ShadowRay 2.0 represents an advanced persistent threat campaign targeting the Ray AI framework, a popular distributed computing framework used for AI workloads. The attackers exploit CVE-2023-48022, a vulnerability that allows unauthorized control over exposed Ray clusters. By compromising these clusters, the adversaries convert them into nodes of a self-replicating botnet capable of multiple malicious functions. The campaign uses GitLab and GitHub repositories to deliver payloads, employing AI-generated code to continuously evolve and evade detection. Initially, the botnet focused on cryptojacking using tools like XMRig, but it has since expanded capabilities to include distributed denial-of-service (DDoS) attacks, data exfiltration, and network reconnaissance. The attackers utilize DevOps-style infrastructure, enabling real-time updates and modular malware deployment, which complicates traditional detection and response efforts. The campaign is attributed to the threat actor group IronErn440. Indicators of compromise include multiple CVEs (CVE-2023-48022, CVE-2024-50050, CVE-2025-49596), various malicious file hashes, IP addresses, and domains. The threat underscores the growing risks associated with AI infrastructure and the need for robust security controls around AI workloads and their orchestration environments. Although no confirmed public exploits are reported, the active campaign and available indicators suggest imminent risk to organizations running vulnerable Ray clusters.

For European organizations, the ShadowRay 2.0 campaign poses significant risks due to the increasing adoption of AI and distributed computing frameworks like Ray. Compromise of AI clusters can lead to unauthorized resource consumption (cryptojacking), disruption of services through DDoS attacks, and leakage of sensitive data processed or stored within these environments. The self-propagating nature of the botnet increases the likelihood of rapid lateral movement and widespread infection within enterprise networks. Organizations relying on AI workloads for critical business functions or research may face operational downtime, reputational damage, and regulatory consequences under GDPR if personal data is exfiltrated. The use of DevOps pipelines for malware updates further complicates incident response and containment. Additionally, the campaign's use of legitimate platforms (GitHub, GitLab) for payload delivery may bypass traditional security controls, increasing the risk of successful compromise. The evolving sophistication of the threat actor and their ability to adapt AI-generated code means that static defenses may be insufficient, requiring continuous monitoring and proactive threat hunting.

1. Immediately audit all Ray AI framework deployments to identify exposed clusters and restrict access to trusted networks only, using network segmentation and firewall rules. 2. Monitor DevOps pipelines and repositories (GitHub, GitLab) for unauthorized or suspicious activity, including unexpected code commits or pipeline executions. 3. Implement strict access controls and multi-factor authentication (MFA) for all infrastructure and code repositories involved in AI workloads. 4. Deploy runtime security monitoring on AI clusters to detect anomalous behaviors such as unusual network traffic, process spawning, or cryptomining activity. 5. Establish robust logging and alerting mechanisms focused on the indicators of compromise provided (hashes, IPs, domains). 6. Prepare incident response plans specifically addressing AI infrastructure compromise scenarios, including containment and eradication procedures. 7. Engage with vendors and security communities to track patch releases for CVE-2023-48022 and related vulnerabilities (CVE-2024-50050, CVE-2025-49596) and apply them promptly. 8. Conduct regular threat hunting exercises focusing on lateral movement techniques and persistence mechanisms used by the botnet. 9. Educate DevOps and AI teams about the risks of using public code repositories for payload delivery and enforce code review policies. 10. Consider deploying deception technologies or honeypots mimicking Ray clusters to detect early intrusion attempts.