Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

A widespread campaign is actively scanning and compromising internet-exposed instances of ComfyUI, a platform for Stable Diffusion, to enlist them into a cryptocurrency mining and proxy botnet. The attackers deploy a Python-based scanner to identify vulnerable targets across major cloud IP ranges and automatically install malicious nodes where possible.
What happened
Researchers identified an ongoing malicious campaign targeting exposed ComfyUI instances accessible over the internet. Attackers use a custom Python scanner to search major cloud IP ranges for vulnerable systems running ComfyUI. When an exploitable instance is found, the campaign automatically deploys malicious nodes via ComfyUI-Manager to integrate these systems into a cryptomining and proxy botnet.
Why it matters
The compromise of ComfyUI instances can lead to unauthorized resource usage for cryptomining and increased proxy capabilities for attackers, imposing operational and security risks for affected systems. The automated nature of this campaign highlights vulnerabilities in cloud-exposed platforms that can be targeted at scale.
Key technical details
The attackers use a purpose-built Python scanner to continuously sweep large cloud IP ranges for exposed ComfyUI instances. If no pre-existing malicious node is found on a target, the scanner automatically installs a new one through ComfyUI-Manager, which turns the host into a node of the cryptocurrency mining and proxy botnet.
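The following Python example is added here and is not taken from the report or the ComfyUI project. It audits a ComfyUI `custom_nodes` directory for nodes that are outside an operator-maintained allowlist or that changed after a baseline time, which is the trace an unwanted ComfyUI-Manager install would leave. The loader skip rules, the allowlist and every node name are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

def latest_mtime(path):
    """Newest modification time of any file under a node (or of the file itself)."""
    files = [path] if path.is_file() else [p for p in path.rglob("*") if p.is_file()]
    return max((f.stat().st_mtime for f in files), default=path.stat().st_mtime)

def loadable_nodes(custom_nodes_dir):
    """Map each entry ComfyUI is assumed to import (package dir or .py file) to its mtime."""
    nodes = {}
    for entry in Path(custom_nodes_dir).iterdir():
        if entry.name == "__pycache__" or entry.name.endswith(".disabled"):
            continue  # assumed to be skipped by the loader
        if entry.is_file() and entry.suffix != ".py":
            continue  # stray non-Python files are not loaded as nodes
        nodes[entry.name] = latest_mtime(entry)
    return nodes

def audit_custom_nodes(custom_nodes_dir, approved, baseline_time):
    """Report nodes outside the allowlist, and approved nodes changed after the baseline."""
    findings = []
    for name, mtime in sorted(loadable_nodes(custom_nodes_dir).items()):
        if name not in approved:
            findings.append((name, "not in allowlist"))
        elif mtime > baseline_time:
            findings.append((name, "modified since baseline"))
    return findings

def build_sample_tree(root):
    """Constructed sample layout; every node name here is invented."""
    for name, mtime in (("approved-node", 1000), ("changed-node", 5000), ("unknown-node", 6000)):
        pkg = Path(root, name)
        pkg.mkdir()
        init = pkg / "__init__.py"
        init.write_text("# placeholder\n")
        os.utime(init, (mtime, mtime))
    Path(root, "old-node.disabled").mkdir()
    Path(root, "notes.txt").write_text("not a node\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, reason in audit_custom_nodes(tmp, {"approved-node", "changed-node"}, 2000):
            print(f"{name}: {reason}")
```

Run against a real install, the allowlist and baseline time would come from the operator's own deployment record; file modification times can be altered, so a finding is a prompt for review rather than proof either way.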
Affected organizations/products
Internet-exposed instances running the ComfyUI platform on major cloud IP ranges.
Source attribution
https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html