AI Turns On Itself As Hackers Build Self Replicating Botnet From Exposed AI Servers

Hackers are turning artificial intelligence against itself, using large language models to write attack code that compromises AI infrastructure and then hijacking those systems to hunt for more victims, according to new research.

Security firm Oligo Security, based in Israel, says it has uncovered a large scale campaign abusing Ray, an open source framework widely used to manage and scale AI workloads. The operation uses compromised Ray servers to form a self propagating botnet that mines cryptocurrency, launches distributed denial of service attacks and can access sensitive corporate AI models and source code.

Researchers have dubbed the campaign ShadowRay 2.0, an evolution of attacks they first observed last year.

AI writing attack code for AI targets

At the heart of the report is a claim that attackers are leaning on commercial large language models to generate parts of their malicious code.

Oligo AI security researcher Avi Lumelsky said the team is highly confident that tools like OpenAI’s ChatGPT and Anthropic’s Claude were used to help craft scripts that run on hacked servers, although he could not identify a specific model. He pointed to repeated, unnecessary comments and strings inside the malware as telltale signs of LLM generated code.

Those scripts instruct compromised Ray servers to mine cryptocurrency and to automatically scan the internet for additional exposed Ray instances. That ability to discover and infect new targets without manual intervention effectively turns the network into a self replicating botnet made up of AI infrastructure.

“AI infrastructure can be hijacked to attack itself,” Oligo cofounder and chief technology officer Gal Elbaz warned in the report, describing ShadowRay 2.0 as a shift from simple AI assisted attacks to AI coordinated campaigns.

Hundreds of thousands of servers at risk

Ray is developed by a company called AnyScale and is used to distribute and manage compute tasks for AI projects. Although AnyScale has long advised customers not to expose Ray servers directly to the internet, Oligo says it was still able to locate more than 230,000 Ray instances reachable online.

That leaves a huge potential attack surface, particularly for organisations that are using Ray to train or deploy proprietary AI models.

In one case, Oligo found a single company inadvertently exposing around 240 gigabytes of material, including source code and internal models. Lumelsky said that effectively meant the organisation’s entire research and development environment was accessible from the public internet once the server was compromised.

Beyond cryptomining and scanning for new victims, the botnet was also used to launch distributed denial of service attacks against multiple websites, the researchers said.

There are signs that more than one criminal group is trying to exploit the same weakness. Oligo found scripts designed to detect and remove rival cryptominers from infected machines, indicating competing attackers battling for control of vulnerable servers.

AnyScale did not comment before publication. After the first ShadowRay report last year, the company disputed that the flaw was exploitable when customers followed its configuration guidance and stressed that Ray should not be exposed directly. It has since published detailed instructions and released a tool to help users check whether their deployments are at risk.

A new phase of AI versus AI

The ShadowRay findings come amid growing concern over how offensive use of AI is evolving.

Anthropic recently disclosed that state linked researchers in China had succeeded in jailbreaking its Claude model to help draft malware and other cyber tools. In parallel, US government documents have revealed that the Pentagon has invested millions of dollars in startups building AI agents for automated cyber operations.

Elbaz argues that those developments, combined with ShadowRay 2.0, show a progression in how AI is being woven into attacks. First, adversaries manipulated chatbots into assisting with individual steps, an AI manipulated attack. Now, he says, hackers are compromising the AI infrastructure itself and using it as a platform for automated, global campaigns.

The trend also highlights how fragile highly concentrated AI and cloud ecosystems can be. As more companies standardise on the same frameworks, tools and cloud providers, a single misconfiguration or overlooked exposure can give attackers a gateway into hundreds or thousands of environments at once.

Call for better AI security hygiene

While the idea of AI systems turned into an army of self propagating attackers sounds like science fiction, the underlying causes remain familiar. Servers left exposed to the internet, default or weak configurations and delayed patching still sit at the root of many breaches.

Security experts say the ShadowRay case underlines the need for organisations building AI workloads to apply basic hygiene with extra care. That includes restricting management interfaces to internal networks or VPNs, regularly scanning for exposed instances, locking down access to model artefacts and source code, and monitoring for unusual compute usage or outbound connections that could indicate cryptomining or botnet activity.

As more businesses rush to adopt AI and stand up new infrastructure, Oligo’s research is a reminder that the same technology transforming products and services is also reshaping the threat landscape. The machines helping to build the next generation of AI can, if left unprotected, be quietly recruited into attacks on that very future.