Hackers Exploit OpenWebUI Servers to Deploy AI-Powered Payloads

Hackers are abusing misconfigured OpenWebUI servers to deploy AI-generated payloads that mine cryptocurrency and steal credentials across Linux and Windows environments, while hiding their activity with advanced defense evasion techniques.

The campaign shows how exposed AI tooling can be repurposed as a remote execution platform and data theft channel when left unauthenticated on the public internet.

Initial access and abuse of OpenWebUI

Sysdig’s Threat Research Team analyzed an incident where a customer’s OpenWebUI training system was accidentally exposed to the internet with admin privileges and no authentication, allowing unauthenticated remote command execution.

The attacker leveraged OpenWebUI Tools, which support user-uploaded Python scripts to extend LLM functionality, to upload a malicious script and execute it as a Tool without ever touching the normal UI flow.

Shodan shows more than 17,000 OpenWebUI instances reachable online, raising concerns that similar misconfigurations could be widespread, even if the exact number of vulnerable deployments remains unknown.

extensions.json (Source: Sysdig)

Once the rogue Tool was registered, its Python payload executed under the trusted OpenWebUI context, effectively turning the AI interface into a general-purpose malware launcher.

The uploaded Python Tool was heavily obfuscated using a “pyklump” technique, combining reversed Base64 and zlib compression across 64 nested layers to resist static inspection.

Sysdig analysts used a custom decoder to peel back these layers, revealing a main script that orchestrated cryptomining, persistence, Discord-based C2, and cross-platform logic for both Linux and Windows.

Code structure, formatting, and cross-platform branches strongly matched LLM-style output, and a code detector rated it 85–90% likely to be AI-generated or heavily AI-assisted, even though some sections were clearly hand-written.

The script used a Discord webhook to exfiltrate host metadata such as public IP, GPU information, OS platform, current user, and the status of stealth modules, effectively turning a chat channel into a lightweight C2 dashboard.

Linux: cryptomining and stealth

On Linux, the payload first copied itself into the victim’s hidden .config directory and then created a systemd service named “ptorch_updater” to ensure persistence and blend in with AI tooling.

It then downloaded T-Rex and XMRig via gh-proxy, configured them to mine Ravencoin and Monero using known pools, and wired the miners to attacker-controlled wallet addresses that had already accumulated roughly 700 dollars’ worth of funds.

To hide mining activity, the script compiled two inline C programs at runtime into shared objects and injected them via LD_PRELOAD: processhider, which filters the miner’s process name out of directory listings, and argvhider, which hooks glibc’s startup path to erase command-line arguments from /proc while preserving them in process memory.

These components make standard process and cmdline-based detection far less effective, although YARA-based detections and runtime inspection of LD_PRELOAD activity can still flag them.
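As an added illustration of the runtime LD_PRELOAD inspection mentioned above (editor-written example code, not Sysdig's detection logic): a small Python scanner that reads /proc and flags processes with a preload library injected from a temp or hidden directory, a hider-style shared object still mapped, or a blanked command line. The directory list, the sample processes and the `~/.config/ptorch` path are constructed assumptions, not values taken from the incident.

```python
import os
from dataclasses import dataclass
# Dirs a legitimately installed preload library would not normally live in (constructed starting list).
UNTRUSTED_LIB_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

@dataclass
class ProcInfo:
    pid: int
    exe: str                  # target of /proc/<pid>/exe
    cmdline: list[str]        # /proc/<pid>/cmdline split on NUL, empties dropped
    environ: dict[str, str]   # /proc/<pid>/environ as key -> value
    maps: list[str]           # file paths that appear in /proc/<pid>/maps

def untrusted_lib(path: str) -> bool:
    """Relative path, temp dir, or a dot-prefixed directory component such as ~/.config."""
    hidden = any(part.startswith(".") for part in path.split("/")[:-1])
    return not path.startswith("/") or path.startswith(UNTRUSTED_LIB_DIRS) or hidden

def analyze(p: ProcInfo) -> list[str]:
    """Return human-readable findings for one process (empty list = nothing odd)."""
    preload = p.environ.get("LD_PRELOAD", "").replace(":", " ").split()
    findings = [f"LD_PRELOAD injects library from untrusted path: {lib}" for lib in preload if untrusted_lib(lib)]
    # A hider library stays mapped even if the attacker unsets LD_PRELOAD afterwards.
    findings += [f"shared object mapped from hidden or temp dir: {m}" for m in p.maps if m not in preload
                 and (m.endswith(".so") or ".so." in os.path.basename(m)) and untrusted_lib(m)]
    # argvhider-style tampering: a real executable runs but /proc shows no argv (some daemons rewrite argv, so a lead, not a verdict).
    if p.exe and not p.cmdline:
        findings.append(f"cmdline blanked for running executable {p.exe}")
    return findings

def read_live_procs() -> list[ProcInfo]:
    """Collect ProcInfo from a live Linux /proc (run as root to cover every user's processes)."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:  # kernel threads, vanished pids and unreadable entries are skipped
            read = lambda f: open(f"{base}/{f}", "rb").read().decode(errors="replace").split("\0")
            env = dict(kv.split("=", 1) for kv in read("environ") if "=" in kv)
            maps = sorted({ln.split()[5] for ln in open(f"{base}/maps") if len(ln.split()) > 5})
            procs.append(ProcInfo(int(name), os.readlink(f"{base}/exe"),
                                  [a for a in read("cmdline") if a], env, maps))
        except OSError:
            continue
    return procs
# Constructed sample records (not taken from the incident) so the heuristics can run offline.
SAMPLES = [
    ProcInfo(900, "/usr/bin/python3", ["python3", "app.py"], {"LD_PRELOAD": "/usr/lib/libjemalloc.so.2"}, ["/usr/lib/libjemalloc.so.2"]),
    ProcInfo(4242, "/home/ml/.config/ptorch/miner", [], {"LD_PRELOAD": "/home/ml/.config/ptorch/argvhider.so"},
             ["/home/ml/.config/ptorch/argvhider.so", "/home/ml/.config/ptorch/processhider.so"]),
]
```

On a live host, call `analyze()` on each record returned by `read_live_procs()`; the `SAMPLES` list exists only so the heuristics can be exercised without a /proc filesystem.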

The Windows branch reused the same Python controller but pivoted into a Java-based loader chain, first downloading Microsoft’s JDK and a malicious JAR (application-ref.jar) from 185.208.159[.]155.

Sysdig reports that runtime monitoring caught the attack through several layers: YARA matches on the stealth libraries, detection of LD_PRELOAD-based library injection, suspicious Stratum mining traffic, code compilation inside containers, and DNS lookups for known miner and C2 infrastructure.

Threat detection (Source: Sysdig)

Key indicators include the malicious downloader IP 185.208.159[.]155, the Discord webhook URL, T-Rex and XMRig download links, Ravencoin and Monero wallet addresses, and file hashes for application-ref.jar, INT_D.DAT, INT_J.DAT, and app_bound_decryptor.dll.

To reduce exposure, organizations should ensure OpenWebUI and similar AI interfaces are never internet-facing without strong authentication, restrict Tool upload capabilities, and monitor for abnormal tool registrations or script executions.


The post Hackers Exploit OpenWebUI Servers to Deploy AI-Powered Payloads appeared first on Cyber Security News.
