New botnet hunts exposed AI servers to steal cloud keys

A new botnet is scanning the internet for exposed artificial intelligence servers and cloud consoles, then quietly draining the credentials and model access it finds. Researchers at Xlab, the threat research team at QiAnXin, say the Go based malware folds scanning, exploitation, and credential theft into a single automated platform that spreads without an operator at the keyboard. Because its controller refers to itself as the "n4d mesh controller," Xlab named it NadMesh.

What makes NadMesh notable is not that it spreads like a worm, but what it goes looking for. Alongside the usual internet facing databases and container APIs, it deliberately hunts for the machines that run modern AI stacks, and it treats them as the highest value targets on the network.

What NadMesh is after

NadMesh uses the Shodan search engine to find publicly reachable AI services, including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio installations, and pushes those addresses to the front of its attack queue. Once it lands on a host, it does not care much about the machine itself. It grabs the things that let an attacker pivot into the cloud: AWS access keys, Amazon Bedrock credentials, Kubernetes cluster admin tokens, environment variable secrets, and any AI model endpoints or exploitable tool servers it can reach.

That last category is the striking part. NadMesh specifically enumerates Model Context Protocol (MCP) servers, the connectors that let AI assistants call external tools, and flags ones exposing commands such as execute_sql and execute_shell as exploitable. Where it finds an MCP server it can reach, it abuses the protocol's own tools/call method to run commands on the host, turning an AI integration into a remote code execution foothold.

How it spreads

The malware carries more than 20 exploitation techniques aimed at commonly exposed services, including Redis, Docker, Kubernetes, Elasticsearch, Jenkins, and older WebLogic servers vulnerable to CVE-2016-0638. It probes some 30 ports per host, including the default ports for ComfyUI (8188), Ollama (11434), n8n (5678), and Gradio (7860). A feedback loop on the operator's server amplifies scanning of the address ranges that yield the most compromises, and automatically blacklists suspected honeypots after repeated failures, a sign the author is actively watching for researchers.

NadMesh is also built to survive cleanup. On each victim it plants three independent persistence mechanisms at once: an SSH backdoor written to authorized_keys, hidden agent files in locations such as /dev/shm/.a and /var/tmp/.a, and disguised cron jobs under /etc/cron.d. Remove one and the others restore it. Every agent is built with obfuscation, packing, and random padding so that no two samples share a hash, defeating simple signature based detection. Infected hosts talk to each other over a peer to peer mesh, letting the botnet spread sideways inside a network on its own.

A productized operation

Xlab describes NadMesh as industrial grade rather than a hobbyist's script. The controller ships with a web dashboard, conversion funnel statistics that track how many compromises turn into successful deployments, and a staged update system with canary rollouts. The team assesses the campaign is still in an early stage, which means defenders have a window to lock down exposure before it scales.

The interest in MCP servers and AI tooling continues a pattern IntelFusions has tracked closely. Trend Micro earlier documented SQL injection in a widely forked MCP reference server, and separate research showed attackers building botnets with the help of AI assistants. NadMesh takes the next step, treating exposed AI infrastructure as a credential goldmine.

What you should do

Do not expose AI services such as Ollama, ComfyUI, or Open WebUI directly to the internet, and put authentication in front of any MCP server, especially ones that can run SQL or shell commands. Lock down internet facing Redis, Docker, Kubernetes, and Elasticsearch instances, patch legacy WebLogic servers, and rotate any AWS or Bedrock keys that may have been exposed on a reachable host. Hunt for the persistence artifacts above and block the known indicators: command and control at 209[.]99[.]186[.]235 and cdnorigin[.]net, and the agent sample with SHA1 31c69b3e12936abca770d430066f379ec1d997ec.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions