VYPR
researchPublished Jul 17, 2026· 1 source

NadMesh Botnet Exploits Exposed AI Services for Cloud Credentials

A new Go-based botnet named NadMesh is actively scanning the internet for and exploiting publicly accessible AI services to steal cloud API keys and Kubernetes tokens.

A burgeoning Go botnet, identified as NadMesh, has emerged in early July, specifically targeting exposed AI services such as ComfyUI, Ollama, and Gradio. The botnet's primary objective is to harvest sensitive cloud API keys and Kubernetes tokens, with its operator's dashboard boasting the capture of over 3,800 AWS keys. This operation highlights a growing trend of attackers exploiting the common practice of rapidly deploying AI tools without adequate security measures.

NadMesh employs a Shodan harvester to continuously populate its scan queue with vulnerable AI platforms. These include popular tools for image generation, local model execution, and workflow management, which are often set up quickly and secured later. The botnet's intelligence feed reveals a significant number of credential hauls and model inventories, suggesting its reach extends beyond the compromised host to cloud-based resources.

Researchers at QiAnXin's XLab published a report detailing NadMesh, attributing its name to a "n4d mesh controller" string found in its source code. The report includes screenshots of the operator's dashboard, which displays conflicting figures regarding the number of deployed bots and captured credentials, indicating potential inconsistencies or misrepresentations by the operator. Despite these discrepancies, the core functionality of credential theft remains evident.

The malware's payload focuses on extracting cloud credentials from environment variables, Kubernetes service account tokens, and configuration files like ~/.aws/config, .env, and ~/.docker/config.json. The researchers emphasize that the operator's main interest lies not in the host itself, but in the cloud credentials and Kubernetes privileges associated with it, along with access to AI models and callable tools.

NadMesh prioritizes exploiting Model Context Protocol (MCP) tools above other targets like Kubernetes, Docker API, and Redis. While no specific CVE is attached to the MCP exploitation vector, the report notes that MCP's authorization flow, added in March 2025, is still optional in many deployments. This leaves numerous MCP services vulnerable to exploitation, with some actively advertising tools capable of executing commands.

While the botnet's intake and loot are AI-centric, observed exploit traffic also shows significant activity targeting Docker sockets and Jenkins consoles. The scanning mechanism is highly adaptive, with subnets yielding hits being resampled more densely, and IPs flagged as dangerous being rescanned frequently. Targets that fail to respond after multiple attempts are automatically blacklisted as potential honeypots, suggesting a sophisticated and evolving operational methodology.

Removal of the NadMesh agent is designed to be difficult, with persistence mechanisms implemented across multiple layers. Each build is obfuscated using Garble and packed with UPX, ensuring that no two agents share the same hash, making detection and removal challenging. The operator's success metrics, notably excluding the harvesting of Ollama and AWS credentials, further complicate the understanding of the botnet's ultimate goals.

Security recommendations for mitigating NadMesh involve securing exposed services by implementing authentication or removing them from public access. This includes focusing on ports commonly used by AI tools like ComfyUI, Ollama, Gradio, and n8n. Additionally, organizations should be vigilant for indicators of compromise, such as unauthorized SSH keys or suspicious files in temporary directories, and immediately revoke any compromised credentials.

Synthesized by Vypr AI