Security researchers at Oligo Security said an ongoing campaign they call ShadowRay 2.0 has been active since at least September 2024, using internet‑facing instances of the open source Ray distributed computing framework to deploy a self‑replicating botnet that cryptomines, steals data and conducts distributed denial‑of‑service attacks.
Oligo and other researchers point to a critical, unpatched flaw tracked as CVE-2023-48022, which allows unauthenticated remote code execution via Ray's dashboard API and carries a CVSS score of 9.8. The vendor that developed Ray has said the framework is not intended for use outside a strictly controlled network environment and published an update in a blog post; control of the project was recently transferred, as described in an announcement that Ray had been handed off.
Oligo researchers said the attackers, operating under the name IronErn440, have reached every Ray server the team inspected and are focusing on large clusters and GPU environments, with some exposed deployments worth millions of dollars in annual compute capacity. The researchers reported instances of lateral movement within victim networks, pivoting to non‑internet‑facing nodes, and access to proprietary assets including AI models, datasets, source code and cloud and database credentials.
The campaign uses a mix of automated discovery and built-in Ray orchestration features, the researchers said. Attackers used the open source tool interact.sh to identify vulnerable dashboards by callback, then abused unauthenticated job submission to deploy multi-stage Python payloads. The operation also steals compute capacity by abusing Ray's scheduling features, such as NodeAffinitySchedulingStrategy, to run code on many nodes, and it caps resource usage at about 60 percent to reduce the chance of detection. The payloads check for GPUs via nvidia-smi, include region-aware behavior, and use multiple AWS-hosted command-and-control channels.
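As an added illustration from the defender's side (this is not Oligo's or the Ray project's code), the audit below scans Ray job records for the indicators the report describes: an interact.sh callback, payload fetches from GitLab or GitHub, a GPU probe via nvidia-smi, and cross-node spreading through NodeAffinitySchedulingStrategy. The records are modelled on the `submission_id` and `entrypoint` fields of Ray's job list output, but the values are constructed, and the pattern list is illustrative rather than an official indicator set.

```python
import re
from dataclasses import dataclass

# Indicator patterns drawn from the campaign description above (illustrative,
# not an official IoC list): callback-based discovery via interact.sh, payload
# hosting on GitLab/GitHub, GPU probing with nvidia-smi, cross-node spreading
# via NodeAffinitySchedulingStrategy, and inline Python stagers.
INDICATORS = {
    "oob_callback": re.compile(r"interact\.sh", re.I),
    "code_host_fetch": re.compile(r"(gitlab\.com|github\.com|githubusercontent\.com)/\S+", re.I),
    "gpu_probe": re.compile(r"\bnvidia-smi\b"),
    "node_spread": re.compile(r"NodeAffinitySchedulingStrategy"),
    "inline_python": re.compile(r"python\d?\s+-c\s", re.I),
}

@dataclass
class Finding:
    submission_id: str
    indicators: list

def job_text(job: dict) -> str:
    """Concatenate the fields of a job record worth inspecting.

    `entrypoint` and `submission_id` are fields of Ray's job list output;
    `runtime_env` may carry env vars or package lists. Missing keys are tolerated.
    """
    return "\n".join([str(job.get("entrypoint", "")), str(job.get("runtime_env", ""))])

def audit_jobs(jobs: list) -> list:
    """Return one Finding per job whose inspected fields match any indicator."""
    findings = []
    for job in jobs:
        text = job_text(job)
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append(Finding(job.get("submission_id", "?"), hits))
    return findings

# Constructed sample records (shape modelled on the Jobs API; values invented).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_A1", "entrypoint": "python train.py --epochs 3", "runtime_env": {}},
    {"submission_id": "raysubmit_B2",
     "entrypoint": "nvidia-smi -L; curl -s http://PLACEHOLDER.interact.sh", "runtime_env": {}},
    {"submission_id": "raysubmit_C3", "entrypoint": "python stage2.py",
     "runtime_env": {"env_vars": {"SRC": "https://gitlab.com/PLACEHOLDER/raw/main/loader.py"}}},
]

if __name__ == "__main__":
    for f in audit_jobs(SAMPLE_JOBS):
        print(f.submission_id, ",".join(f.indicators))
```

In practice the input would be the JSON returned by the dashboard's job list endpoint, and any hit on a cluster that should only receive jobs from a known CI pipeline is worth treating as an incident rather than a false positive.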
Oligo said the attackers initially used GitLab to host region‑aware malware and that GitLab removed the account on November 5; the operation then moved to GitHub on November 10 and GitHub blocked one account on November 17, after which new accounts appeared and activity resumed. The researchers characterized the campaign as automated because of its speed and resilience.