{
  "name": "ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet",
  "slug": "shadowray-20-active-global-campaign-hijacks-ray-ai-infrastructure-into-self-propagating-botnet",
  "description": "A global hacking campaign dubbed ShadowRay 2.0 has been discovered, exploiting a vulnerability in the Ray AI framework (CVE-2023-48022) to seize control of computing clusters and create a self-propagating botnet. The attackers use GitLab and GitHub for payload delivery, leveraging AI-generated code to adapt their methods. The campaign has evolved from simple cryptojacking to a sophisticated multi-purpose botnet capable of DDoS attacks and data exfiltration. The operation targets exposed Ray clusters worldwide, utilizing DevOps-style infrastructure for real-time malware updates. This campaign highlights the growing attack surface in AI workloads and the risks associated with vulnerabilities whose status is disputed.",
  "published": "2025-11-19T03:25:24+00:00",
  "created_at": "2025-11-19T03:25:24+00:00",
  "modified_at": "2025-11-19T07:54:28+00:00",
  "created_at_opencti": "2025-11-19T03:25:24+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-19",
    "CVE-2023-48022",
    "ai infrastructure",
    "botnet",
    "cryptojacking",
    "data exfiltration",
    "ddos",
    "devops",
    "ray framework",
    "self-propagation",
    "sockstress",
    "xmrig"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:7183cad658f1ba60",
        "name": "sockstress",
        "slug": "sockstress"
      },
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "intrusion_sets": [
      {
        "id": "b3a01fb2-b642-440b-a92a-9f24e8e25f88",
        "name": "IronErn440",
        "slug": "ironern440"
      }
    ],
    "attack_patterns": [
      {
        "id": "894026fa-e537-4b95-b612-7dd8bc367a0d",
        "name": "T1078.001"
      },
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "3e753709-1776-42f4-b465-278cb5f6ea6b",
        "name": "T1614"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "6a495275-5433-4b64-90e5-18b9f07296da",
        "name": "T1072"
      }
    ]
  },
  "external_refs": [
    "https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet",
    "https://otx.alienvault.com/pulse/691d46b4135d2acc04876592"
  ]
}