In a significant cybersecurity incident, a sophisticated malware campaign has targeted ComfyUI, a widely used AI image generation framework, compromising at least 695 servers globally. This attack underscores the escalating threats against AI infrastructures, with attackers exploiting vulnerabilities in ComfyUI to deploy a persistent backdoor known as Pickai.
Discovery and Initial Detection
The campaign first came to light in February 2025 when an early version of the malware was uploaded to VirusTotal from Hong Kong. By March, the full extent of the operation became evident as suspicious activities were detected across multiple regions. Security analysts from XLab identified the malware through their Cyber Threat Insight and Analysis System on March 17, 2025, flagging unusual behavior from IP address 185.189.149.151.
Exploitation of ComfyUI Vulnerabilities
ComfyUI, an open-source, node-based program, allows users to generate images from text prompts using diffusion models like Stable Diffusion. Its modular design, while flexible, has made it susceptible to exploitation. Attackers leveraged these vulnerabilities to distribute ELF executables disguised as configuration files, including config.json, tmux.conf, and vim.json. The malware’s name, Pickai, reflects its core function of stealing sensitive AI-related data, effectively acting as a digital pickpocket within AI development environments.
Global Impact and Botnet Formation
The campaign’s reach extends beyond individual server compromises, with infected systems primarily located in Germany, the United States, and China. Security researchers gained partial visibility into the botnet by registering an unclaimed command-and-control domain, revealing traffic spikes exceeding 400 daily active installations during periods when primary C2 servers failed.
Advanced Persistence Mechanisms
Pickai employs robust persistence strategies that distinguish it from conventional backdoors. When operating with root privileges, the malware creates five separate copies of itself across different system directories, each with synchronized modification timestamps matching /bin/sh to blend with legitimate system files. These copies are strategically placed in locations such as /usr/bin/auditlogd, /usr/sbin/hwstats, /sbin/dmesglog, /var/lib/autoupd, and /var/run/healthmon, masquerading as legitimate system services.
Each copy implements dual persistence mechanisms using both init.d and system service frameworks, creating a total of ten different services for root-level infections. The malware deliberately appends random data to each file copy, ensuring that hash-based detection systems encounter different MD5 signatures for what is essentially the same malicious payload.
For non-root users, Pickai maintains five persistence points using systemd services in user-space directories, demonstrating its adaptability across different privilege levels. This redundant approach means that incomplete removal attempts will trigger automatic reinfection, making the malware particularly challenging to eradicate from compromised systems.
Broader Implications and Related Incidents
This incident is part of a broader trend where cybercriminals exploit AI tools to spread malware. For instance, in May 2025, threat actors linked to lesser-known ransomware and malware projects used AI tools as lures to infect unsuspecting victims with malicious payloads. These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks. Cisco Talos researchers discovered that smaller ransomware teams, such as CyberLock, Lucky_Gh0$t, and a new malware named Numero, are now using similar techniques. The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.
Recommendations for Mitigation
To mitigate such threats, organizations using AI tools like ComfyUI should implement robust security measures, including:
– Regular Updates and Patching: Ensure that all software components are up-to-date to protect against known vulnerabilities.
– Network Segmentation: Isolate critical systems to prevent lateral movement of malware within the network.
– Monitoring and Logging: Implement comprehensive monitoring to detect unusual activities promptly.
– User Education: Train staff to recognize phishing attempts and other common attack vectors.
By adopting these practices, organizations can enhance their resilience against sophisticated cyber threats targeting AI infrastructures.
