
Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure (Campaign)

ID: 23fcbedb-e253-520d-9eee-b1defacef1e3

STIX ID: report--23fcbedb-e253-520d-9eee-b1defacef1e3

Feed Name: Wiz Cloud Threat Landscape

Threat Score
78/100

Date Published: 2025-11-19

Date Updated: 2026-05-01

Author: [email protected] (Wiz Threat Research)

...
...

ShadowRay 2.0 is an active, global cryptomining campaign that targets Ray clusters whose dashboards and Jobs APIs are exposed without authentication (abusing the behavior tracked as CVE-2023-48022). Attackers confirm exposed instances via out-of-band callbacks, submit multi-stage Bash/Python Ray jobs to obtain remote code execution, use Ray's NodeAffinitySchedulingStrategy to push malicious jobs laterally across cluster nodes, and deploy GPU-optimized miners (XMRig, Rigel) that use process masquerading and resource throttling to evade detection. The campaign also installs persistent cron/systemd tasks, adds SSH backdoors, exfiltrates MySQL credentials, cloud tokens, models and datasets, kills competing miners, blocks rival mining pools, and repurposes compromised clusters to scan for and infect further Ray instances, so that it effectively behaves like a worm.
