Hackers Are Attempting to Turn ComfyUI Servers Into a Cryptomining Proxy Botnet

ID: 85a987ca-1545-549c-ab48-f748837546be

STIX ID: report--85a987ca-1545-549c-ab48-f748837546be

Feed Name: Censys Blog

Threat Score
75/100

Date Published: 2026-04-06

Date Updated: 2026-04-27

Censys ARC discovered an active campaign exploiting unauthenticated ComfyUI custom-node functionality to achieve RCE on Internet-exposed instances, automatically installing a multi-component toolkit (ghost.sh, XMRig, lolMiner, hyst.sh) that implements advanced evasion (memfd_create fileless execution, LD_PRELOAD rootkit), multi-mechanism persistence and re-infection, and central management via a Flask C2 for cryptomining and a Hysteria v2 proxy botnet; the report includes exploitation tooling, payloads, IoCs (file hashes, IPs, cert), and operational details.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.