From AI Workstation to Proxy Exit Node: GHOST Campaign Targets Japan's Unauthenticated ComfyUI Deployments

Md. Azim Uddn - Unit Zero, Pipeline Threat Intelligence Team

Executive Summary

  • Unit Zero Threat Intelligence has been tracking an active campaign, now formally disclosed by Censys ARC on April 7, 2026, that systematically targets internet-exposed ComfyUI servers globally, including 21 confirmed instances identified in Japan.

  • Threat actors are converting GPU-rich AI image generation infrastructure into dual-purpose criminal assets: Monero and Conflux cryptocurrency mining rigs and Hysteria v2 proxy botnet exit nodes available for resale.

  • Japan's AI adoption has accelerated significantly. ComfyUI has been deployed widely across creative studios, research labs, and individual practitioners, many of whom operate their instances without authentication.

This blog provides a Japan-specific threat assessment, technical breakdown, and actionable remediation guidance for defenders operating in the Japanese ecosystem.

Threat Summary


Attribute | Details
Threat Name | GHOST Botnet / ComfyUI Cryptominer Campaign
Threat Type | Cryptomining / Proxy Botnet
Japan Exposure | 21 publicly accessible ComfyUI instances identified
Malware Family | GHOST v5.1 (ghost.sh), XMRig, lolMiner, Hysteria v2
Coins Mined | Monero (XMR) via XMRig; Conflux (CFX) via lolMiner
C2 Infrastructure | Flask dashboard on port 3301, hosted at Aeza Group (bulletproof hosting)


Using Censys internet-wide scan data, Unit Zero identified 21 publicly accessible ComfyUI instances with Japanese IP address attribution. While this figure may appear to be a small number against a global pool of 1,000+ exposed instances, context is critical for Japan-region defenders.


"A Japanese IP address with GPU capacity is worth more to this threat actor than a dozen compromised servers elsewhere. The attack surface is small. The value is not." - Unit Zero

Why Japan Instances Are High-Value Targets


  • Japanese AI practitioners frequently deploy ComfyUI on high-end NVIDIA GPU servers (A100, H100, RTX 4090 class hardware), precisely the hardware that generates the highest crypto-mining hashrates.

  • Japan's culture of adopting AI in enterprises often favors ease of access over security hardening, particularly in creative industry deployments. Unauthenticated public-facing ports are common in small studio and research environments.

  • The GHOST scanner's curated IP range lists actively target cloud deployments in the AWS Tokyo (ap-northeast-1), GCP asia-northeast1, and Oracle Cloud Japan regions. A compromised Japanese cloud GPU instance can generate significantly more Monero per unit time than a standard CPU server, making Japan's AI infrastructure disproportionately attractive.

  • Proxy exit nodes in Japan have premium resale value on underground markets, given Japan's high-bandwidth infrastructure and reputationally 'clean' IP space that bypasses many geo-blocks.


Of the 21 Japanese instances identified, a subset are likely to have ComfyUI-Manager installed (enabling the scanner's silent malicious package installation pathway), and at least some are expected to run custom nodes that include dangerous execution-capable components such as FL_CodeNode or SrlEval. Unit Zero strongly recommends all operators of these 21 instances treat themselves as potentially compromised until a full forensic review is completed.

Attack Chain: Step by Step





C2 Infrastructure & Dual Monetization Model

The campaign's operational sophistication is most evident in its centrally managed command-and-control infrastructure. A Flask-based C2 dashboard running on port 3301 assigns each compromised host a unique identifier derived from the hostname (format: vm<hex>) and logs real-time CPU and GPU hashrates, mining pool, accepted shares, hardware inventory, and OS details into an embedded SQLite database.

The Hysteria v2 proxy fleet is also run by the same C2 panel. Each compromised node registers its Hysteria URI with the C2, enabling the operator to bulk-export a list of functional proxy exit nodes, suggesting a secondary business of selling residential-quality proxy access using Japanese and other high-value IP ranges. The dual mining and proxy components share the same C2 credentials and URL, indicating a single operator managing both revenue streams.



Indicators of Compromise (IOCs)

Type | Indicator | Context
IP | 77[.]110[.]96[.]200 | Attacker open directory / tool hosting (Aeza Group)
IP | 120[.]241[.]40[.]237 | Linked to Redis worm campaign, pivot from GHOST operator
File | ghost.sh (GHOST v5.1) | Second-stage loader/miner dropper
File | ComfyUI-Shell-Executor | Malicious pip package for RCE via ComfyUI-Manager
Port | 3301/TCP | Flask-based C2 dashboard
Process | XMRig (kernel-name masquerade) | Monero miner, hidden via LD_PRELOAD rootkit
Process | lolMiner | Conflux miner binary
Service | Hysteria v2 (masquerades as bing.com TLS) | Proxy botnet listener
Path | /var/tmp/, ~/.cache/ | GHOST dropper hidden artifact locations
Pool | Kryptex mining pool | Primary mining pool used by operator wallets

Detection Guidance for Japan Operators


Detection Point | What to Look For
Process Names | Kernel-like names with unusual hex suffixes (e.g. kworker[u8:2-a3f1])
Network Traffic | Outbound connections to Kryptex pool endpoints (port 3333/TCP)
Network Traffic | Hysteria v2 TLS traffic masquerading as bing.com (port 443)
File System | Hidden directories in /var/tmp/ or ~/.cache/ with backdated timestamps
File System | chattr +i flag set on unexpected binaries
ComfyUI | Unknown packages under custom_nodes/ (esp. ComfyUI-Shell-Executor)
ComfyUI | Default startup workflow modified (userdata/workflows/)
ComfyUI | Node named 'GPU Performance Monitor' (fake persistence node)
System | LD_PRELOAD set to an unknown shared library (rootkit indicator)


Remediation & Hardening Recommendations


Immediate Actions (If You Operate ComfyUI)
  1. STOP EXPOSING COMFYUI DIRECTLY TO THE INTERNET. Place it behind a VPN or an authenticated reverse proxy (nginx with HTTP Basic Auth and TLS at minimum; Cloudflare Access is preferred). This single action eliminates the entire attack surface.

  2. Conduct an immediate audit of your custom_nodes/ directory. Remove any package you did not explicitly install, especially ComfyUI-Shell-Executor and any "GPU Performance Monitor" node.

  3. Review userdata/workflows/ for any startup workflows you did not create. The poisoned default workflow executes the exploit on every restart.

  4. Check for LD_PRELOAD entries in /etc/ld.so.preload and /etc/environment. An unexpected library here is a definitive rootkit indicator.

  5. Scan for locked files with lsattr -R /var/tmp/ ~/.cache/; unexpected 'i' (immutable) flags indicate GHOST malware artifacts.

  6. Kill and remove any process with a kernel-like name containing a hex suffix (e.g., kworker[0:1-a3f1]).

  7. Rotate all credentials associated with the ComfyUI server. SSH keys, cloud API keys, and any secrets in environment variables should be considered compromised.

  8. If the ComfyUI process user has root access, assume full system compromise and perform a clean rebuild from a verified image.
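The following script, added here as an example rather than Unit Zero's or Censys's tooling, turns the detection table and steps 2 to 6 above into repeatable checks. It assumes a Linux host with procps, e2fsprogs (lsattr) and iproute2 (ss); the ComfyUI install path, the allowlist file name and the --live switch are assumptions of the example, and every check also accepts captured command output so it can be run against saved evidence.

```shell
#!/bin/sh
# Triage checks for the GHOST indicators described above. Added example,
# not Unit Zero's or Censys's tooling; each check reads captured command
# output on stdin or a path argument, so it also runs on saved evidence.
# Kernel-thread masquerade. Real kernel threads are children of kthreadd
# (PPID 2) and show as "[kworker/...]"; a userland miner named like one has
# another parent, and the page's samples carry a bracketed hex suffix.
# Input lines: "PID PPID ARGS..."  (ps -eo pid,ppid,args --no-headers)
check_kernel_masquerade() {
    awk '$1 != 2 && $3 ~ /^\[?k(worker|threadd|softirqd|swapd)/ &&
         ($2 != 2 || $3 ~ /\[[^]]*-[0-9a-f][0-9a-f][0-9a-f]/) {
             print "SUSPECT_PROCESS", $1, $3 }'
}

# LD_PRELOAD rootkit indicator: /etc/ld.so.preload is normally absent or
# empty, so every non-comment entry is reported.  $1 = file to inspect
check_ld_preload() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sed 's/^/LD_PRELOAD_ENTRY /'
}

# chattr +i artifacts: parse lsattr output (flag field, then path) and report
# paths carrying the immutable flag.  Input: lsattr -R /var/tmp ~/.cache
check_immutable() {
    awk 'NF >= 2 && $1 ~ /^[A-Za-z-]+$/ && index($1, "i") > 0 {
             print "IMMUTABLE_FILE", substr($0, length($1) + 2) }'
}

# custom_nodes audit: every package directory missing from your own allowlist.
# $1 = custom_nodes directory, $2 = file with one approved package name per line
check_custom_nodes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue; n=$(basename "$d")
        grep -qxF "$n" "$2" || echo "UNKNOWN_NODE $n"
    done
}

# Mining-pool traffic: established TCP sessions whose peer is on port 3333.
# Input lines: "Recv-Q Send-Q Local Peer"  (ss -tnH state established)
check_pool_traffic() {
    awk '$4 ~ /:3333$/ { print "POOL_CONNECTION", $4 }'
}
if [ "${1:-}" = "--live" ]; then    # run every check against this host
    ps -eo pid,ppid,args --no-headers | check_kernel_masquerade
    check_ld_preload /etc/ld.so.preload
    lsattr -R /var/tmp "$HOME/.cache" 2>/dev/null | check_immutable
    check_custom_nodes "${COMFYUI_HOME:-/opt/ComfyUI}/custom_nodes" "${2:-approved_nodes.txt}"
    ss -tnH state established | check_pool_traffic
fi
```

Any line of output is a lead to investigate, not proof on its own; a clean run does not clear a host whose rootkit already filters what ps and ls report, which is why the file-system and network checks are kept alongside the process check.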


Hardening Checklist (Preventive)


  • Never expose ComfyUI on 0.0.0.0 without authentication; bind to 127.0.0.1 and use a reverse proxy with authentication.

  • Disable or restrict ComfyUI-Manager's remote install capability in production environments.

  • Remove or sandbox dangerous custom nodes that accept raw Python execution (FL_CodeNode, SrlEval, similar).

  • Run ComfyUI as a dedicated non-root service user with minimal filesystem permissions.

  • Deploy network-level monitoring: alert on unexpected outbound traffic to port 3333/TCP (mining) or unusual Kryptex/XMRig process names.

  • Perform periodic self-scans using the query above to verify your ComfyUI instances are not publicly reachable.

  • If you are using AWS, GCP, or Oracle Cloud in Japan, review the Security Groups and VPC firewall rules to ensure that port 8188 is NOT permitted from 0.0.0.0/0.
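A self-check for the first and last items of the checklist, added as an example and not the project's own tooling. It assumes iproute2's ss and ComfyUI's default port of 8188, and classifies each listener on that port by its bind address; the AWS command in the trailing comment is the cloud-side counterpart and is not executed here.

```shell
#!/bin/sh
# Exposure self-check for the hardening checklist above. Added example, not
# the project's own tooling: it classifies every listener on the ComfyUI port
# (8188 unless overridden) by bind address. Feed it captured output or run
# live with:  ss -tlnH | check_exposed_listener 8188
# Input lines: "State Recv-Q Send-Q Local Peer"  (ss -tlnH)
check_exposed_listener() {
    awk -v p="${1:-8188}" '$4 ~ (":" p "$") {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print "EXPOSED", $4                 # reachable from every interface
        else if (addr == "127.0.0.1" || addr == "[::1]")
            print "LOOPBACK_OK", $4             # only a local reverse proxy reaches it
        else
            print "CHECK_REACHABILITY", $4      # bound to one interface; verify firewalling
    }'
}
# Cloud-side counterpart for AWS (not run here): list security groups that
# open 8188 to the world, which the checklist says must not exist.
#   aws ec2 describe-security-groups --filters \
#       Name=ip-permission.from-port,Values=8188 Name=ip-permission.cidr,Values=0.0.0.0/0
```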


Analyst Commentary: The Unit Zero Perspective


This campaign represents a meaningful evolution in the targeting of AI infrastructure. Historically, cryptomining botnets focused on poorly secured web servers, exposed Docker APIs, or misconfigured cloud storage. The shift to GPU-accelerated AI platforms reflects a mature understanding of where high-value compute has migrated in 2025–2026.


Japan's position in the threat landscape here is nuanced. The country's rapid enterprise AI deployment, particularly in creative industries and R&D environments, has produced a class of exposed infrastructure that operators do not conceptually treat as 'servers' in the traditional security sense. ComfyUI is often perceived as a 'creative tool,' not a production service requiring hardening. This cognitive gap is the real vulnerability being exploited.


The dual-revenue model (mining + proxy resale) demonstrates increasingly sophisticated operational planning. Proxy exit nodes with Japanese IP addresses command a premium in underground markets; Japanese IP ranges are frequently needed by actors targeting services that geo-block by country, including Japanese government portals, financial institutions, and regional streaming services. An operator who can bulk-sell Japanese IP access is building a persistent monetization stream that outlasts the mining operation.


Censys's assessment that the tooling 'appears hastily assembled' should not reduce threat priority. The effectiveness of the campaign does not rely on sophistication; it relies on an enormous pool of misconfigured targets doing nothing to prevent it. With 21 exposed Japanese instances currently visible, and given that ComfyUI's user community is growing rapidly in Japan, this attack surface will expand unless the community receives clear, accessible hardening guidance.



MITRE ATT&CK Mapping

Tactic | Technique ID | Details
Initial Access | T1190 | Exploit Public-Facing Application (ComfyUI RCE via custom nodes)
Execution | T1059.006 | Python-based malicious workflow execution via /prompt endpoint
Persistence | T1543 | Backdoored startup workflow; fake GPU Monitor node; cron-like 6-hour refetch
Defense Evasion | T1564.001 | Hidden files in /var/tmp/, ~/.cache/ with backdated timestamps
Defense Evasion | T1574.006 | LD_PRELOAD rootkit hiding miner processes from ps/top/ls
Defense Evasion | T1222 | chattr +i on miner binaries to prevent deletion
Discovery | T1046 | ZMap-based scanning to propagate the worm to adjacent vulnerable hosts
Resource Development | T1584 | Use of Aeza Group bulletproof hosting for C2/payload hosting
Impact | T1496 | Resource Hijacking: Monero (XMRig) and Conflux (lolMiner) mining


References


  • Censys ARC — Mark Ellzey. "ComfyUI Servers Being Turned into Cryptomining Proxy Botnet." April 7, 2026.

  • The Hacker News. "Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign." April 7, 2026.

  • GBHackers. "ComfyUI Servers Hijacked for Cryptomining, Proxy Botnet Ops." April 8, 2026.

  • Snyk Security. "ComfyUI Custom Node RCE Research." December 2024.

  • Pulsedive Threat Intelligence. "Botnet Activity Report H1/H2 2025."

  • MITRE ATT&CK Framework v15. https://attack.mitre.org


Summary: Recommended Measures and Immediate Actions


A key feature of this GHOST campaign is that it targets AI environments directly, rather than traditional “servers.” In Japan in particular, many systems are publicly exposed online in the name of convenience, making them highly attractive to attackers as “high-performance yet unprotected assets.”


Therefore, rather than implementing individual countermeasures, it is crucial to re-evaluate your operational assumptions.



What PIPELINE Inc. Can Do

In cases like this, it is not just about one-off countermeasures; a mechanism for continuous "visibility" is essential.

PIPELINE Inc. can provide the following support:

① Visualization of Externally Exposed Assets
  • Continuously monitor how your company's domains and IP addresses appear from the internet
  • Early detection of unintended exposure (including ComfyUI)

② Risk-Based Prioritization
  • Identify "high-risk assets" such as GPU servers and cloud environments
  • Clarify where to start

③ Continuous Monitoring and Alerts
  • Regularly check for suspicious port exposures, network traffic, and configuration changes
  • Support detection at the pre-incident stage

④ Designing Countermeasures Tailored to Actual Operations
  • Security design based on the premise of a "configuration that is easy to use in the field"
  • Improvement proposals that balance convenience and security



Finally

AI environments are often introduced as "tools," but the moment they are exposed to the outside world, they become assets that carry exactly the same risks as servers.

The recent GHOST campaign is a prime example of an attack that exploited this gap in awareness.

First, please start by checking how your company's AI environment appears from the outside.


