ATLA WIRE

ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

21.11.2025
ShadowRay 2.0 exploits an unpatched Ray flaw to spread cryptomining and DDoS malware across exposed GPU clusters.

ShadowRay 2.0 is exploiting an unpatched vulnerability in Ray—the open-source distributed computing framework—to build a self-spreading botnet that hijacks GPU clusters for cryptomining and DDoS attacks. This isn't just another cryptojacking script; it's a sophisticated, self-replicating threat that automatically propagates across exposed Ray instances.
The malware specifically targets Ray clusters left exposed to the internet without authentication, leveraging the unpatched flaw to gain initial access. Once inside, it deploys multiple payloads: a Monero cryptominer that maxes out GPU resources for profit, and a DDoS module that can be weaponized for coordinated attacks.
What makes ShadowRay 2.0 particularly dangerous is its worm-like capability to scan for and infect other vulnerable Ray instances, creating a rapidly expanding botnet. Security researchers warn that this could lead to widespread resource hijacking across cloud and on-premise GPU clusters, impacting AI/ML workloads, rendering farms, and scientific computing infrastructure.
The attack demonstrates how attackers are increasingly targeting distributed computing frameworks—not just traditional servers—to build massive, resource-rich botnets. Ray's popularity in AI/ML and data processing makes it a high-value target for cryptojacking campaigns.
Organizations using Ray are urged to immediately implement network segmentation, enable authentication, and monitor for unusual GPU activity. Until a patch is available, the primary defense is proper configuration and access controls.
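
As an added example (not from the original article or the Ray project), the following sketch audits a host for the exposure described above: Ray services listening on a non-loopback address. It parses the output of `ss -H -ltn`; the function names are hypothetical, and the port list assumes the cluster runs on Ray's documented default ports.

```python
import ipaddress

# Ray's documented default ports. Assumption: the cluster uses the defaults;
# adjust if they were overridden at start-up. Note 6379 is also the Redis
# default, so confirm the owning process before acting on that finding.
RAY_DEFAULT_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS", 10001: "Ray Client"}

def classify_bind(host):
    """Return 'loopback', 'all-interfaces' or 'single-interface' for a bind address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "single-interface"

def find_exposed_ray_listeners(ss_output, ports=RAY_DEFAULT_PORTS):
    """Parse `ss -H -ltn` output; return Ray listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        try:
            scope = classify_bind(host)
        except ValueError:
            continue  # unparseable address: skip rather than guess
        if scope != "loopback":
            findings.append((int(port), ports[int(port)], host, scope))
    return findings

# Constructed sample of `ss -H -ltn` output, not taken from a real host.
SAMPLE = """\
LISTEN 0 128     0.0.0.0:8265   0.0.0.0:*
LISTEN 0 128   127.0.0.1:6379   0.0.0.0:*
LISTEN 0 4096       [::]:10001     [::]:*
LISTEN 0 128     0.0.0.0:22     0.0.0.0:*
LISTEN 0 128    10.0.0.5:6379   0.0.0.0:*
"""

if __name__ == "__main__":
    for port, role, host, scope in find_exposed_ray_listeners(SAMPLE):
        print(f"Ray {role} on port {port} bound to {host} ({scope})")
```

A "single-interface" finding on a private address still matters here, because the article describes spread from one infected Ray instance to others.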