Emerging Threats: New Botnets Exploit Vulnerabilities for Crypto Mining

Published: November 21, 2025
Category: Hot Technology Sectors
Word Count: 393 words

Full Transcript

The rise of botnets like ShadowRay and Tsundere is spotlighting significant cybersecurity risks associated with cryptocurrency mining. Oligo Security has reported that ShadowRay 2.0 exploits a critical vulnerability in the Ray open-source AI framework, allowing attackers to turn compromised NVIDIA GPU clusters into a self-replicating cryptocurrency mining botnet. The attack relies on a two-year-old missing-authentication flaw with a CVSS score of 9.8, which lets attackers take control of susceptible instances and run the XMRig miner on them. The campaign submits malicious jobs to the unauthenticated Ray Job Submission API, allowing the worm-like botnet to spread autonomously across exposed Ray clusters. Researchers identified over 230,500 publicly accessible Ray servers, a lucrative attack surface for hackers. The attackers have shown resilience by creating new GitHub accounts to distribute their malware even after previous takedown efforts. They also evade detection by disguising their malicious processes as legitimate kernel services and capping CPU usage, which keeps the miner under the radar while still maximizing mining gains.
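As an added example, not taken from the report or from Oligo Security's research: a triage heuristic for the process-masquerading tactic described above. On Linux, genuine kernel threads are children of kthreadd (PID 2) and have an empty /proc/<pid>/cmdline, so a user-space miner that merely renamed itself to look like a kworker fails both checks regardless of how little CPU it uses. The process snapshot is constructed for the example.

```python
"""Flag user-space processes masquerading as Linux kernel threads.

Heuristic (added example, not from the report): real kernel threads are
PID 2 (kthreadd) or children of PID 2, and expose no command line. A
process that only renamed itself to "[kworker/...]" cannot reparent
itself under kthreadd from user space, so the lineage check holds even
when the miner throttles its CPU usage to stay below alert thresholds.
"""
import re
from dataclasses import dataclass

KTHREADD_PID = 2
KERNEL_NAME = re.compile(r"^\[[^\]]+\]$")  # e.g. "[kworker/0:1]", "[ksoftirqd/0]"


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str     # process name as shown by ps; kernel threads appear bracketed
    cmdline: str  # /proc/<pid>/cmdline, joined; empty for genuine kernel threads
    cpu: float    # %CPU, reported for context only, not used as the signal


def looks_like_kernel_thread(p: Proc) -> bool:
    """True if the name claims kernel-thread status (bracketed comm)."""
    return bool(KERNEL_NAME.match(p.comm))


def is_real_kernel_thread(p: Proc) -> bool:
    """Lineage check: kthreadd itself, or a child of kthreadd with no cmdline.
    Zombies also have an empty cmdline, so the PPID check is the stronger signal."""
    return p.pid == KTHREADD_PID or (p.ppid == KTHREADD_PID and p.cmdline == "")


def find_masquerading(procs):
    """Return processes whose name claims kernel-thread status but whose
    parent or command line disproves it."""
    return [p for p in procs if looks_like_kernel_thread(p) and not is_real_kernel_thread(p)]


# Constructed sample snapshot (not real data): kthreadd, one genuine kworker,
# one CPU-throttled user-space process renamed to look like a kworker, and
# one ordinary user process.
SAMPLE = [
    Proc(2, 0, "[kthreadd]", "", 0.0),
    Proc(15, 2, "[kworker/0:1]", "", 0.1),
    Proc(4412, 1, "[kworker/1:3]", "/tmp/constructed-miner --threads 1", 4.8),
    Proc(5001, 1200, "python3", "python3 worker.py", 12.0),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE):
        print(f"suspect pid={p.pid} ppid={p.ppid} comm={p.comm} cmdline={p.cmdline!r} cpu={p.cpu}")
```

On a live host the same fields come from /proc/<pid>/stat (pid, ppid, comm) and /proc/<pid>/cmdline; the low %CPU of the flagged entry is the point, since a usage threshold alone would not surface it.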

Meanwhile, the Tsundere botnet is expanding its operations by targeting Windows users and executing arbitrary JavaScript code retrieved from an Ethereum-based command-and-control server. Active since mid-2025, Tsundere has used game-related lures to propagate its malware. Researchers from Kaspersky noted that the botnet can install itself through a compromised Remote Monitoring and Management tool, using disguised MSI installer files that appeal to users seeking pirated games. The malware prepares the environment by installing Node.js and uses legitimate libraries to persist on the system, keeping the bot active and operational across reboots. Tsundere's C2 infrastructure is integrated with the Ethereum blockchain, so server addresses can be rotated easily through smart contracts. This approach not only makes the botnet harder to take down but also shows the threat actors leveraging cryptocurrency technologies for their own operations. Kaspersky highlighted the bot's ability to adapt dynamically, executing a wide range of tasks based on the commands it receives from the C2 server.

Both ShadowRay and Tsundere exemplify how cybercriminals are increasingly exploiting vulnerabilities in the service of cryptocurrency mining. The emerging threat landscape underscores the urgent need for stronger security measures within the crypto sector to protect users and networks from these sophisticated attacks. As these botnets evolve, cybersecurity professionals are calling for stricter protocols and monitoring to prevent unauthorized access and mitigate the risks associated with cryptocurrency mining exploits.
