Skip to main content
Emerging ThreatsMalware & Ransomware

NadMesh Botnet Targets Exposed AI Services for Cloud Credentials

Dimly lit server room with rows of racked servers and networking gear.

“Not the host itself, but the cloud credentials, Kubernetes cluster privileges” — that is how QiAnXin's XLab summarized what the NadMesh operator is after, and the botnet's own dashboard claims 3,811 unique AWS keys in its tally.

NadMesh operator dashboard and observable discrepancy

XLab captured screenshots of a control panel the researchers named NadMesh (from an "n4d mesh controller" string in the malware). The operator-facing panel shows competing metrics: a counter reading 17,700 total deploys above a funnel claiming 95,700 deploys in the past 24 hours; tiles advertising 16 active bots and 12 active bots side-by-side; and an operator-stated credential count repeated at 3,811 unique AWS keys. XLab's external sensors do not match the operator numbers. Distinct source IPs running NadMesh were near zero through late June, then climbed in the first week of July to about 139 per day.

What NadMesh hunts: AI endpoints, cloud keys, and Kubernetes tokens

The botnet's Shodan-driven scan queue prioritizes a set of AI and workflow services: ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. In XLab's review of the botnet's last 100 intel records, 47 were credential hauls and 41 were model inventories; the inventories carried DeepSeek, GLM, and Kimi identifiers tagged :cloud, a signal the catalogued assets reach beyond a single host. XLab's summary quote — that the operator is after cloud credentials and Kubernetes privileges — underscores that NadMesh seeks the keys and tokens that grant lateral and cloud access, not merely compute or GPU cycles.

Exploit mix and the role of MCP, Docker, and Jenkins

XLab charted observed exploit traffic and found most attempts targeted Docker sockets and Jenkins consoles: docker_containers_api_rce accounted for 30.31% of observed exploit traffic and jenkins_scripttext_rce 22.28%. Telnet weak-password attempts made up 10.36% and Redis 8.29%. MCP command execution (mcp_cmd_execute) appears in XLab's traffic but sits in the small, unlabeled tail at roughly 0.78% of observed attempts.

The NadMesh controller itself ranks MCP at the top of its exploitation priority list, above Kubernetes, Docker API, and Redis, with an associated vector recorded as a JSON-RPC tools/call to execute_command. XLab did not attach a CVE to that vector in its telemetry.

MCP exposure, Censys counts, and the changing payoff

MCP's specification history matters to this campaign. Censys counted 12,520 reachable MCP services across 8,758 IP addresses as of April 28, more than 21,000 by May 6, and about 90 advertising a tool that runs commands; on 39 of those, the tool was named execute_command — the exact call NadMesh lists. Censys concluded its MCP census on May 27 with a grim possibility: hosts exposed in that way would likely end up "part of some future botnet or abuse infrastructure." XLab's NadMesh publication seven weeks later shows that prediction being realized in practice, with the botnet shifting its payoff from mining GPUs (as a different operator did in April) to harvesting cloud credentials and callable model control tools.

Persistence, delivery, and the botnet's hygiene

Removal is engineered to be difficult. XLab reports the agent persists via three separate mechanisms so removing one component leaves others able to restore it. Every build is obfuscated and packed — Garble obfuscation, UPX -9, and random padding — so no two agents share a stable hash; the published sample hash will catch one build and miss the rest. Five build versions run concurrently: eleven bots on 33.8-GO-TITAN, others on 30.0. A canary endpoint staged new builds and returned 5,448 responses and 84,024 null replies, while a funnel tracks tasks through deploys to live hosts.

Scanning logic is systematic: subnets that produce hits are resampled every five minutes; IPs flagged dangerous in the last 24 hours are rescanned every 15 minutes as /32 checks with AI ports prioritized; a full sweep promotes everything marked dangerous in the last seven days to the top. Targets that absorb ten deployment attempts without returning a result are auto-blacklisted as suspected honeypots. If the queue runs dry, the bots simply generate a random /24 and keep scanning.

What this means for security teams, cloud operators, and regulators

  • Security teams and DevOps: XLab's actionable indicators include the C2 IP 209.99.186[.]235, the domain cdnorigin[.]net, and a sample agent SHA1 31c69b3e12936abca770d430066f379ec1d997ec. XLab advises checking common drop paths (/dev/shm/.a, /var/tmp/.a, /tmp/.a), ~/.ssh/authorized_keys and cron entries (/etc/cron.d/.sys_monitor, /etc/cron.d/.s), and revoking credentials (AWS keys, cluster tokens, .env values, registry logins) only after removing persistence so new keys are not immediately captured.
  • Cloud operators and application owners: The report highlights exposed management APIs and local model runners — ComfyUI, Ollama, Gradio, n8n — and names ports the rescan job checks first: 8188, 11434, 7860, and 5678. XLab's guidance is to put these behind authentication or remove them from the public Internet.
  • Policymakers and vulnerability coordinators: XLab's exploit chart includes recent CVEs such as CVE-2026-39987 (pre-auth RCE in Marimo notebooks, added to CISA KEV in April) and CVE-2026-41176 (unauthenticated flip of rc.NoAuth on rclone RC servers started without HTTP auth). Older entries like CVE-2022-22947 and CVE-2017-12611 appear in the mix but require specific, enabled conditions to be exploitable.

XLab's record is stark: NadMesh is not a small prank seeking GPU time — it is a measured harvest of credentials and callable model tools. The operator's own scoreboard even omits counts for some of the very assets the bots are retrieving, while external sensors show a rapid uptick in activity in early July. The practical question the data leaves is concrete: how many of the thousands of reachable MCP and AI service endpoints remain callable without authentication, and who will inventory and harden them before more credentials are lost?

https://thehackernews.com/2026/07/new-nadmesh-botnet-hunts-exposed-ai.html