ComfyUI Servers Under Active Botnet Attack Campaign
Security researchers have identified an ongoing campaign targeting ComfyUI, a widely-used stable diffusion platform for AI image generation, to build a cryptocurrency mining and proxy botnet. The attack leverages internet-exposed ComfyUI instances running on cloud infrastructure to automatically install malicious components through the platform's built-in ComfyUI-Manager extension system.
The campaign employs a sophisticated Python-based scanner that continuously sweeps major cloud provider IP ranges, specifically hunting for vulnerable ComfyUI installations. Once a target is identified, the automated system exploits the ComfyUI-Manager's node installation functionality to deploy malicious payloads without requiring authentication or user interaction. This approach allows attackers to rapidly scale their botnet operations across cloud environments.
ComfyUI has gained significant popularity among AI developers and researchers as an open-source platform for creating stable diffusion workflows. The platform's modular architecture allows users to install custom nodes through ComfyUI-Manager, which provides access to community-developed extensions and tools. However, this extensibility has become a vector for abuse when instances are left exposed to the internet without proper security controls.
The attack timeline suggests this campaign has been active for several weeks, with the Python scanner demonstrating advanced capabilities for target identification and payload deployment. The malicious infrastructure appears designed for long-term persistence, indicating this isn't an opportunistic attack but rather a coordinated effort to build a substantial botnet network leveraging AI computing resources.
Security analysts note that the campaign specifically targets cloud-hosted instances, likely due to their higher computational power and network bandwidth compared to personal installations. The attackers appear to have detailed knowledge of ComfyUI's architecture and the ComfyUI-Manager extension system, suggesting either insider knowledge or extensive reconnaissance of the platform's codebase and deployment patterns.
Cloud-Hosted ComfyUI Instances at Primary Risk
The campaign primarily affects organizations and individuals running ComfyUI instances on public cloud infrastructure with internet-accessible endpoints. This includes AI research labs, creative studios, and individual developers who have deployed ComfyUI on platforms like Amazon Web Services, Google Cloud Platform, Microsoft Azure, and other major cloud providers without implementing proper network security controls.
Particularly vulnerable are default ComfyUI installations that expose the web interface on standard ports without authentication mechanisms. Many users deploy ComfyUI for experimentation or development purposes and inadvertently leave these instances accessible from the internet. The platform's default configuration doesn't enforce authentication, making it trivial for automated scanners to identify and compromise exposed installations.
Organizations running ComfyUI in containerized environments, such as Docker deployments or Kubernetes clusters, face additional risk if their container orchestration platforms have misconfigured network policies. The Python scanner appears capable of identifying ComfyUI instances regardless of the underlying deployment method, focusing on the application layer rather than infrastructure-specific vulnerabilities.
The impact extends beyond direct computational theft, as compromised instances become part of a larger botnet infrastructure used for cryptocurrency mining and proxy operations. This means affected organizations may unknowingly participate in illegal activities or face increased cloud computing costs due to unauthorized resource consumption. Additionally, the proxy functionality could potentially expose organizations to legal liability if their compromised instances are used for malicious traffic routing.
Immediate Steps to Secure ComfyUI Deployments
Organizations running ComfyUI instances must immediately implement network-level access controls to prevent unauthorized access. The most effective immediate mitigation is to restrict access to ComfyUI web interfaces using firewall rules, VPN connections, or cloud provider security groups. Administrators should configure their cloud security groups to allow access only from trusted IP addresses or internal network ranges, completely blocking public internet access to ComfyUI ports.
For existing deployments, administrators should audit their ComfyUI-Manager installations for any suspicious or unauthorized nodes. The ComfyUI-Manager interface provides a list of installed custom nodes that should be reviewed against known legitimate extensions. Any unrecognized or recently installed nodes should be immediately removed and the instance should be considered potentially compromised. A complete reinstallation may be necessary for instances showing signs of compromise.
To prevent future attacks, organizations should implement authentication mechanisms for ComfyUI access, even though the platform doesn't provide built-in authentication. This can be achieved through reverse proxy configurations using tools like Nginx or Apache with HTTP basic authentication, or by deploying ComfyUI behind a VPN or bastion host architecture. Cloud providers also offer application-level security services that can add authentication layers to web applications.
Network monitoring should be implemented to detect unusual outbound traffic patterns that might indicate cryptocurrency mining or proxy activities. Administrators should monitor for unexpected network connections to mining pools, unusual CPU utilization patterns, or bandwidth consumption that exceeds normal ComfyUI operation parameters. CISA's Known Exploited Vulnerabilities catalog should be regularly consulted for any new vulnerabilities affecting AI platforms and related infrastructure components.
