
ShadowRay 2.0 Exploits Ray Vulnerability to Hijack AI Clusters

A new ShadowRay 2.0 campaign is abusing a Ray vulnerability to seize control of AI infrastructure worldwide.

Written By
Ken Underhill
Nov 19, 2025

Security researchers have identified a rapidly escalating global campaign that leverages a known flaw in Ray, an open-source framework used extensively for distributed AI and high-performance computing. 

Oligo security researchers first detected the activity in early November 2025 after discovering that the attackers were distributing region-specific malware through GitLab repositories. 

This new wave reflects a major evolution from the original ShadowRay activity first observed in March 2024, demonstrating increased sophistication and operational agility among the threat actors.

Scale of the Attack

Researchers also highlighted the scale of exposure, noting that “… there are now more than 230,000 Ray servers exposed to the internet, in contrast to the few thousand we observed during our initial ShadowRay discovery.”

The latest attack, known as ShadowRay 2.0, exploits vulnerability CVE-2023-48022 to compromise large-scale AI clusters and covertly convert them into cryptocurrency mining infrastructure. 

The threat group behind the campaign, operating under the name IronErn440, has transformed Ray’s legitimate orchestration capabilities into mechanisms for large-scale, self-propagating exploitation. 

Following GitLab’s removal of the malicious repository on Nov. 5, the attackers quickly migrated operations to GitHub, where the campaign continued uninterrupted.

How the ShadowRay 2.0 Attack Works

The campaign unfolds in several coordinated stages beginning with reconnaissance. 

Threat actors employ interact.sh, an out-of-band interaction platform, to identify vulnerable Ray instances without performing noisy scans that might trigger intrusion detection systems.

Attackers then target Ray’s unauthenticated Jobs API, which allows them to trigger callbacks from exposed Ray dashboards and confirm which servers can be compromised.

Once identified, vulnerable servers receive malicious tasks submitted directly through Ray’s orchestration mechanisms. 

These tasks include Python scripts designed to enumerate cluster resources, allocate computing power to malicious workloads, and deploy cryptocurrency miners built to blend into legitimate system processes. 

Notably, the miners typically use approximately 60% of available CPU and GPU resources, an intentional threshold that maximizes mining efficiency while lowering the risk of detection by administrators monitoring resource spikes.

Attackers use Ray’s NodeAffinitySchedulingStrategy to propagate malware across an entire cluster. 

A sample payload observed by researchers downloads and executes an installation script, enumerates active nodes, and deploys additional malicious components to each system.

Persistence is established through cron jobs, systemd service hijacking, and SSH key injection into privileged accounts.

Inside the Campaign’s Stealth Techniques

ShadowRay 2.0 demonstrates advanced evasion techniques. To obscure their presence, malicious processes are renamed to resemble legitimate kernel workers, such as [kworker/0:0], and DNS-related services.
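A detection sketch for the kernel-worker disguise described above, added here as an example and not taken from the researchers' report. It relies on the fact that genuine Linux kernel threads carry the PF_KTHREAD bit in the flags field of /proc/<pid>/stat and have an empty cmdline; the name-prefix list and all sample records are constructed assumptions.

```python
import os
import re

PF_KTHREAD = 0x00200000  # kernel-thread bit in the flags field of /proc/<pid>/stat
# Common kernel-thread name prefixes (a heuristic list, not exhaustive).
KNAME = re.compile(r"^(kworker/|ksoftirqd/|migration/|kswapd|rcu_|kthreadd$)")

def parse_stat(stat_text):
    """Return (comm, ppid, flags). comm may contain spaces or ')', so split on the last ')'."""
    head, _, tail = stat_text.rpartition(")")
    fields = tail.split()
    return head.split("(", 1)[1], int(fields[1]), int(fields[6])

def is_masquerading(stat_text, cmdline):
    """True when a userland process presents itself under a kernel-thread name."""
    comm, _ppid, flags = parse_stat(stat_text)
    if flags & PF_KTHREAD:
        return False  # genuine kernel thread
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace").strip()
    bracketed = argv0.startswith("[") and argv0.endswith("]")
    return bracketed or bool(KNAME.match(comm))

def scan_proc(proc="/proc"):
    """Scan a live Linux /proc and return (pid, comm, exe) for each suspect process."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/stat", errors="replace") as f:
                stat_text = f.read()
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            if is_masquerading(stat_text, cmdline):
                try:
                    exe = os.readlink(f"{proc}/{pid}/exe")
                except OSError:
                    exe = "?"
                hits.append((int(pid), parse_stat(stat_text)[0], exe))
        except OSError:
            continue  # process exited mid-scan or access denied
    return hits

# Constructed samples: stat lines truncated after the flags field.
REAL_KTHREAD = ("57 (kworker/0:0) I 2 0 0 0 -1 69238880", b"")
FAKE_ARGV = ("4123 (dns-filter) S 1 4123 4123 0 -1 4194304", b"[kworker/0:0]\0")
FAKE_COMM = ("4200 (kworker/1:2) R 1 4200 4200 0 -1 4194560", b"/tmp/x\0")
ODD_NAME = ("900 (tmux: server (1)) S 1 900 900 0 -1 4194304", b"tmux\0new\0")

if __name__ == "__main__":
    for pid, comm, exe in scan_proc():
        print(f"suspect pid={pid} comm={comm} exe={exe}")
```

Some legitimate daemons rewrite their process title with brackets, so treat a hit as a lead to check against the exe path rather than a verdict.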

The attackers also engage in cryptojacking warfare, installing scripts that detect and terminate other miners on the same host. 

They further block competing mining pools by modifying hosts files and applying iptables rules to prevent rivals from reclaiming compromised infrastructure.

The operation also includes regional customization. 

Victims in China receive payloads delivered through proxy mechanisms tailored to circumvent local network controls. 

Geolocation checks via services such as ip-api[.]com allow attackers to adjust their infection scripts depending on where the compromised server resides. 

This level of adaptation suggests a mature operational strategy influenced by infrastructure-as-code (IaC) principles, in which payload updates are managed through incremental GitLab commits rather than redeployment to victim machines.

Key Mitigations to Block ShadowRay-Style Threats

To defend against ShadowRay 2.0 and similar attacks, organizations need to take a layered and proactive approach to securing their AI infrastructure. 

Because Ray clusters often operate with broad privileges and high compute capacity, even a single misconfiguration can create a significant entry point for threat actors.

  • Patch and secure Ray deployments by updating to fixed versions, enabling authentication for dashboards and APIs, and disabling unused components.
  • Restrict exposure of Ray endpoints by placing them behind firewalls or zero-trust access controls and removing public internet access wherever possible.
  • Harden CI/CD and compute nodes with least-privilege permissions, RBAC, and container isolation to limit lateral movement and privilege abuse.
  • Monitor cluster behavior continuously, including CPU/GPU anomalies, suspicious subprocess execution, unauthorized cron/systemd changes, and unexpected SSH key additions.
  • Limit network egress from Ray nodes and CI environments to block miner connections, command-and-control traffic, and data exfiltration.
  • Protect development and repository workflows with signed commits, branch protections, and safeguards against supply-chain poisoning.
  • Adopt ephemeral and resilient infrastructure practices, such as auto-reimaging compute nodes and rotating credentials regularly, to reduce the persistence window for attackers.
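One way to implement the monitoring item above for unauthorized cron/systemd changes and unexpected SSH key additions is a baseline-and-diff over those locations. This is an added example, not code from the article or from Ray; the watched paths are assumed typical Linux locations and should be adjusted per host.

```python
import hashlib
import os

# Assumed typical Linux locations for the persistence methods the article names
# (cron jobs, systemd units, SSH authorized_keys); adjust per distribution.
WATCH_PATHS = [
    "/etc/crontab", "/etc/cron.d", "/var/spool/cron",
    "/etc/systemd/system", "/usr/lib/systemd/system",
    "/root/.ssh/authorized_keys",
]

def _files(path):
    """Yield the path itself if it is a file, otherwise every file beneath it."""
    if os.path.isfile(path):
        yield path
        return
    for root, _dirs, names in os.walk(path):
        for name in names:
            yield os.path.join(root, name)

def snapshot(paths=WATCH_PATHS):
    """Map each watched file to a fingerprint: SHA-256 of content, or the link target."""
    state = {}
    for path in paths:
        for f in _files(path):
            try:
                if os.path.islink(f):
                    # systemd enablement is done with symlinks, so track the target
                    state[f] = "link:" + os.readlink(f)
                else:
                    with open(f, "rb") as fh:
                        state[f] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or removed mid-scan
    return state

def diff(baseline, current):
    """Report files added, removed or changed since the baseline snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }
```

Take the baseline from a known-good node image and keep it off the host, so an intruder with root on the node cannot rewrite it.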

Building layers of defense around orchestration tools, development workflows, and compute infrastructure helps ensure that a single misconfiguration does not become a systemic failure point. 

The Rising Security Risks in AI Infrastructure

ShadowRay 2.0 illustrates the growing convergence between AI infrastructure and cybercrime. 

By exploiting a single flaw, attackers can commandeer powerful distributed computing clusters and repurpose them at scale for illicit operations. 

As AI workloads continue to grow in complexity and resource intensity, securing orchestration tools like Ray is essential to preventing widespread misuse and protecting the broader ecosystem.

These challenges highlight why organizations are turning to zero-trust to reduce implicit trust across their AI environments.
