Publicly Accessible Endpoints

    The root of the problem lies in Ray’s default deployment behavior. Many of these clusters are Internet-facing and often contain no authentication mechanisms, which makes them low-hanging fruit for cybercriminal groups.

    In recent incidents, attackers have scanned IP ranges for exposed Ray Dashboard endpoints (essentially the control plane of the cluster), which typically run on ports such as 8265. Once an endpoint is discovered, attackers gain control of the cluster through its exposed APIs.

    The objectives of this unauthorized access include:

    • Injecting arbitrary code into the environment
    • Orchestrating malware deployment across all cluster nodes
    • Leveraging computational resources for cryptocurrency mining

    A Self-Replicating Botnet Born From AI Infrastructure

    What sets this threat apart is the botnet’s self-replicating capability. After compromising a Ray cluster, the malware is programmed to look for additional vulnerable Ray instances, autonomously initiating new attacks. This mirrors worm-like propagation, turning each infected cluster into an attack node.

    Crypto Mining, Data Theft, and DDoS Capabilities

    Once entrenched, the malware performs triage based on the infected system’s capabilities. On high-powered clusters, it allocates resources to mine Monero or similar cryptocurrencies. On systems with data-sensitive workloads, it focuses on data exfiltration.

    The botnet also acts as a force multiplier for DDoS campaigns:

    • Compromised nodes can be weaponized to send large volumes of traffic, targeting external services for disruption
    • The scale of abuse grows exponentially as each newly infected Ray cluster joins the attack infrastructure

    This represents a novel evolution: attackers are abusing distributed AI platforms not only as computational launch pads, but also for their expansive network topologies.

    Lack of Authentication Fuels Expansion

    The rapid spread of the botnet underlines a persistent flaw in the AI community’s infrastructure hygiene: minimal access configuration. In many cases, developers deploy Ray clusters for experimentation or prototyping without firewall protections or basic permissions models in place.

    Internet scans have revealed hundreds of exposed Ray endpoints—often with administrator-level capabilities—open to the broader network, with no requirement for authentication before executing commands.

    Risk Mitigation Strategies for Ray Users

    To defend against this type of attack, Ray users should:

    • Never expose Ray Dashboard and HTTP servers to the public Internet
    • Enforce authentication and role-based access controls using secure proxy layers
    • Regularly scan cloud and on-prem environments for misconfigured instances
    • Monitor Ray logs for unusual activity or system calls that could indicate malware execution
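
A host-level check for the first and third recommendations, as an added example that is not from the original article: it parses `ss -H -ltn` output captured on a machine you operate and reports listeners on the dashboard port 8265 that are bound beyond loopback. The sample output, function names and labels are constructed for illustration.

```python
import ipaddress

RAY_DASHBOARD_PORT = 8265  # port named in the article; change if yours differs

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8265 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
LISTEN 0 128 [::]:8265 [::]:*
LISTEN 0 128 10.0.4.17:8265 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 *:22 *:*
"""

def classify_bind(addr):
    """Label a bind address: loopback, all-interfaces, specific-interface."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"  # surface it for manual review rather than hide it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-interface"

def audit_listeners(ss_output, port=RAY_DASHBOARD_PORT):
    """Return (local_address, exposure) for each non-loopback listener on port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port_text = fields[3].rpartition(":")
        if not port_text.isdigit() or int(port_text) != port:
            continue
        exposure = classify_bind(host)
        if exposure != "loopback":
            findings.append((fields[3], exposure))
    return findings

if __name__ == "__main__":
    for local, exposure in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: dashboard listener {local} ({exposure})")
```

A finding means the listener is reachable from other hosts on at least one interface; whether it is reachable from the Internet still depends on the firewall, security group or proxy in front of it.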

    Organizations using Ray in production pipelines should integrate cluster security into their broader DevSecOps workflows, ensuring secure configuration at deployment time rather than retroactively patching exposures.

    AI on AI: A Dangerous Feedback Loop

    This attack trend is a significant warning for the AI security landscape: the tools designed to advance artificial intelligence are now being turned inward. Criminals are using AI orchestration frameworks like Ray not just as targets but as mechanisms for scalable, automated exploitation.

    As AI platforms become infrastructure mainstays in enterprise environments, their attack surface will continue to grow. And unless these systems are deployed securely from the outset, they will present appealing opportunities for malicious actors looking to weaponize AI against itself.

    The convergence of AI frameworks, data science workflows, and cybersecurity threats demands a paradigm shift—AI deployments must not only be efficient and scalable but secure by design.
