A newly identified Go botnet, dubbed NadMesh, has emerged in early July, specifically targeting and compromising exposed AI services. Researchers from QiAnXin’s XLab reported that the botnet operator’s own dashboard boasts over 3,800 unique AWS keys, indicating a significant focus on exfiltrating cloud credentials and access privileges from compromised systems. This threat highlights the evolving landscape of cyberattacks, with malicious actors now actively seeking to exploit the rapidly expanding infrastructure of artificial intelligence tools.
NadMesh employs a Shodan harvester to continuously scan for vulnerable AI-related services. Its primary targets include ComfyUI, a popular interface for Stable Diffusion; Ollama, which facilitates running local large language models; n8n, a workflow automation tool; Open WebUI, a user-friendly interface for LLMs; Langflow, a framework for building LLM applications; and Gradio, a tool for creating interactive UIs for machine learning models. These are often deployed quickly by development teams, creating a window of vulnerability before robust security measures are implemented.
NadMesh Botnet Exploits Exposed AI Services for Cloud Credentials
The intelligence gathered by NadMesh reveals a concerning pattern of successful credential theft and the inventorying of machine learning models. In its last 100 records, the botnet reported 47 credential hauls and 41 model inventories. The inventories include identifiers for popular models like DeepSeek, GLM, and Kimi, often tagged with “:cloud,” suggesting that the bots are not only cataloging deployed models but also identifying their cloud-based infrastructure.
QiAnXin’s XLab published a detailed report on NadMesh, deriving its name from a distinctive string found within the malware’s source code. The report includes screenshots of the operator’s dashboard, presenting figures from July 10. However, these internal statistics appear inconsistent. For instance, a counter claiming 17,700 total deployments is juxtaposed with a funnel indicating 95,700 deployments in the preceding 24 hours. Similarly, the number of active bots fluctuates between 16 and 12 on adjacent dashboard tiles. Despite these internal discrepancies, the reported number of 47 credential hauls is mentioned twice.
External telemetry offers a different perspective on NadMesh’s activity. XLab’s sensors indicated minimal distinct source IPs pushing NadMesh traffic through late June. This number then surged dramatically in the first week of July, reaching approximately 139 unique IPs per day. This sharp increase underscores the botnet’s rapid expansion and its growing operational footprint.
The primary objective of NadMesh is not to compromise the host machines themselves, but rather to extract valuable cloud credentials, Kubernetes cluster privileges, and access to AI models and Machine Control Plane (MCP) tools. The malware achieves this by collecting cloud keys from environment variables, Kubernetes service account tokens, and configuration files such as `~/.aws/config`, `.env`, and `~/.docker/config.json`.
According to the researchers, the operator prioritizes exploitation of MCP, placing it above Kubernetes, Docker API, and Redis. The documented exploitation vector for MCP involves a JSON-RPC call to `execute_command`. While no specific CVE is attached to this particular method in the report, the widespread vulnerabilities in older MCP deployments, which often omit authentication, make them an attractive target.
MCP’s initial specification left authentication as an optional feature, and the authorization flow added in March 2025 remains optional within the protocol’s specifications. This lack of mandatory authentication has led to many deployments skipping it entirely. Data from Censys indicated a significant number of reachable MCP services, with over 12,520 identified across 8,758 IP addresses in April, a figure that rose to more than 21,000 by early May. Notably, around 90 of these advertised a tool capable of executing commands.
On 39 of these vulnerable MCP services, the command execution tool was specifically named `execute_command`, matching the method at the top of NadMesh’s exploitation priority list. However, the botnet’s internal counters for exploitable MCP services, while large at 12,100, do not align with the reported 21 identified MCP vulnerabilities, and critically, none of the 100 recent intel records on screen show any exploitation of known MCP CVEs.
Observing the actual exploit traffic, XLab noted that the Docker containers API remote code execution (RCE) accounted for 30.31% of the observed attempts. Jenkins scriptText RCE followed at 22.28%, with Telnet weak passwords at 10.36% and Redis at 8.29%. The `mcp_cmd_execute` vector, although present in XLab’s observed traffic at 0.78%, appears to be a less frequent target compared to other methods, indicating that while it is a vector, it is not the primary focus of the observed exploit attempts.
The scanning and rescan mechanisms employed by NadMesh are highly efficient. Subnets that yield successful compromises are subjected to more frequent sampling every five minutes. IP addresses identified as dangerous within the last 24 hours are re-scanned every fifteen minutes with specific AI ports prioritized. Any target that withstands ten deployment attempts without returning a result is automatically blacklisted as a suspected honeypot, a move XLab interprets as evidence of the operator’s awareness of security researchers’ monitoring efforts.
NadMesh utilizes multiple build versions concurrently, with some bots running on newer Go versions while others operate on older ones. A canary endpoint is used to test new builds on a subset of the botnet fleet before wider deployment. The botnet’s persistence mechanism is designed to be robust, employing multiple methods simultaneously. Furthermore, each build undergoes obfuscation and packing techniques, ensuring that no two agent samples share identical hashes, making detection through signature-based methods challenging.
Mitigation Strategies Against NadMesh and Similar Threats
Many of NadMesh’s attack vectors target exposed services and administrative functionalities that are left accessible to the public internet. These include open Docker APIs on port 2375, unauthenticated Redis instances, weak Telnet and SSH passwords, and Jenkins script consoles. While these are well-known vulnerabilities, their continued presence underscores a persistent security oversight. There are no immediate patches for these inherent misconfigurations; instead, remediation requires securing these services behind proper authentication or removing them from public accessibility.
Key ports that NadMesh prioritizes in its rescan jobs include 8188 (ComfyUI), 11434 (Ollama), 7860 (Gradio), and 5678 (n8n). Securing these ingress points should be an immediate priority for organizations utilizing these AI tools.
The botnet also exploits known vulnerabilities, including CVE-2026-39987, a pre-authentication RCE in Marimo notebooks before version 0.23.0, which was actively exploited shortly after its disclosure. Another identified vulnerability is CVE-2026-41176, allowing unauthenticated callers to modify `rc.NoAuth` on rclone RC servers. However, older vulnerabilities like CVE-2022-22947 and CVE-2017-12611 still represent risks if their specific exploitation conditions are met.
Organizations should also scrutinize their systems for unexpected persistence mechanisms in locations such as `~/.ssh/authorized_keys`, temporary directories like `/dev/shm/.a`, `/var/tmp/.a`, `/tmp/.a`, and cron job directories (`/etc/cron.d/.sys_monitor`, `/etc/cron.d/.s`).
If any signs of compromise are detected, immediate action is crucial. This includes isolating the affected host, revoking all cloud credentials, cluster tokens, `.env` file contents, and registry logins that the compromised system could access. It is imperative to remove persistence mechanisms before issuing new credentials to prevent them from being immediately compromised as well. A thorough review of where compromised credentials were used during their active period is also recommended.
XLab has provided indicators of compromise (IOCs) including a command-and-control (C2) server at 209.99.186[.]235, the domain `cdnorigin[.]net`, and a specific agent sample hash (SHA1 31c69b3e12936abca770d430066f379ec1d997ec).
The emergence of NadMesh follows a similar trend observed in April, where another operator was found exploiting exposed ComfyUI instances for cryptocurrency mining and to establish proxy nodes. While the earlier threat primarily targeted the GPU resources, NadMesh signifies a shift towards the theft of valuable cloud credentials and access. The continuous evolution of these threats underscores the critical need for proactive security measures, rigorous patch management, and continuous monitoring of exposed services, especially within the burgeoning AI ecosystem. The next likely development will be the emergence of further botnets targeting similar AI infrastructure or attackers refining their methods to bypass existing detection mechanisms.

