Security researchers have uncovered a Go based botnet named NadMesh that is actively targeting exposed artificial intelligence services to steal cloud credentials, Kubernetes tokens, and other sensitive configuration data from compromised systems. The malware was identified by QiAnXin XLab in early July after researchers observed a sharp increase in activity targeting AI platforms and cloud environments. According to the published findings, NadMesh scans for internet exposed services including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio, which are commonly deployed to support AI model execution, workflow automation, and application development. Researchers stated that the botnet focuses on extracting valuable credentials rather than compromising the host itself, allowing attackers to gain access to cloud infrastructure, Kubernetes clusters, and associated services through stolen authentication data.
According to the report, the operator’s control panel claimed to have collected 3,811 unique AWS credentials while tracking approximately 17,700 deployments, although researchers noted inconsistencies between several dashboard statistics. XLab observed a significant rise in NadMesh activity during the first week of July, with monitored source IP addresses increasing rapidly after showing little activity throughout late June. Once a system is compromised, the malware searches for cloud credentials stored in environment variables, Kubernetes service account tokens, AWS configuration files, Docker configuration files, and application environment files. Researchers also observed the malware collecting information related to AI models, including identifiers associated with DeepSeek, GLM, and Kimi cloud deployments. The report noted that NadMesh gives high priority to Model Context Protocol services, commonly known as MCP, followed by Kubernetes, Docker API, and Redis targets. Researchers identified JSON RPC requests using execute command functionality as one of the exploitation methods against exposed MCP deployments. Although no specific vulnerability has been assigned to this technique, the report notes that authentication within the original MCP specification remained optional, leaving many publicly accessible deployments exposed. Previous internet scans cited in the report found thousands of reachable MCP services, with dozens exposing command execution functionality through execute command tools.
Despite its focus on AI infrastructure, researchers found that a large portion of NadMesh exploitation attempts still target traditional administrative services. According to XLab telemetry, Docker API remote code execution represented more than 30 percent of observed attacks, while Jenkins Script Console exploitation accounted for over 22 percent. Additional activity targeted weak Telnet credentials, unauthenticated Redis instances, SSH services, and exposed management interfaces. The botnet continuously expands its scanning operations by automatically revisiting networks where previous compromises were identified and rescanning high priority AI related ports every few minutes. Systems that repeatedly reject deployment attempts are automatically added to a blacklist to avoid suspected research environments or honeypots. Researchers also noted that NadMesh uses multiple persistence mechanisms simultaneously, allowing the malware to reinstall itself if only one persistence method is removed. Every malware build is additionally protected using code obfuscation, executable packing, and randomized binary padding, making traditional hash based detection significantly less effective because each compiled sample appears unique.
Researchers recommend that organizations secure exposed administrative services instead of relying solely on software patches. Internet accessible Docker API instances, Jenkins Script Console deployments, Redis servers, Telnet services, and AI platforms should be protected through authentication or removed from direct public access. Particular attention should be given to commonly targeted AI service ports associated with ComfyUI, Ollama, Gradio, and n8n. The report also advises administrators to install security updates for recently disclosed vulnerabilities, including CVE 2026 39987 affecting Marimo notebooks before version 0.23.0 and CVE 2026 41176 affecting vulnerable rclone RC servers configured without HTTP authentication. If indicators of compromise are discovered, including unauthorized SSH keys, suspicious scheduled tasks, or malicious files placed in temporary directories, organizations should immediately isolate affected systems and revoke all exposed credentials, including AWS access keys, Kubernetes service account tokens, application secrets, and container registry credentials before restoring services. Researchers also identified command and control infrastructure associated with the campaign and noted that NadMesh reflects a growing trend in which attackers increasingly target cloud credentials and AI infrastructure instead of focusing only on computing resources.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.