ShadowRay 2.0: Attackers Turn AI Against Itself in a Global Campaign That Hijacks AI Into a Self-Propagating Botnet
www.oligo.security/blog/shad…
In early November 2025, the Oligo Security research team identified a new attack campaign exploiting the ShadowRay vulnerability (CVE-2023-48022) in Ray, a widely used open-source AI framework. This is the same flaw that Oligo first observed being exploited in late 2023 and that is now tracked by MITRE as ShadowRay, Campaign C0045.
In the latest activity, attackers used DevOps-style infrastructure and relied on GitLab to update and deliver region-aware malware. Oligo reported the activity to GitLab, and the malicious repository and account were removed on Nov. 5, 2025. However, Oligo has since confirmed that the attackers migrated to GitHub, where they created multiple accounts and repositories as of Nov. 10, 2025. The campaign remains active.
This new wave represents a major escalation from the initial ShadowRay exploitation. The threat actors, operating under the name IronErn440, are now weaponizing Ray’s legitimate orchestration features to support a self-propagating global cryptojacking operation capable of autonomously spreading across exposed Ray clusters.