Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

Summary

A coordinated campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptocurrency mining and proxy botnet. The attack uses a purpose-built Python scanner that continuously probes cloud IP ranges and automatically installs malicious nodes through ComfyUI-Manager, establishing persistence and command-and-control infrastructure for illicit mining operations.

Indicators of Compromise

• malware — ComfyUI cryptomining botnet

Entities