MITRE ATT&CK® Campaign

C0045: ShadowRay

ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers, ShadowRay was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.[1]

Enterprise | C0045 | Campaign | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

ShadowRay matters because it ties AI infrastructure exposure to ordinary enterprise intrusion outcomes: access to compute resources, sensitive data, credentials, persistence, tool transfer, and compute hijacking. For leaders, the key issue is not only the named CVE, but whether AI/ML services such as Ray are treated as production attack surface with network controls, asset ownership, logging, and incident response playbooks.

Executive priority

Prioritize an inventory and exposure review for Ray AI framework deployments and other AI workload infrastructure, especially where systems may be reachable outside a strictly controlled network. The ATT&CK entry notes CVE-2023-48022 remains unpatched and is vendor-disputed, so risk decisions should focus on compensating controls, segmentation, access governance, monitoring, and documented acceptance of residual risk. This campaign is relevant to business continuity because related behavior includes compute hijacking, credential access, privilege escalation, and persistence, all of which can affect availability, cost, data protection, and audit evidence.

Technical view

SOC, IR, cloud, and platform teams should validate whether Ray instances exist, where they are exposed, and whether telemetry covers the related ATT&CK behaviors: exploitation of public-facing applications, Python execution, network configuration discovery, tool ingress, encoded or encrypted files, privilege escalation, Unix shell configuration modification, access to /etc/passwd or /etc/shadow, and compute hijacking. Because the campaign object provides no official detection text and no campaign-level platform field, detection engineering should be driven by local Ray deployment architecture and the related technique context rather than assuming a single universal analytic.

Likely telemetry

  • Internet-facing asset inventory and vulnerability/exposure management records for Ray AI framework instances and AI workload infrastructure
  • Network flow, firewall, proxy, and load balancer logs showing external access to AI services
  • Host process execution logs, especially Python interpreter activity and command-line context
  • Linux authentication, sudo, file access, and shell history or audit logs where available
  • File integrity or endpoint telemetry for Unix shell configuration files and sensitive account files such as /etc/passwd and /etc/shadow

Detection direction

  • Start with exposure-based detection: identify Ray services reachable from untrusted networks and correlate access with process execution, file transfer, and resource usage anomalies.
  • Tune for related behaviors rather than only CVE strings: Python execution from service contexts, access to credential stores, shell profile modification, and unexpected network discovery commands can be more durable indicators.
  • Treat compute hijacking as both a security and operations signal: unusual CPU/GPU utilization, new long-running jobs, and unexplained cloud cost changes should be triaged with security context.
  • Account for false positives in research, education, biopharma, cryptocurrency, and AI engineering environments where Python, high compute usage, and frequent tool downloads may be normal; require baselines by workload and owner.
  • Because no official ATT&CK detection guidance is supplied, validate detections through local logs, controlled testing, and incident review rather than assuming ATT&CK coverage equals operational visibility.
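
The behavior-based tuning described above can be sketched as a small triage routine. This is an added example, not Glexia or MITRE code: the process-name prefixes used to recognize the Ray service context, the event fields, and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: process-name prefixes that mean "spawned by the Ray service".
# Not taken from the page; adjust to the local deployment.
SERVICE_PARENTS = ("raylet", "ray::")

# Behaviours from the campaign's technique table, as command-line patterns.
RULES = {
    "T1003.008": re.compile(r"/etc/(shadow|passwd)\b"),
    "T1059.006": re.compile(r"\bimport\s+pty\b|\bpty\.spawn\b"),
    "T1027.013": re.compile(r"b64decode|\bbase64\s+(-d|--decode)\b"),
    "T1546.004": re.compile(r">>?\s*\S*\.(bashrc|bash_profile|profile)\b"),
    "T1105": re.compile(r"\b(curl|wget)\b.*\bhttps?://", re.I),
    "T1496.001": re.compile(r"\bxmrig\b", re.I),
}

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "gpu-node-1", "parent": "ray::IDLE", "cmdline": "cat /etc/shadow"},
    {"host": "gpu-node-1", "parent": "ray::IDLE",
     "cmdline": "python3 -c 'import base64; ... b64decode(...)'"},
    {"host": "gpu-node-1", "parent": "raylet", "cmdline": "./xmrig -c c.json"},
    {"host": "lab-ws-7", "parent": "bash",
     "cmdline": "python3 -c 'import base64; print(base64.b64decode(...))'"},
    {"host": "gpu-node-2", "parent": "ray::train", "cmdline": "python3 train.py"},
]


def triage(events):
    """Return {host: sorted technique IDs}, service-context matches only."""
    hits = defaultdict(set)
    for ev in events:
        if not ev["parent"].startswith(SERVICE_PARENTS):
            continue  # interactive use is baselined per workload and owner
        for technique, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits[ev["host"]].add(technique)
    return {host: sorted(found) for host, found in hits.items()}


def priority(techniques):
    """Several distinct behaviours on one host outrank any single match."""
    return "high" if len(techniques) >= 3 else "review"


if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, priority(found), found)
```

The Base64 decode typed in an interactive shell on `lab-ws-7` is ignored, while the same pattern under a Ray worker on `gpu-node-1` contributes to a multi-technique finding, which is the baseline-by-context behavior the bullets call for.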

Mitigation priorities

  • Inventory Ray AI framework deployments and confirm owners, business purpose, network exposure, and data sensitivity.
  • Restrict AI workload services to controlled networks and authorized identities; do not rely on an unpatched or disputed vulnerability being resolved by patching alone.
  • Apply compensating controls: segmentation, least privilege, strong authentication paths, egress control, and monitoring around AI compute environments.
  • Harden Linux and cloud hosts supporting AI workloads by limiting service privileges, monitoring sensitive file access, and controlling shell startup file changes.
  • Prepare IR playbooks for exposed AI infrastructure that include credential review, compute abuse investigation, tool-transfer scoping, and cost/availability impact assessment.

Analyst notes and limits

The supplied ATT&CK campaign description states ShadowRay began in late 2023 and targeted education, cryptocurrency, biopharma, and other sectors through CVE-2023-48022 in the Ray AI framework. Relationship context links the campaign to initial access, execution, discovery, credential access, privilege escalation, persistence, command and control, resource development, defense evasion, and impact techniques. This makes the object most useful as a validation prompt for AI infrastructure governance and monitoring rather than as a complete detection package.

ATT&CK provides no official detection text, no campaign-level platforms, and only one external research reference in the supplied data. Local asset inventory, Ray architecture, network exposure, identity model, and telemetry quality are required to determine actual risk and coverage. The vendor dispute and unpatched status should be handled as risk-management context, not as proof that every deployment is exploitable or exposed.

Official MITRE ATT&CK definition

ShadowRay

ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers, ShadowRay was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | During ShadowRay, threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | During ShadowRay, threat actors used Base64-encrypted Python code to evade detection.[1] |
| Enterprise | T1003.008 | /etc/passwd and /etc/shadow (sub-technique) | During ShadowRay, threat actors used `cat /etc/shadow` to steal password hashes.[1] |
| Enterprise | T1546.004 | Unix Shell Configuration Modification (sub-technique) | During ShadowRay, threat actors executed commands on interactive and reverse shells.[1] |
| Enterprise | T1588.002 | Tool (sub-technique) | During ShadowRay, threat actors used tools including the XMRig miner and Interactsh.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During ShadowRay, threat actors downloaded and executed the XMRig miner on targeted hosts.[1] |
| Enterprise | T1059.006 | Python (sub-technique) | During ShadowRay, threat actors used the Python `pty` module to open reverse shells.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During ShadowRay, threat actors invoked DNS queries from targeted machines to identify their IP addresses.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | During ShadowRay, threat actors downloaded a privilege escalation payload to gain root access.[1] |
| Enterprise | T1496.001 | Compute Hijacking (sub-technique) | During ShadowRay, threat actors leveraged graphics processing units (GPU) on compromised nodes for cryptocurrency mining.[1] |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: dbc482902ccfa428...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dbc482902ccf… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Oligo ShadowRay Campaign MAR 2024: Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.
  2. [2] mitre-attack C0045

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.