
The Sysdig Threat Research Team (TRT) has uncovered a malicious campaign exploiting a misconfigured Open WebUI instance—an AI interface for customizing large language models (LLMs)—to deploy cryptominers, infostealers, and even AI-assisted malware.
The entry point was a publicly exposed Open WebUI deployment with admin access and no authentication. Open WebUI, which has over 95,000 GitHub stars, allows extensible plugin uploads—an avenue the attackers leveraged to deploy a malicious AI-generated Python script.
Sysdig notes: “Once uploaded as an Open WebUI Tool, the malicious Python code was executed… the attackers likely used an automated script to add the Tool.”
Open WebUI’s exposure isn’t rare. A simple Shodan query reveals over 17,000 publicly accessible instances, many potentially vulnerable.

The malicious script was heavily obfuscated using PyObfuscator, forming what Sysdig dubbed the pyklump technique. The payload was encoded in Base64 and reversed 64 times, then executed via Python’s exec() function. The decoded script revealed capabilities to:
- Download and install cryptominers (T-Rex, XMRig)
- Evade detection using custom C-based loaders
- Establish persistence via systemd
- Exfiltrate data via Discord webhooks
“The Windows payload is sophisticated and almost undetectable,” Sysdig warns.
The code also displayed telltale signs of AI assistance, such as highly structured logic, verbose formatting, and LLM-style variable usage. According to a ChatGPT code detector:
“Highly likely (~85–90%) is AI-generated or heavily AI-assisted.”
Once installed, the malware copied itself into the victim’s .config directory and executed two miners connected to:
- pool.supportxmr[.]com:443 (Monero)
- rvn.2miners[.]com:6060 (Kawpow)
Advanced defense evasion techniques included compiling inline C source code at runtime:
- processhider filters its name from system utilities like ps
- argvhider hooks into main() and clears mining arguments from /proc/[pid]/cmdline
“The original argument is erased from memory, making it invisible to observers.” Persistence was achieved via a systemd service named ptorch_updater, disguised to look like a legitimate AI tool component.
On Windows, the attack path pivoted:
- Java Development Kit (JDK) was downloaded to execute a malicious JAR loader
- The loader extracted and executed hidden binaries like INT_D.DAT and INT_J.DAT
“The downloaded JAR file… is a Java-based loader that executes a secondary malicious JAR.” These components featured:
- Agent-based DLL injection
- Infostealers targeting Chrome, Discord, and system tokens
- Use of WebSockets and PowerShell for command-and-control
DLLs such as app_bound_decryptor.dll used XOR encoding, named pipes, and sandbox evasion to avoid analysis.
The attackers actively exfiltrated:
- Discord tokens
- Chrome extension credentials
- System hardware data
Their Monero wallet (XMR) remains untraceable, but the Ravencoin wallet showed earnings near $700, revealing a financially motivated campaign.
LLMs and their plugin ecosystems can be abused to automate malware delivery. As attackers evolve, defenders must stay ahead with real-time, behavior-based security.