ShadowRay 2.0 Hijacks AI Frameworks in Global Cryptojacking Campaign

The line between artificial intelligence and cybercrime blurs further as security researchers uncover a sprawling global campaign that weaponizes AI infrastructure against itself. Oligo Security has revealed that ShadowRay 2.0, an evolution of a threat first detected in 2024, is actively exploiting a known vulnerability in Ray — the open-source AI framework often called the “Kubernetes of AI” — to conscript computing clusters into a self-replicating cryptojacking botnet. As of November 10, 2025, the campaign has escalated dramatically, with attackers migrating their infrastructure to GitHub after their previous GitLab operations were shut down.

The Exploit Mechanics

At the core of ShadowRay 2.0 lies CVE-2023-48022, a disputed vulnerability in Ray that enables unauthenticated remote code execution through the framework’s Jobs API. Despite being disclosed in 2023, the flaw has never been directly patched because Ray’s maintainers classify the behavior as a design feature — safe only when deployed within strictly controlled network environments. In practice, however, thousands of organizations expose Ray dashboards to the public internet, creating a persistent attack surface that threat actors continue to exploit.

The group behind this campaign, operating under the name IronErn440, has elevated the attack to alarming sophistication. Security analysts confirm that the operators use LLM-generated payloads to accelerate and adapt their methods in real time. The malware limits CPU utilization to approximately 60 percent to evade detection, disguises malicious processes as legitimate system services, and conceals GPU usage from Ray’s built-in monitoring dashboards. This careful tuning allows the botnet to operate on premium compute resources for extended periods without triggering alerts.

Affected Systems

The scale of exposure has grown tenfold since Oligo’s original ShadowRay disclosure. Current scans reveal that more than 230,000 Ray servers are now exposed to the internet, up from just a few thousand when the vulnerability was first documented. The compromised clusters span multiple continents and belong to startups, research laboratories, and cloud-hosted AI environments. Evidence indicates the operation may have been active since September 2024, spreading autonomously through automated OAST-based discovery techniques.

With Bitcoin trading near $106,000 and the broader crypto market capitalization well above $3 trillion, the economic incentive for cryptojacking has never been stronger. Attackers compete for the same CPU resources, often terminating legitimate workloads and rival cryptominers to maximize their own profits. Multiple criminal groups have been observed fighting for control over the same exposed Ray clusters.

The Mitigation Strategy

Oligo Security originally reported the GitLab-based delivery infrastructure, leading to the removal of attacker repositories and accounts on November 5, 2025. However, within five days, IronErn440 had re-established operations on GitHub, creating multiple new accounts and repositories to continue distributing region-aware malware. The campaign remains active as of November 10, 2025.

Organizations running Ray deployments should immediately audit their infrastructure for internet-facing dashboards. The Ray security documentation recommends enforcing strict network isolation and using the official open-source port checker tool to verify proper configuration. Security teams should also monitor for unusual CPU and GPU consumption patterns, unexpected outbound network connections, and the presence of unfamiliar processes masquerading as system services.
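The two checks recommended above (find Ray dashboards bound to a public interface; look for throttled, disguised compute) can be turned into simple triage logic. The following is an added example written for this article, not code from Oligo Security, the Ray project, or its official port checker. It assumes Ray's documented default ports (8265 for the dashboard and Jobs API, 6379 for the GCS, 10001 for the Ray Client), `ss -ltnp`-style socket listings, and per-process CPU samples such as a collector would gather; the socket lines and process records below are constructed sample data. The 60 percent ceiling comes from the article; the tolerance, sample count and "system-looking" name list are tuning assumptions to adjust for your environment.

```python
"""Defender-side triage for exposed Ray ports and low-and-slow miner behaviour.

Added example, not code from the article, Oligo Security or the Ray project.
Assumptions: Ray default ports (8265 dashboard/Jobs API, 6379 GCS, 10001 Ray
Client), `ss -ltnp`-style listener output, and periodic CPU-percent samples.
"""
from statistics import mean, pstdev

RAY_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS", 10001: "Ray Client"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")
# Assumption: names a miner might borrow to blend in with kernel/system processes.
SYSTEM_LIKE_PREFIXES = ("kworker", "ksoftirq", "systemd", "sshd", "cron")


def find_exposed_ray_listeners(ss_lines):
    """Return (port, role, bind_address) for Ray ports listening on a wildcard address.

    A dashboard bound to 127.0.0.1 or a private interface is not reported;
    one bound to 0.0.0.0 or [::] is reachable from wherever the host is routable.
    """
    findings = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or non-listening socket
        addr, _, port = fields[3].rpartition(":")  # handles both 1.2.3.4:8265 and [::]:8265
        if not port.isdigit() or int(port) not in RAY_PORTS:
            continue
        if addr in WILDCARD_ADDRS:
            findings.append((int(port), RAY_PORTS[int(port)], addr))
    return findings


def looks_like_throttled_miner(cpu_samples, target=60.0, tolerance=5.0, min_samples=6):
    """True when CPU use sits in a flat band around `target` across every sample.

    Legitimate training jobs are bursty (data loading, checkpoints, epochs);
    a miner deliberately capped at ~60% produces an unusually flat trace.
    """
    if len(cpu_samples) < min_samples:
        return False
    return abs(mean(cpu_samples) - target) <= tolerance and pstdev(cpu_samples) <= tolerance / 2


def masquerading_as_system_service(name, exe_path):
    """System-service-looking process name whose binary lives outside system directories."""
    return name.startswith(SYSTEM_LIKE_PREFIXES) and not exe_path.startswith(SYSTEM_BIN_DIRS)


def triage_processes(procs):
    """procs: dicts with pid, name, exe and a list of CPU-percent samples.

    Returns [(pid, [reasons])] for processes matching either heuristic.
    """
    suspects = []
    for p in procs:
        reasons = []
        if looks_like_throttled_miner(p["cpu"]):
            reasons.append("flat ~60% CPU band")
        if masquerading_as_system_service(p["name"], p["exe"]):
            reasons.append("system-service name outside system dirs")
        if reasons:
            suspects.append((p["pid"], reasons))
    return suspects


# Constructed sample input (not real telemetry).
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'LISTEN 0      128    0.0.0.0:8265       0.0.0.0:*         users:(("ray",pid=4321,fd=12))',
    "LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*",
    "LISTEN 0      4096   [::]:10001         [::]:*",
    "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*",
]
SAMPLE_PROCS = [
    {"pid": 4321, "name": "kworker/u8:3", "exe": "/tmp/.x/kworker", "cpu": [58, 61, 59, 60, 62, 60]},
    {"pid": 2210, "name": "python3", "exe": "/usr/bin/python3", "cpu": [95, 30, 70, 10, 88, 55]},
    {"pid": 812, "name": "sshd", "exe": "/usr/sbin/sshd", "cpu": [0.1, 0.0, 0.2, 0.1, 0.0, 0.1]},
]

if __name__ == "__main__":
    for port, role, addr in find_exposed_ray_listeners(SAMPLE_SS):
        print(f"EXPOSED: Ray {role} on port {port} bound to {addr}")
    for pid, reasons in triage_processes(SAMPLE_PROCS):
        print(f"SUSPECT pid {pid}: {', '.join(reasons)}")
```

Run against live data by piping `ss -ltnp` into `find_exposed_ray_listeners` and feeding a few minutes of per-process CPU samples into `triage_processes`; the flat-band heuristic is a starting point for a rule, not a verdict, and is meant to be combined with the outbound-connection and GPU checks the article also recommends.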

Lessons Learned

The ShadowRay 2.0 campaign underscores a fundamental tension in the open-source AI ecosystem. Frameworks designed for rapid development and deployment often prioritize functionality over security hardening, leaving users responsible for implementing their own access controls and network segmentation. When that responsibility goes unheeded, the result is a growing fleet of vulnerable servers that threat actors can exploit for months or even years without detection.

The use of LLM-generated attack payloads also signals a new era in adversarial AI. Attackers are no longer limited by their own coding expertise; they can leverage the same large language models that power legitimate applications to generate, refine, and deploy malicious code at scale. This asymmetry between offensive and defensive capabilities demands a corresponding evolution in security tooling and practices.

User Action Required

For organizations and individuals running Ray or similar AI frameworks, immediate steps include verifying that all AI infrastructure sits behind authenticated firewalls, deploying runtime security monitoring capable of detecting anomalous workload behavior, and maintaining an inventory of all exposed services. The open-source community must also reconcile the tension between developer convenience and secure defaults — because as long as 230,000 servers remain exposed, campaigns like ShadowRay 2.0 will continue to find fertile ground.

10 thoughts on “ShadowRay 2.0 Hijacks AI Frameworks in Global Cryptojacking Campaign”

    1. defi_miner_: bear markets don't stop attackers. if anything the lower hash rates make cryptojacking more profitable per compromised machine

  1. LLM-generated payloads that limit CPU to 60% to evade detection. the sophistication here is next level compared to 2024 cryptojackers

    1. ml_ops_: the CPU throttling to 60% is the part that scares me. most monitoring tools alert on sustained 90%+ usage. these payloads fly completely under the radar

  2. Tomas Ribeiro: moving from gitlab to github after the takedown is bold. they know DMCA response times are slow on public repos. probably hosting the payloads as releases

    1. Tomas R.: the maintainer calling it a design feature while thousands of clusters get drained is peak open source governance failure. patch it or lose users, pick one
