08 Apr ComfyUI AI Platform Exploited in Large-Scale Cryptomining Botnet Campaign: Critical Warning for Dental Practices Using AI Tools
Security researchers have uncovered a sophisticated campaign targeting over 1,000 internet-exposed instances of ComfyUI, a popular Stable Diffusion AI platform, and enlisting them into a cryptocurrency mining and proxy botnet operation. This development poses significant risks for dental practices that are increasingly adopting AI-powered tools for imaging, patient communication, and practice management.
The ComfyUI Exploitation Campaign
Censys security researchers discovered the active campaign that systematically scans for exposed ComfyUI instances across major cloud IP ranges. The attackers exploit a critical misconfiguration that allows remote code execution on unauthenticated deployments through custom nodes—a feature that enables ComfyUI to accept and execute custom Python code.

The attack methodology is particularly concerning for its automation and persistence mechanisms. A purpose-built Python scanner continuously sweeps cloud infrastructure, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present. Upon successful exploitation, compromised hosts are immediately enlisted into both cryptocurrency mining operations and a Hysteria V2 botnet.
Dual-Purpose Malware Deployment
Once code execution is achieved, the attackers deploy sophisticated malware that serves multiple purposes:
- Cryptocurrency Mining: XMRig miners target Monero while lolMiner focuses on Conflux, generating revenue through computational theft
- Proxy Network: Compromised systems join a Hysteria V2 botnet, likely sold as proxy services to other threat actors
- Competitive Sabotage: The malware specifically targets rival mining operations, particularly the “Hisana” botnet, redirecting their mining output to the attackers’ wallets
The malware employs multiple persistence mechanisms, including LD_PRELOAD hooks, watchdog processes, and the immutable file attribute (“chattr +i”) to lock miner binaries so that administrators cannot delete or modify them without first clearing the attribute.

Critical Implications for Dental Practices
This campaign represents a significant threat to dental practices for several reasons. Many practices are experimenting with AI tools for image enhancement, treatment planning visualization, and patient education materials. ComfyUI and similar Stable Diffusion platforms are increasingly popular for generating custom imagery and educational content.
The financial impact extends beyond stolen computational resources. Cryptocurrency mining operations consume substantial electricity and computing power, potentially leading to unexpected infrastructure costs and reduced system performance. More critically, compromised systems provide attackers with persistent access to practice networks, potentially exposing sensitive patient data and HIPAA-protected information.
Broader Botnet Landscape Expansion
Security researchers note that botnet activity has surged 26% in the first half of 2025 and 24% in the second half, with attacks increasingly targeting cloud infrastructure and connected devices. This ComfyUI campaign represents part of a broader trend where threat actors exploit emerging technologies and platforms before security best practices are widely adopted.
The campaign’s infrastructure, traced to Aeza Group—a bulletproof hosting provider—demonstrates the professional nature of these operations. The attackers maintain a Flask-based command-and-control dashboard for centralized management and have developed specialized tools targeting specific competitor operations.
Immediate Protection Measures
Dental practices using or considering AI tools must implement immediate protective measures. Any ComfyUI instances should be removed from internet-accessible networks and placed behind proper authentication controls. Regular security audits of all AI and cloud-based tools are essential, with particular attention to custom node or plugin installations.
Network monitoring should include detection of unusual computational activity, unexpected outbound connections, and abnormal electricity consumption patterns. Practices should also implement strict access controls for any AI development or experimentation environments, ensuring they remain isolated from production systems containing patient data.
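A small host audit script, added here as an example and not taken from the article, Censys, or the ComfyUI project, checks a Linux host for the conditions described above: a ComfyUI listener bound beyond loopback (assuming ComfyUI's default port 8188), custom_nodes directories outside an approved list, /etc/ld.so.preload hooks, and files locked with the immutable attribute. The install path, the allowlist file, and the scanned directories are assumptions; run audit_host on the machine itself, or feed the helpers captured command output.

```shell
#!/bin/sh
# Defensive audit for the indicators this article describes: an internet-exposed
# ComfyUI listener, unapproved custom nodes, LD_PRELOAD hooks in
# /etc/ld.so.preload, and immutable (chattr +i) binaries.
# Assumptions (not from the article): ComfyUI's default port 8188 and an
# install at $COMFY_DIR with nodes under custom_nodes/.
COMFY_DIR="${COMFY_DIR:-/opt/ComfyUI}"

# Print ComfyUI listeners bound to anything other than loopback.
# Reads `ss -ltn` output on stdin so it can be run over captured text.
exposed_listeners() {
  awk '$1 == "LISTEN" && $4 ~ /:8188$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Print custom_nodes entries that are absent from an allowlist (one name per line).
unexpected_nodes() {
  nodes_dir="$1"; allow="$2"
  for d in "$nodes_dir"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    grep -qxF "$name" "$allow" || echo "$name"
  done
}

# Print active entries of an ld.so.preload file; blank and comment lines are dropped.
# A ComfyUI host normally has none, so any entry deserves a look.
preload_entries() {
  [ -f "$1" ] || return 0
  grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Print paths carrying the immutable ('i') flag from `lsattr -R` output on stdin.
# Directory header lines ("/opt:") have no second field and are skipped.
immutable_paths() {
  awk 'NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ && $1 ~ /i/ { print $2 }'
}

# Run all checks against the local host and print one line per finding.
audit_host() {
  ex=$(ss -ltn 2>/dev/null | exposed_listeners)
  [ -n "$ex" ] && echo "EXPOSED: ComfyUI listening on $ex"
  nodes=$(unexpected_nodes "$COMFY_DIR/custom_nodes" "${NODE_ALLOWLIST:-/etc/comfyui-nodes.allow}")
  [ -n "$nodes" ] && echo "UNAPPROVED NODES: $nodes"
  pre=$(preload_entries /etc/ld.so.preload)
  [ -n "$pre" ] && echo "PRELOAD: $pre"
  imm=$(lsattr -R /usr/local/bin /opt /tmp 2>/dev/null | immutable_paths)
  [ -n "$imm" ] && echo "IMMUTABLE: $imm"
  return 0
}
```

Each helper reads a file or stdin rather than touching the host directly, so the same functions can be pointed at output collected from a machine you suspect is already compromised.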
Long-Term Security Strategy
This incident highlights the critical importance of security-first approaches when adopting new technologies. Dental practices must establish clear policies for evaluating and deploying AI tools, including mandatory security assessments and ongoing monitoring requirements.
As AI adoption accelerates in dental practice management, the attack surface continues to expand. Practices should work with qualified IT security professionals to develop comprehensive risk assessment frameworks specifically addressing AI tool deployment and management in healthcare environments.
The ComfyUI botnet campaign serves as a stark reminder that cybercriminals rapidly adapt to exploit new technologies, making proactive security measures essential for protecting patient data and practice operations in an increasingly connected healthcare landscape.