
In a concerning development for AI infrastructure security, XLab has uncovered an active exploitation campaign targeting ComfyUI—a widely adopted framework used to deploy large AI image-generation models. The attackers are delivering a stealthy C++ backdoor dubbed Pickai, already responsible for compromising nearly 700 servers worldwide. The Chinese National Cybersecurity Notification Center issued a high-risk warning on May 27, 2025, urging immediate defensive action due to active exploitation.
“With the rapid rise of privately deployed AI models across industries, ComfyUI… has inevitably become a prime target for cyberattacks,” XLab warned in its technical analysis.

Pickai (named as a play on “pickpocket”) is a lightweight but potent Linux backdoor capable of remote command execution and reverse shell access. Its hallmark features include:
- Host-side stealth: Anti-debugging techniques, process name spoofing, and robust persistence.
- Network resilience: Multi-tier command-and-control (C2) failover across hardcoded domains.
Upon reverse engineering, XLab discovered one of the malware’s domains—h67t48ehfth8e[.]com—was unregistered. Seizing the opportunity, XLab registered it and observed telemetry from at least 695 infected servers, primarily located in Germany, the U.S., and China.
“The attacker reacted by updating Pickai to use a new domain—historyandresearch[.]com—with a 5-year expiration window, signaling a deliberate and persistent stance against takedown efforts.”
More alarmingly, Pickai samples were discovered hosted on the official site of Rubick.ai, a commercial AI platform supporting e-commerce operations for over 200 major brands, including Amazon, Myntra, The Luxury Closet, and Hudson Bay. This raises significant concerns about downstream malware propagation and makes the incident a supply chain attack.
Despite XLab’s notification to Rubick.ai on May 3, no public response has been issued.
XLab’s technical breakdown of Pickai reveals:
Encrypted strings reside in the .rodata section and are XORed with 0xAF. A custom IDAPython script facilitates static analysis and reveals critical configuration, such as:
- C2 server addresses
- Process spoofing options
- Persistence service names
Pickai copies itself to multiple locations and mimics legitimate Linux system services:
| File Path | Service Name |
|---|---|
| /usr/bin/auditlogd | auditlogd |
| /sbin/dmesglog | dmesglog |
| /var/run/healthmon | healthmon |
For non-root users, persistence is achieved via systemd in user space, using names like nano, vim, and ssh.config to avoid suspicion.
“Pickai appends random data to the end of each file—clearly aiming to evade hash-based detection.”
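One way to keep hash matching useful against the appended-data behaviour quoted above, as an added example that is not XLab's tooling or code from the original article: hash only the bytes that the ELF64 headers account for and report the size of any trailer. It assumes the appended data sits after everything the headers reference and that the copies are otherwise byte-identical; `build_sample_elf` is a constructed, non-functional skeleton used as sample input.

```python
import hashlib
import os
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header
SHT_NOBITS = 8                              # .bss-style sections occupy no file bytes


def elf_logical_end(data: bytes) -> int:
    """Return the offset just past the last byte any ELF64 structure refers to."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = EHDR.unpack_from(data, 0)
    end = max(EHDR.size, phoff + phnum * phentsize, shoff + shnum * shentsize)
    for i in range(phnum):
        p = PHDR.unpack_from(data, phoff + i * phentsize)
        end = max(end, p[2] + p[5])          # p_offset + p_filesz
    for i in range(shnum):
        s = SHDR.unpack_from(data, shoff + i * shentsize)
        if s[1] != SHT_NOBITS:
            end = max(end, s[4] + s[5])      # sh_offset + sh_size
    return min(end, len(data))


def normalized_sha256(data: bytes) -> tuple[str, int]:
    """Hash only the ELF image; also return how many trailing bytes were ignored."""
    end = elf_logical_end(data)
    return hashlib.sha256(data[:end]).hexdigest(), len(data) - end


def build_sample_elf() -> bytes:
    """Constructed, non-functional ELF64 skeleton used only to exercise the parser."""
    body = b"\x90" * 32
    body_off = EHDR.size + PHDR.size
    shoff = body_off + len(body)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 2, 62, 1, 0, EHDR.size,
                     shoff, 0, EHDR.size, PHDR.size, 1, SHDR.size, 2, 0)
    phdr = PHDR.pack(1, 5, 0, 0, 0, shoff, shoff, 0x1000)
    null_sh = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = SHDR.pack(0, 1, 6, 0, body_off, len(body), 0, 0, 16, 0)
    return ehdr + phdr + body + null_sh + text_sh


if __name__ == "__main__":
    for n in (16, 300):                      # two copies with different random trailers
        print(normalized_sha256(build_sample_elf() + os.urandom(n)))
```

A non-zero trailer length on a system binary is itself worth a look, since most toolchains emit nothing after the section header table.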
Pickai’s protocol revolves around simple, padded 1024-byte packets using keywords like LISTEN|, UPDATE|, and STATUS|. The malware checks in with its C2 every two minutes for commands and rotates through a priority list of C2s every 12 hours.
XLab also captured live command activity:
“We implemented Pickai’s protocol in XLab’s command tracking system and observed only two instructions on June 6, both triggering reverse shells.”
Pickai’s multi-instance, multi-path persistence strategy means removal is no simple task. According to XLab:
“Pickai’s redundant persistence mechanisms give it the traits of a stubborn trojan—any leftover copy can trigger a full resurgence.”