Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

Medium
Published: Fri Jun 13 2025 (06/13/2025, 07:48:35 UTC)
Source: AlienVault OTX General

Description

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infected nearly 700 devices globally. The malware is hosted on Rubick.ai, an AI e-commerce platform serving major brands, posing significant supply chain risks. Pickai employs various obfuscation methods, including string encryption, process disguise, and multiple persistence mechanisms. Its network communication uses a three-tier timing strategy for C2 communication and device information reporting.

AI-Powered Analysis

Last updated: 06/13/2025, 08:34:46 UTC

Technical Analysis

Pickai is a sophisticated backdoor malware developed in C++ that exploits vulnerabilities in ComfyUI, a user interface framework used in AI applications. The malware enables remote command execution and reverse shell capabilities, allowing attackers to gain persistent and stealthy control over infected systems. Pickai employs multiple advanced evasion and persistence techniques, including string encryption to obfuscate its code, process disguise to avoid detection by security tools, and multiple mechanisms to maintain persistence across system reboots. It communicates with its command and control (C2) infrastructure using a three-tier timing strategy, which helps evade network-based detection by varying communication intervals. The malware uses multiple C2 servers for redundancy, ensuring continued control even if some servers are taken down. Notably, Pickai has infected nearly 700 devices globally and is hosted on Rubick.ai, an AI e-commerce platform that serves major brands, indicating a significant supply chain risk. This supply chain vector could allow the malware to spread widely through trusted AI software components or updates. The malware's primary objective appears to be the theft of sensitive AI data, which could include proprietary models, training data, or intellectual property. Indicators of compromise include several file hashes, IP addresses, and URLs linked to the malware’s infrastructure. Despite the lack of a specific CVE or known exploits in the wild, the malware’s capabilities and infection scale suggest a well-developed threat targeting AI ecosystems through ComfyUI vulnerabilities.

Potential Impact

For European organizations, especially those involved in AI development, research, or deployment, Pickai poses a significant risk. The theft of sensitive AI data can lead to intellectual property loss, competitive disadvantage, and potential regulatory penalties under GDPR if personal data is involved. The malware’s persistence and evasion techniques make detection and removal challenging, increasing the risk of prolonged unauthorized access. The supply chain aspect, involving Rubick.ai, raises concerns for companies relying on AI e-commerce platforms or third-party AI components, as infections could propagate through trusted software updates or integrations. Additionally, the remote command execution and reverse shell capabilities could allow attackers to pivot within networks, escalate privileges, and disrupt AI services or broader IT infrastructure. This could impact availability and integrity of AI systems critical for business operations. The infection of nearly 700 devices globally indicates a non-trivial spread, suggesting that European organizations using ComfyUI or related AI tools could be targeted or collateral victims. The malware’s use of multiple C2 servers and obfuscation complicates incident response and forensic analysis.

Mitigation Recommendations

1. Conduct immediate vulnerability assessments on all systems running ComfyUI or related AI UI frameworks to identify potential exposure.
2. Implement strict network segmentation and monitoring for AI development environments to limit lateral movement if infection occurs.
3. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting obfuscation techniques such as string encryption and process disguise.
4. Monitor network traffic for anomalous patterns consistent with three-tier timing strategies and communications to known C2 IPs and URLs associated with Pickai.
5. Validate and verify the integrity of AI software components and updates sourced from Rubick.ai or similar platforms, employing cryptographic signatures and supply chain security best practices.
6. Establish incident response playbooks specific to AI infrastructure compromises, including rapid isolation and forensic analysis of affected systems.
7. Educate AI development and IT teams about the risks of supply chain attacks and the importance of secure coding and update practices.
8. Regularly update and patch ComfyUI and related dependencies as vendors release fixes. Although no specific patches are currently listed, maintain vigilance for future advisories.
9. Utilize threat intelligence feeds to stay updated on new indicators of compromise related to Pickai and integrate them into security monitoring tools.
10. Consider implementing application allowlisting and restricting execution of unauthorized binaries in AI environments to reduce infection risk.
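For recommendation 4, one way to look for tiered beaconing in flow logs, as an added example that is not part of the original advisory: it groups connections per source/destination pair and flags pairs whose inter-arrival gaps fall almost entirely into a few repeated intervals. The advisory does not state Pickai's actual intervals, so the 30 s / 300 s / 1800 s tiers, the addresses (documentation ranges) and the thresholds below are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def interval_tiers(timestamps, tolerance=0.15, min_hits=4):
    """Cluster inter-arrival gaps; return [(median_gap_s, count)] for repeated gaps."""
    ts = sorted(timestamps)
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]) if b > a)
    tiers, group = [], []
    for g in gaps:
        # Start a new cluster once a gap exceeds the cluster's smallest gap by > tolerance.
        if group and g > group[0] * (1 + tolerance):
            if len(group) >= min_hits:
                tiers.append((median(group), len(group)))
            group = []
        group.append(g)
    if len(group) >= min_hits:
        tiers.append((median(group), len(group)))
    return tiers

def find_beacons(flows, coverage=0.8, **kw):
    """flows: (epoch_s, src, dst, dport). Flag pairs whose gaps are mostly periodic."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(t)
    flagged = {}
    for pair, ts in by_pair.items():
        tiers = interval_tiers(ts, **kw)
        periodic = sum(n for _, n in tiers)
        if tiers and periodic >= coverage * (len(ts) - 1):
            flagged[pair] = tiers
    return flagged

def sample_flows():
    """Constructed flow records; addresses and intervals are invented for the demo."""
    flows, t = [], 1_750_000_000
    for gap, count in ((30, 6), (300, 6), (1800, 6)):   # host with three timing tiers
        for i in range(count):
            t += gap + (i % 3) - 1                      # +/- 1 s jitter
            flows.append((t, "10.0.0.5", "203.0.113.10", 443))
    t = 1_750_000_000
    for gap in (3, 47, 210, 9, 1300, 75, 18, 640, 5, 95):  # irregular interactive traffic
        t += gap
        flows.append((t, "10.0.0.7", "198.51.100.20", 443))
    return flows

if __name__ == "__main__":
    for pair, tiers in find_beacons(sample_flows()).items():
        print(pair, [(round(m), n) for m, n in tiers])
```

On real data, tune `tolerance`, `min_hits` and `coverage` against known-benign periodic traffic (NTP, update checks, monitoring agents) before alerting on the result.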


Technical Details

Author: AlienVault
TLP: white
References: https://blog.xlab.qianxin.com/pickai_backdoor_exploits_comfyui-is-your-ai-at-risk_cn/
Adversary: null
Pulse Id: 684bd7d3b9ea8f2eadcc407c
Threat Score: null

Indicators of Compromise

URL

http://78.47.151.49:8878/wp-content/x64
https://rubick.ai/wp-content/config.json
https://rubick.ai/wp-content/tmux.conf
https://rubick.ai/wp-content/vim.json

Threat ID: 684bdf0ca8c9212743803700

Added to database: 6/13/2025, 8:19:24 AM

Last enriched: 6/13/2025, 8:34:46 AM

Last updated: 6/16/2025, 3:52:21 AM
