Botnet Analysis: A Product-Grade Threat for the AI Service Era
Essential information
- Published
- 17/07/2026 13:27
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai infrastructure targeting autonomous scanning botnet credential harvesting cve-2016-0638 go-based kubernetes compromise mcp exploitation nadmesh polymorphic shodan intelligence
- Related entities
- 1 vulnerabilities (cve), 3 indicators, 2 observables, 20 techniques (mitre), 1 malware
Description
NadMesh is an industrial-grade Go-based botnet observed in July 2026 that autonomously scans and exploits AI infrastructure and cloud services. The botnet integrates scanning, exploitation, and intelligence harvesting into a single platform targeting over 90 cloud provider address ranges. It employs 20+ exploitation vectors against Redis, Docker, MCP, Kubernetes, and other services, with particular focus on AI platforms like ComfyUI, Ollama, and Gradio discovered via Shodan API. NadMesh features a web-based management panel, polymorphic builds using Garble obfuscation and UPX packing, and redundant persistence mechanisms including SSH backdoors, agent processes, and cron watchdogs. The operation demonstrates clear commercial intent with conversion funnel statistics, canary updates, and automated task supply loops that amplify high-yield subnets. It harvests cloud credentials, Kubernetes tokens, AI model access, and MCP service intelligence.