At a Glance
- Malware Family: Mycelium Framework
- Threat Actor: Unknown (suspected underground developer)
- Targets or Victims: Enterprise infrastructure
- Delivery Vector: Automated exploits, brute-force attacks
- Key Capabilities: AI inference, distributed computing, credential theft
- Source: Flare
TL;DR
Security researchers from Flare recently identified a new underground threat called the Mycelium Framework. Specifically, this malware operates as an AI-as-a-Service botnet. Therefore, it turns compromised systems into a distributed computing cluster for malicious tasks.
Delivery
Threat actors distribute the Mycelium Framework using an autonomous exploit engine. First, the malware targets internet-facing enterprise applications. Moreover, it includes more than 20 remote code execution modules. These modules attack systems like Microsoft Exchange, VMware vCenter, and GitLab. Additionally, the malware uses context-aware brute-force attacks. It targets SSH, SMB, and RDP services to spread laterally across networks.
Infection Chain
The framework uses a modular core loader. Subsequently, it dynamically loads plugins for different tasks. Interestingly, the malware does not treat infected machines as disposable bots. Instead, it classifies compromised systems based on their available resources. For example, it checks for CPU power, GPU access, local AI models, and stolen API keys.
The controller then assigns workloads dynamically. Premium nodes might run stolen GPT-4 sessions. Meanwhile, lower-tier nodes handle basic scanning or password cracking. Ultimately, this system creates a malicious compute cluster called NetGrid.

Command-and-Control and Data-Exfiltration
The Mycelium Framework uses an IRC-based command-and-control system. Furthermore, operators secure their communications using AES-256 encryption. This setup allows centralized management of thousands of nodes. The malware also includes a dedicated browser forensics module. Specifically, it extracts passwords, cookies, and browsing history from modern web browsers.
Attackers use this data to hijack active AI sessions and enterprise accounts. Moreover, the framework feeds stolen communication history into its internal AI engine. Consequently, the botnet generates highly personalized social engineering messages.
Defense or Detection Guidance
Defenders must patch external-facing enterprise applications immediately. Also, security teams should monitor network traffic for unexpected IRC communications. Organizations need to track unusual outbound connections to known AI service APIs. In addition, endpoint protection platforms should watch for unauthorized modifications to system startup files. Finally, analysts recommend rotating exposed API keys to prevent abuse by this AI-as-a-Service botnet.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.