New ShadowRay Exploit Targets Vulnerability in Ray AI Framework to Attack AI Systems

Oligo Security researchers have uncovered an active global hacking campaign that leverages artificial intelligence to attack AI infrastructure.

The operation, dubbed ShadowRay 2.0, exploits a known yet disputed vulnerability in Ray, an open-source framework powering numerous AI systems worldwide, to seize control of computing clusters and conscript them into a self-replicating botnet capable of cryptojacking, data exfiltration, and distributed denial-of-service attacks.

In early November 2025, Oligo’s research team identified threat actors actively exploiting CVE-2023-48022 in Ray, the widely used open-source AI orchestration framework.

This represents the continuation of exploitation Oligo initially observed in late 2023, now formalized as MITRE Campaign C0045.

The attackers, operating under the alias IronErn440, have evolved their tactics significantly since the original ShadowRay discovery, transforming simple cryptojacking efforts into a sophisticated multi-purpose botnet infrastructure.

The campaign demonstrates remarkable operational agility. After Oligo reported the initial GitLab-hosted attack infrastructure on November 5, 2025, threat actors migrated to GitHub within days, establishing new repositories on November 10.

The lack of a definitive patch, coupled with the assumption that users would self-secure their clusters, has allowed threat actors to weaponize the same underlying weakness, culminating in the new ShadowRay v2 campaign.

Despite a GitHub takedown on November 17, attackers stood up replacement infrastructure on the same day, demonstrating the campaign’s ongoing persistence and automation.

Technical Sophistication

What distinguishes ShadowRay 2.0 is its use of artificial intelligence to attack AI systems.

Analysis reveals attackers leveraged LLM-generated payloads to accelerate and adapt their exploitation methods.

The campaign employed advanced evasion techniques, including limiting CPU usage to approximately 60 percent to avoid triggering detection systems, disguising malicious processes as legitimate Linux kernel workers, and hiding GPU usage from Ray’s monitoring infrastructure while silently consuming premium compute resources.
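One way to detect the kernel-worker disguise described above, added here as an example (not code from Oligo's report or from Ray): a genuine Linux kernel thread descends from kthreadd (PID 2), has an empty `/proc/<pid>/cmdline` and has no executable image, so a process with a kernel-thread name that breaks any of these is userland. The name pattern, record fields and the sample snapshot are assumptions constructed for illustration.

```python
import os
import re

# Name prefixes used by common kernel threads (illustrative, not exhaustive).
KTHREAD_NAME = re.compile(r"^\[?(kworker/|ksoftirqd/|kthreadd|migration/|rcu_|kswapd)")

def masquerade_reasons(proc):
    """List the properties that prove a kernel-looking process is userland."""
    if not (KTHREAD_NAME.match(proc["comm"]) or KTHREAD_NAME.match(proc["cmdline"])):
        return []
    reasons = []
    if proc["ppid"] not in (0, 2):       # real kernel threads descend from kthreadd
        reasons.append("parent is not kthreadd (PID 2)")
    if proc["cmdline"]:                  # kernel threads have an empty cmdline
        reasons.append("non-empty cmdline")
    if proc["exe"]:                      # kernel threads have no executable image
        reasons.append("has executable " + proc["exe"])
    return reasons

def read_proc(pid):
    """Read the same fields from a live /proc entry (run as root for full coverage)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    with open(f"{base}/stat") as f:      # "pid (comm) state ppid ..."
        ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return {"pid": pid, "ppid": ppid, "comm": comm, "cmdline": cmdline, "exe": exe}

def scan(procs):
    """Map PID -> reasons for every process flagged as a masquerade."""
    return {p["pid"]: r for p in procs if (r := masquerade_reasons(p))}

# Constructed snapshot: two real kernel threads, one normal job, one disguised process.
SAMPLE = [
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": "", "exe": None},
    {"pid": 37, "ppid": 2, "comm": "kworker/0:1", "cmdline": "", "exe": None},
    {"pid": 4098, "ppid": 1, "comm": "python3", "cmdline": "python3 train.py", "exe": "/usr/bin/python3"},
    {"pid": 4121, "ppid": 4098, "comm": "kworker/0:0", "cmdline": "[kworker/0:0]",
     "exe": "/tmp/placeholder/worker"},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On a live host, feed `scan()` with `read_proc(int(d))` for each numeric entry in `/proc`, skipping PIDs that exit mid-read.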

The attackers weaponized Ray’s legitimate orchestration features rather than exploiting traditional vulnerabilities.

By leveraging the NodeAffinitySchedulingStrategy API, they distributed malware across every node in compromised clusters. This represents lateral movement through infrastructure design, transforming Ray’s intended functionality into an attack vector.

The threat landscape has expanded dramatically. Since the original ShadowRay discovery, exposed Ray servers have increased tenfold from thousands to over 230,000 instances worldwide, with many belonging to active startups, research labs, and cloud-hosted AI environments.

Oligo identified compromised clusters with thousands of active nodes, some generating annual infrastructure costs exceeding four million dollars.

Evidence suggests the operation could trace back to September 2024, with automated discovery mechanisms identifying vulnerable Ray dashboards across multiple continents.

Attackers used oast.fun subdomains for free.

Attackers utilized out-of-band application security testing platforms, spraying payloads across internet-facing Ray instances and tracking successful compromises through callback mechanisms.

Multi-Layered Attack Objectives

Beyond cryptojacking, the campaign demonstrates capabilities extending to data exfiltration and infrastructure compromise.

Attackers discovered and exfiltrated database credentials, accessed proprietary AI models, stole source code and datasets, and deployed distributed denial-of-service tools including sockstress against production infrastructure.

GitLab username in one of the payload’s comments, probably leftovers of an older payload from an older repository.

Looked at the username, and found it was blocked, probably due to the same malicious activity by the group.

Multiple criminal groups competed for resources, actively terminating legitimate workloads and rival cryptominers to maximize profits.

The exploitation persists partly because CVE-2023-48022 remains “disputed”: Ray maintainers contend the vulnerability reflects a design feature that is safe only in strictly controlled network environments.

However, real-world deployments frequently expose Ray without heeding these warnings, creating an extended exploitation window that attackers have systematically weaponized.

Some payloads checked for EC2 Instances or machines with 4 CPUs (and at some point, the attackers increased it to a minimum of 8 CPUs).

Organizations deploying Ray should verify cluster configurations using Anyscale’s Ray Open Ports Checker, implement firewall rules restricting access, enable authentication on dashboard ports, and deploy runtime security monitoring for anomaly detection.

The incident underscores the critical importance of understanding open-source component configurations and maintaining continuous visibility into production AI infrastructure behavior.

The ShadowRay 2.0 campaign represents a fundamental shift in cloud security threats, demonstrating how attackers now weaponize legitimate cloud orchestration features and AI technologies against the systems they were designed to manage.
