In a concerning development for AI infrastructure security, XLab has uncovered an active exploitation campaign targeting ComfyUI, a widely adopted framework used to deploy large AI image-generation models. The attackers are delivering a stealthy C++ backdoor dubbed Pickai, already responsible for compromising nearly 700 servers worldwide. The Chinese National Cybersecurity Notification Center issued a high-risk warning on May 27, 2025, urging immediate defensive action due to active exploitation.
"With the rapid rise of privately deployed AI models across industries, ComfyUI… has inevitably become a prime target for cyberattacks," XLab warned in its technical analysis.

Pickai (named as a play on "pickpocket") is a lightweight but potent Linux backdoor capable of remote command execution and reverse shell access. Its hallmark features include:
- Host-side stealth: Anti-debugging techniques, process name spoofing, and robust persistence.
- Network resilience: Multi-tier command-and-control (C2) failover across hardcoded domains.
Upon reverse engineering, XLab discovered one of the malware's domains, h67t48ehfth8e[.]com, was unregistered. Seizing the opportunity, XLab registered it and observed telemetry from at least 695 infected servers, primarily located in Germany, the U.S., and China.
"The attacker reacted by updating Pickai to use a new domain, historyandresearch[.]com, with a 5-year expiration window, signaling a deliberate and persistent stance against takedown efforts."
More alarmingly, Pickai samples were discovered hosted on the official site of Rubick.ai, a commercial AI platform supporting e-commerce operations for over 200 major brands, including Amazon, Myntra, The Luxury Closet, and Hudson Bay. This raises significant concerns about downstream malware propagation, making it a supply chain attack.
Despite XLab's notification to Rubick.ai on May 3, no public response has been issued.
XLab's technical breakdown of Pickai reveals:
Encrypted strings reside in the .rodata section and are XORed with 0xAF. A custom IDAPython script facilitates static analysis and reveals critical configuration, such as:
- C2 server addresses
- Process spoofing options
- Persistence service names
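
The XOR decoding described above can be reproduced outside IDA for quick triage of a sample. The following is an added example, not XLab's IDAPython script: the category labels, the NUL-terminated layout of the sample, and the domain `c2.example.invalid` are assumptions constructed for illustration.

```python
import re

KEY = 0xAF  # single-byte XOR key XLab reports for Pickai's .rodata strings
# Service names taken from the persistence table on this page.
SERVICE_NAMES = {"auditlogd", "dmesglog", "healthmon"}
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def decode_strings(blob, key=KEY, min_len=5):
    """Return (offset, text) for printable-ASCII runs in blob XOR key."""
    # Plain ASCII has bit 7 clear, so XOR with 0xAF pushes it out of the
    # printable range: ordinary plaintext strings are not reported.
    plain = bytes(b ^ key for b in blob)
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, plain)
    return [(m.start(), m.group().decode("ascii")) for m in runs]

def classify(text):
    """Heuristic label for a decoded string (categories are assumed)."""
    if text in SERVICE_NAMES:
        return "service-name"
    if text.endswith("|") and text[:-1].isupper():
        return "protocol-keyword"
    if text.startswith("/"):
        return "path"
    if DOMAIN.match(text):
        return "domain"
    return "other"

def triage(blob):
    """Decode and label strings; defang domains before reporting them."""
    out = []
    for offset, text in decode_strings(blob):
        kind = classify(text)
        shown = text.replace(".", "[.]") if kind == "domain" else text
        out.append((offset, kind, shown))
    return out

def _enc(s):
    """Build constructed test data: NUL-terminate, then XOR with KEY."""
    return bytes(b ^ KEY for b in s.encode() + b"\x00")

# Constructed sample: one plaintext string followed by four encoded ones.
SAMPLE = b"GCC: (GNU) 12.2.0\x00" + b"".join(
    _enc(s) for s in ("c2.example.invalid", "/usr/bin/auditlogd",
                      "auditlogd", "STATUS|"))
```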
Pickai copies itself to multiple locations and mimics legitimate Linux system services:
| File Path | Service Name |
|---|---|
| /usr/bin/auditlogd | auditlogd |
| /sbin/dmesglog | dmesglog |
| /var/run/healthmon | healthmon |
For non-root users, persistence is achieved via systemd in user space, using names like nano, vim, and ssh.config to avoid suspicion.
"Pickai appends random data to the end of each file, clearly aiming to evade hash-based detection."
Pickai's protocol revolves around simple, padded 1024-byte packets using keywords like LISTEN|, UPDATE|, and STATUS|. The malware checks in with its C2 every two minutes for commands and rotates through a priority list of C2s every 12 hours.
XLab also captured live command activity:
"We implemented Pickai's protocol in XLab's command tracking system and observed only two instructions on June 6, both triggering reverse shells."
Pickai's multi-instance, multi-path persistence strategy means removal is no simple task. According to XLab:
"Pickai's redundant persistence mechanisms give it the traits of a stubborn trojan: any leftover copy can trigger a full resurgence."