Hackers Target 700+ ComfyUI AI Image Generation Servers to Spread Malware
China’s National Cybersecurity Notification Center has issued an urgent warning about critical vulnerabilities in ComfyUI, a widely used image-generation framework for large AI models.
These flaws, already under active exploitation by hacker groups, have compromised at least 695 servers worldwide, according to threat intelligence from XLab.
The attackers are deploying a sophisticated backdoor named “Pickai,” designed to steal sensitive AI-related data, execute remote commands, and establish reverse shell access, posing a significant risk of network intrusions and data breaches across industries relying on privately deployed AI models.
Critical Vulnerabilities Exploited in Popular AI Framework
According to the report, XLab’s Cyber Threat Insight and Analysis System (CTIA) first detected suspicious activity on March 17, 2025, originating from IP address 185.189.149.151.
The attackers exploited ComfyUI vulnerabilities to distribute ELF executables disguised as configuration files such as config.json and tmux.conf.
Named Pickai for its data-stealing behavior akin to a pickpocket, this lightweight backdoor, coded in C++, incorporates stealth features like anti-debugging, process name spoofing, and multiple persistence mechanisms.
Despite lacking encryption, Pickai ensures network robustness by cycling through hard-coded command-and-control (C2) servers, automatically switching to maintain a stable connection.
XLab’s strategic move to register an unclaimed C2 domain, h67t48ehfth8e.com, provided visibility into the scale of the infection, revealing the extensive reach of this campaign, with servers in Germany, the United States, and China among the most affected.
Pickai Backdoor Poses Severe Threat
Adding to the severity, Pickai samples were found hosted on the official site of Rubick.ai, a commercial AI platform serving over 200 major e-commerce brands like Amazon, Myntra, and Hudson Bay across the U.S., India, Singapore, and the Middle East.
This positions Rubick.ai as a potential upstream vector in a supply chain attack, where malware could propagate to numerous downstream customer environments.
Despite XLab’s attempts to notify Rubick.ai on May 3, no response was received, leaving the threat unmitigated.

The attackers, in a bold countermove, updated Pickai to use a new C2 domain, historyandresearch.com, with a five-year expiration, indicating a long-term, persistent strategy to evade takedown efforts.
Technically, Pickai exhibits stubborn resilience through redundant persistence, copying itself to multiple system paths and mimicking legitimate services like auditlogd and hwstats to evade detection.
It employs XOR encryption (key 0xAF) for sensitive strings, uses diverse process spoofing with names like kworker and kblockd, and maintains a three-tier communication loop with C2 servers for command requests and status updates.
Network administrators are urged to conduct deep inspections and ensure complete removal of all implanted copies to prevent reinfection.
XLab continues to track this evolving threat and invites the security community to collaborate in shortening the lifespan of such malware through shared intelligence and defensive innovation.
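For the deep inspection urged above, the following triage sketch is an added example, not code from XLab or the original article. It flags ELF binaries hiding behind the config.json and tmux.conf names and searches file contents for the article's domains and service names, both in plaintext and XOR-encoded with key 0xAF. Which strings a given sample actually stores encoded is an assumption, and the function names and sample bytes are constructed for illustration.

```python
from pathlib import Path

XOR_KEY = 0xAF                 # single-byte key the article reports for Pickai strings
ELF_MAGIC = b"\x7fELF"
DISGUISE_NAMES = {"config.json", "tmux.conf"}   # disguises named in the article
# Strings from the article. Which ones a given sample stores XOR-encoded is an
# assumption, so every indicator is searched both in plaintext and encoded.
INDICATORS = [b"historyandresearch.com", b"h67t48ehfth8e.com",
              b"auditlogd", b"hwstats"]


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply the single-byte XOR (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)


def triage(name: str, data: bytes) -> dict:
    """Classify one file by name and content; returns a findings dict."""
    is_elf = data.startswith(ELF_MAGIC)
    hits = []
    for ind in INDICATORS:
        if ind in data:
            hits.append((ind.decode(), "plain"))
        if xor_bytes(ind) in data:
            hits.append((ind.decode(), "xor-0xAF"))
    return {"name": name, "is_elf": is_elf,
            "disguised_elf": is_elf and Path(name).name in DISGUISE_NAMES,
            "indicator_hits": hits}


def scan_tree(root: str, max_bytes: int = 8 * 1024 * 1024) -> list:
    """Walk a directory and return findings for files worth a closer look."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            with path.open("rb") as fh:
                result = triage(str(path), fh.read(max_bytes))
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
        if result["disguised_elf"] or result["indicator_hits"]:
            findings.append(result)
    return findings


# Constructed sample (not a real Pickai binary): ELF magic plus one encoded string.
SAMPLE = ELF_MAGIC + b"\x02\x01\x01" + bytes(9) + xor_bytes(INDICATORS[0]) + b"\x00"
BENIGN = b'{"model": "sdxl", "steps": 30}'   # constructed ordinary config file
```

A hit is a lead for manual analysis rather than a verdict, and indicators located past max_bytes in a large file are not seen.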
Indicators of Compromise (IOC)
Type | Value |
---|---|
MD5 (Samples) | f9c955a27207a1be327a1f7ed8bcdcaa, 8680f76a9faaa7f62967da8a66f5a59c (x64), etc. |
Downloader URL | http://78.47.151.49:8878/wp-content/x64, https://rubick.ai/wp-content/tmux.conf |
C2 Servers | 80.75.169.227 (Egypt), 195.43.6.252 (Egypt), historyandresearch.com |