Security researchers at Oligo Security have uncovered a massive, fast-evolving cyberattack campaign hijacking exposed Ray AI clusters worldwide through the long-standing ShadowRay vulnerability (CVE-2023-48022). The campaign shows a dramatic escalation in both scale and sophistication, representing one of the world’s first cases of AI-generated malware used to attack AI infrastructure.
This is the same flaw Oligo discovered being actively exploited in late 2023—and attackers have now weaponized it on a global scale.
Oligo states the new wave of attacks is far more advanced than the original ShadowRay incidents. The threat actor—operating under the alias IronErn440—has transformed Ray’s legitimate orchestration functions into a self-propagating, globally distributed botnet, capable of:
- Cryptomining
- Lateral movement across entire clusters
- Data exfiltration
- Reverse shell access
- DDoS attacks
- Automated worm-like propagation to new Ray servers
Oligo cautions that: “This isn’t just another cryptojacking campaign. It’s the foundation of a multi-purpose botnet capable of DDoS attacks, data exfiltration, and global autonomous propagation.”
One of the headline revelations is that attackers are now leveraging LLMs to accelerate exploitation.
Oligo reports: “Our analysis shows attackers leveraged LLM-generated payloads to accelerate and adapt their methods.”
Payloads contained docstrings, unnecessary comments, and verbose logic—clear signs of AI-generated code. The attackers then iteratively refined the scripts through GitLab/GitHub commits, effectively creating a malware CI/CD pipeline.
Perhaps the most alarming statistic: “In fact, there are now more than 230,000 Ray servers exposed to the internet, in contrast to the few thousand we observed during our initial ShadowRay discovery.”
This tenfold increase massively widens the attack surface and explains the explosive spread of ShadowRay 2.0.
Oligo’s timeline shows rapid adaptation:
- Wave 1 — GitLab campaign shut down Nov 5
- Wave 2 — Attackers reappear on GitHub Nov 10
- Repo taken down Nov 17
- New repo created hours later
Oligo notes: “The attackers’ persistence and agility… demonstrate the campaign remains active.”
While certain related issues were patched, CVE-2023-48022 itself was never directly fixed. Ray's maintainers state that Ray is intended for secure internal networks only: "Security and isolation must be enforced outside of the Ray Cluster."
However, in practice, thousands of organizations still expose Ray dashboards to the internet, often unknowingly.
Oligo highlights the risk: “What is also highly concerning is that this vulnerability is ‘disputed’… users often deploy Ray without heeding this warning.”
This creates a perfect storm for attackers.
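The practical follow-up to this point is an inventory check: confirm that no Ray dashboard on your hosts is listening where anything beyond the machine itself can reach it. The script below is an added example, not code from Oligo's report or from the Ray project. It parses the output of Linux `ss -ltnp` and reports dashboard-port sockets bound to anything other than loopback; it assumes Ray's default dashboard port 8265 (change `RAY_DASHBOARD_PORT` if your cluster overrides it), and the embedded `ss` output is a constructed sample so the script runs offline.

```python
"""Flag Ray dashboard listeners reachable from outside the host.

Added example; not code from the Oligo report or the Ray project. It parses
`ss -ltnp` output (Linux) and reports any socket on the Ray dashboard port
that is bound to something other than loopback. Assumed: Ray's default
dashboard port 8265; adjust if your cluster overrides it.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

RAY_DASHBOARD_PORT = 8265  # Ray default (assumption: your cluster uses it)

# Constructed sample of `ss -ltnp` output for offline demonstration.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8265      0.0.0.0:*         users:(("ray",pid=4242,fd=12))
LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*         users:(("python",pid=4243,fd=9))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
LISTEN 0      128    10.0.0.5:6379       0.0.0.0:*         users:(("raylet",pid=4244,fd=4))
"""

_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def exposure(address: str) -> str:
    """Classify a bind address as 'loopback', 'all-interfaces' or 'interface'."""
    addr = address.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and scope id
    if addr in ("*", ""):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "interface"


def parse_ss_listeners(text: str) -> list[Listener]:
    """Turn `ss -ltnp` lines into Listener records; non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")  # "Local Address:Port" column
        m = _PROC_RE.search(line)
        process = f"{m['name']}({m['pid']})" if m else "?"
        listeners.append(Listener(host, int(port), process))
    return listeners


def find_exposed_dashboards(text: str, port: int = RAY_DASHBOARD_PORT) -> list[tuple[Listener, str]]:
    """Return (listener, exposure) for dashboard-port sockets not confined to loopback."""
    findings = []
    for lst in parse_ss_listeners(text):
        if lst.port != port:
            continue
        kind = exposure(lst.address)
        if kind != "loopback":
            findings.append((lst, kind))
    return findings


def main() -> None:
    """Check the live host; fall back to the constructed sample if `ss` is absent."""
    try:
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ss not available; using constructed sample output")
        text = SAMPLE_SS_OUTPUT
    for lst, kind in find_exposed_dashboards(text):
        print(f"EXPOSED: {lst.address}:{lst.port} [{kind}] by {lst.process}")


if __name__ == "__main__":
    main()
```

Run it on each Ray head node. Ray binds the dashboard to 127.0.0.1 unless it is started with `--dashboard-host 0.0.0.0`, so an `all-interfaces` finding on a host with a public address is exactly the exposure this campaign depends on; an `interface` finding on a private address is only acceptable if that network is isolated the way Ray's guidance requires.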