Threat Intelligence Report

Hackers Are Attempting to Turn ComfyUI Servers Into a Cryptomining Proxy Botnet

📅 April 13, 2026 📰 censys.com 🔍 0 CVE(s) referenced

A sophisticated threat actor is actively hijacking Internet-exposed ComfyUI servers by exploiting their custom node ecosystem to deploy persistent, fileless cryptominers and proxy bots, rapidly evolving their toolkit to evade detection, kill competitors, and ensure re-infection, all managed through a central C2 infrastructure.

vendor

🔐 Sign In to Read Full Report

You'll need to accept our Terms of Service to access the platform.

📊 Visual Mindmap

🎯 IOC Extraction

⚔️ MITRE ATT&CK TTPs

📦 STIX 2.1 Bundle