A shadowy new botnet named IronErn440 is exploiting a known unfixed vulnerability to hijack Ray clusters and repurpose them as cryptocurrency miners. This security threat targets the open-source framework used for scaling AI and Python workloads. The issue was reported by TechRadar on November 19, 2025.
Cybersecurity researchers have uncovered a new botnet operation targeting Ray clusters, an open-source distributed computing framework popular for AI and machine learning applications. The botnet, dubbed IronErn440, leverages a known but unfixed flaw to gain unauthorized access to these clusters and transform them into a network for cryptocurrency mining.
According to TechRadar, IronErn440 operates stealthily, hijacking resources without immediate detection by users. This exploitation allows the attackers to mine cryptocurrencies using the computational power of compromised Ray setups, potentially leading to significant performance degradation and increased costs for affected organizations.
The vulnerability in question remains unpatched, highlighting ongoing risks in open-source software ecosystems. No specific details on the exact flaw or the scale of infections were provided in the report, but the incident underscores the need for prompt security updates in distributed computing environments.
As of the publication date, November 19, 2025, experts urge Ray users to monitor their clusters and apply any available mitigations to prevent hijacking.