Cyber Web Spider Blog – News
Hackers Exploit ComfyUI 700+ AI Image Generation Servers to Deploy Malware

Posted on June 20, 2025 (updated June 21, 2025) by CWS

A sophisticated malware campaign targeting ComfyUI, a popular AI image generation framework, has compromised at least 695 servers worldwide, security researchers have discovered.

The attack represents a significant escalation in threats against AI infrastructure, exploiting vulnerabilities in ComfyUI to deploy a lightweight but highly persistent backdoor dubbed "Pickai."

The campaign first emerged in February 2025, when an early version of the malware was uploaded to VirusTotal from Hong Kong, but the full scope of the operation became apparent in March, when suspicious activity was detected across multiple geographic regions.

The attackers have demonstrated remarkable persistence and sophistication, using compromised infrastructure including the official website of Rubick.ai, a commercial AI platform serving over 200 major retail brands including Amazon, Myntra, and Hudson Bay.

XLab analysts identified the malware through their Cyber Threat Insight and Analysis System on March 17, 2025, when they flagged suspicious behavior from IP address 185.189.149.151.

The researchers found that the attackers were leveraging ComfyUI vulnerabilities to distribute ELF executables disguised as configuration files, including config.json, tmux.conf, and vim.json.

The malware's name "Pickai" reflects its core functionality of stealing sensitive AI-related data, operating as a digital pickpocket inside AI development environments.

The global impact of this campaign extends far beyond individual server compromises, with infected systems concentrated primarily in Germany, the United States, and China.

Security researchers obtained partial visibility into the botnet by registering an unclaimed command-and-control domain, revealing traffic spikes exceeding 400 daily active installations during periods when the primary C2 servers failed.

Advanced Persistence Mechanisms Ensure Long-Term Compromise

The Pickai malware employs an unusually robust persistence strategy that sets it apart from typical backdoors.

When running with root privileges, the malware creates five separate copies of itself across different system directories, each with a modification timestamp synchronized to that of /bin/sh so the copies blend in with legitimate system files.

These copies are strategically placed in locations such as /usr/bin/auditlogd, /usr/sbin/hwstats, /sbin/dmesglog, /var/lib/autoupd, and /var/run/healthmon, masquerading as legitimate system services.

Network Communication (Source – XLab)

Each copy implements dual persistence mechanisms using both init.d and systemd service frameworks, creating a total of ten different services for root-level infections.

The malware deliberately appends random data to each file copy, ensuring that hash-based detection systems encounter a different MD5 signature for what is essentially the same malicious payload.

For non-root users, Pickai maintains five persistence points using systemd services in user-space directories, demonstrating its adaptability across different privilege levels.

This redundant approach means that an incomplete removal attempt will trigger automatic reinfection, making the malware particularly difficult to eradicate from compromised systems.
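The persistence traits above translate directly into host triage checks. The following is an added example, not XLab's or the article's tooling: it looks for the five reported drop paths under a given filesystem root, flags any whose mtime has been synchronised to the reference binary (/bin/sh in the article), and groups present files by a digest of their leading bytes so copies that differ only in appended random padding are still recognised as one payload. The `root` parameter, the 4096-byte prefix length and the result layout are this example's own assumptions.

```python
"""Host triage for the Pickai persistence pattern (added example)."""
import hashlib
import os
from collections import defaultdict
from typing import Dict, List

# Root-level drop locations reported in the article.
PICKAI_PATHS = [
    "/usr/bin/auditlogd", "/usr/sbin/hwstats", "/sbin/dmesglog",
    "/var/lib/autoupd", "/var/run/healthmon",
]


def prefix_digest(path: str, length: int = 4096) -> str:
    """SHA-256 of the first `length` bytes of a file. Random data appended
    after the payload does not change this, unlike a whole-file MD5."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(length))
    return h.hexdigest()


def triage(root: str = "/", reference: str = "/bin/sh",
           paths: List[str] = PICKAI_PATHS) -> Dict[str, object]:
    """Report which drop paths exist under `root`, which of them share the
    reference binary's exact mtime, and which form clone groups."""
    ref_mtime = os.stat(os.path.join(root, reference.lstrip("/"))).st_mtime_ns
    present: List[str] = []
    mtime_match: List[str] = []
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.isfile(full):
            continue
        present.append(p)
        if os.stat(full).st_mtime_ns == ref_mtime:
            mtime_match.append(p)  # timestamp cloned from the reference
        groups[prefix_digest(full)].append(p)
    # Only digests shared by more than one file indicate padded clones.
    clones = {d: ps for d, ps in groups.items() if len(ps) > 1}
    return {"present": present, "mtime_match": mtime_match, "clones": clones}


if __name__ == "__main__":
    result = triage()
    print(f"present={result['present']} mtime_match={result['mtime_match']}")
    for digest, members in result["clones"].items():
        print(f"clone group {digest[:12]}: {members}")
```

Run it against a live host or a mounted image root; any mtime match or clone group on these paths warrants pulling the matching init.d and systemd units before remediation, since the article notes that partial removal triggers reinfection.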

