216.73.216.197

Botnet Analysis: A Product-Grade Threat for the AI Service Era

· Published 17/07/2026 13:27

Export JSON

Essential information

Published
17/07/2026 13:27
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
ai infrastructure targeting autonomous scanning botnet credential harvesting cve-2016-0638 go-based kubernetes compromise mcp exploitation nadmesh polymorphic shodan intelligence
Related entities
1 vulnerabilities (cve), 3 indicators, 2 observables, 20 techniques (mitre), 1 malware

Description

NadMesh is an industrial-grade observed in July 2026 that autonomously scans and exploits AI infrastructure and cloud services. The integrates scanning, exploitation, and intelligence harvesting into a single platform targeting over 90 cloud provider address ranges. It employs 20+ exploitation vectors against Redis, Docker, MCP, Kubernetes, and other services, with particular focus on AI platforms like ComfyUI, Ollama, and Gradio discovered via Shodan API. NadMesh features a web-based management panel, builds using Garble obfuscation and UPX packing, and redundant persistence mechanisms including SSH backdoors, agent processes, and cron watchdogs. The operation demonstrates clear commercial intent with conversion funnel statistics, canary updates, and automated task supply loops that amplify high-yield subnets. It harvests cloud credentials, Kubernetes tokens, AI model access, and MCP service intelligence.

External references