Hackers Compromise 700+ ComfyUI AI Image Generation Servers to Distribute Malware

Security researchers have uncovered that threat actors have compromised more than 700 servers running ComfyUI, a popular open-source AI image generation framework.

The attackers leveraged multiple high-risk vulnerabilities in ComfyUI to deploy a sophisticated backdoor, named “Pickai,” with the primary intent to establish persistent remote access and exfiltrate sensitive data from both AI infrastructure and supply chain partners.

The campaign highlights the growing security risks within AI development ecosystems and the potential for rapid supply chain propagation of malware.

Malware Campaign Targets AI Supply Chain

XLab’s Cyber Threat Insight and Analysis System (CTIA) identified suspicious activity emanating from IP 185.189.149.151.

Threat actors were observed distributing ELF executables masquerading as benign configuration files (such as config.json and vim.json), which, upon inspection, were confirmed as Pickai backdoor payloads.

China’s National Cybersecurity Notification Center soon issued an urgent bulletin warning of ongoing attacks exploiting ComfyUI’s vulnerabilities, underscoring the global impact and advanced nature of the campaign.

Pickai is a lightweight yet potent C++ backdoor designed for stealth and resilience. It employs process masquerading, anti-debugging, and variable persistence strategies.

[Figure: ciphertext strings end with 0xAF]

Pickai achieves persistence through creatively named systemd and init.d services (such as auditlogd and hwstats), and by randomly selecting one of 20 plausible process names to blend in with legitimate Linux processes.

The malware also copies itself to multiple locations with appended random data, defeating hash-based detection.
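A defender-side check for the two behaviours described above (ELF binaries disguised as config files, and copies padded with random data), as an added example that is not from XLab or the original article: it flags files with config extensions whose content is a 64-bit little-endian ELF and hashes only the bytes the ELF headers account for, so padded copies share one digest. The extent calculation is a heuristic that assumes the padding sits after the last header-described byte; all function names are hypothetical and the sample ELF is constructed.

```python
import hashlib, os, struct

CONFIG_EXTS = (".json", ".conf")  # extensions of the disguised files named in the article

def elf_extent(data):
    """Bytes accounted for by ELF64 little-endian headers, or None if not such an ELF."""
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        return None
    phoff, shoff = struct.unpack_from("<QQ", data, 32)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", data, 54)
    # Heuristic: the image ends at the furthest header table or segment end.
    end = max(64, phoff + phentsize * phnum, shoff + shentsize * shnum)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + 56 > len(data):
            break  # truncated program header table
        (p_offset,) = struct.unpack_from("<Q", data, base + 8)
        (p_filesz,) = struct.unpack_from("<Q", data, base + 32)
        end = max(end, p_offset + p_filesz)
    return min(end, len(data))

def scan(root):
    """Return sorted (path, core_sha256, trailing_bytes) for ELFs with config extensions."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(CONFIG_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            extent = elf_extent(data)
            if extent is not None:
                # Hash only the header-described image so appended bytes do not matter.
                core = hashlib.sha256(data[:extent]).hexdigest()
                hits.append((path, core, len(data) - extent))
    return sorted(hits)

def make_sample_elf(body=b"constructed-sample-body"):
    """Constructed minimal ELF64 image (header + one PT_LOAD); not a real sample."""
    size = 64 + 56 + len(body)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    return ehdr + phdr + body
```

A non-zero trailing byte count on a hit is itself worth triaging, since legitimate binaries rarely carry data past their section header table.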

Pickai Backdoor Exploits Vulnerabilities in ComfyUI

The command-and-control (C2) infrastructure displays notable redundancy and sophistication. Pickai cycles through a list of hardcoded C2 servers, regularly testing each to maintain uptime.

When a domain was hijacked by researchers, the attackers swiftly migrated to a new domain (historyandresearch.com) with a five-year registration, evidencing a strategic focus on resilience and longevity against takedowns.

Network communications follow a custom protocol: 1024-byte heartbeat, command, and reporting packets, with device fingerprinting (including user privilege and Docker detection) and remote command execution capabilities.

The malware supports shell command execution and opening remote shells for interactive control.

XLab’s analysis showed the majority of observed C2 commands issued reverse shells, though the full attack lifecycle remains under investigation.

A particularly concerning vector emerged when Pickai samples were detected being served from Rubick.ai, an AI-powered platform supporting major global e-commerce brands like Amazon, Myntra, Hudson Bay, and The Luxury Closet.

As Rubick.ai provides upstream catalog and image generation services, its compromise posed a textbook supply chain threat, potentially delivering backdoors to hundreds of downstream enterprise environments.

Despite notification from researchers, Rubick.ai remained unresponsive, exacerbating risks to its extensive customer base.

Pickai’s redundant persistence and code diversity make it challenging to thoroughly eradicate.

Security teams are strongly advised to conduct in-depth forensic reviews, focusing on both file and behavioral IOCs and ensuring every implanted copy is identified and removed.

The campaign demonstrates that as AI becomes more foundational to enterprise operations, its supporting tools and infrastructure will present valuable targets for financially and geopolitically motivated threat actors.

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
