New NadMesh Botnet Hunts Revealed AI Services for Cloud Keys and Kubernetes Tokens

Go botnet hit NadMesh appeared in early July hunting exposed AI services, and the user dashboard is looking for 3,811 unique AWS keys.
Shodan Harvester keeps the scan line full of ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio: graphic generators, scene model runners, and workflow builders for teams to get up and running quickly and firewall late.
Intel’s feed behind that counter shows 47 warranties and 41 model inventories in its last 100 records. Those listings have DeepSeek, GLM, and Kimi identifiers marked with :cloud, suggesting that what the bots catalog reaches is more than the box itself.
QiAnXin’s XLab published a report on Friday, naming the malware behind the thread “n4d mesh controller” in its source, and capturing the panel. The figures on it are from a co-worker, photographed on July 10, and do not match.
The counter reads 17,700 total feeds sitting above the 95,700 funnel in the last 24 hours. One tile says 16 active bots; the next one is 12. The minimum confirmation number is the one it says twice. XLab’s own sensors provide an external estimate, and it’s not a bot count: a different source of IPs pushing NadMesh stayed close to zero at the end of June, then became vertical in the first week of July to about 139 per day.
How the bot gets home cloud keys extracted from environment variables, k8s service account tokens, and the contents of ~/.aws/config, .env, and ~/.docker/config.json.
The researchers put it clearly: the operator follows “not the host itself, but the credentials of the cloud, the rights of the Kubernetes cluster” to it. Sample access and callable MCP tools list.
MCP leads the order of priority for exploit controller, in addition to Kubernetes, Docker API, and Redis, and Vector XLab records on its side tools/JSON-RPC call to issue_command. There is no CVE attached to that line, and the report does not require one.
The initial MCP specification places authentication outside the core protocol entirely, and the authentication flow added in March 2025 is still optional in the spec’s own words. Most submissions are skipped. Censys counted 12,520 accessible MCP services across 8,758 IP addresses as of April 28, more than 21,000 on May 6, and about 90 advertise the tool using commands.
For 39 of those, the tool was named execute_command, which is the top call to NadMesh’s table. The botnet’s MCP counters disagree: 12,100 MCP resources listed as exploitable, 21 MCP vulnerabilities in total, and none at all among the 100 intel records on the screen.
And then there’s what XLab watched thrown at it. The company charts the exploit traffic it has seen, and docker_containers_api_rce accounts for 30.31% of it, jenkins_scripttext_rce another 22.28%. Telnet weak passwords take 10.36%, Redis 8.29%.

mcp_cmd_execute is on the chart, so the vector is in XLab’s observed traffic, but it sits in the unlabeled tail below the smallest slice anyone bothers to label, at 0.78%. Chart labels are not the same as controller status strings, so they are XLab’s sensor view of attempts, not the operator’s success ledger.
So AI targeting is real for capture and looting, and most exploit traffic still goes to Docker sockets and Jenkins consoles.
Scanning is automatic. The subnets that produce the most densely resampled hits every five minutes; IPs marked dangerous in the last 24 hours return quarterly as a /32 port scan by AI first; a full sweep drags everything marked as dangerous in the last seven days back to the top.
Any target that takes ten attempts to use without returning an effect is blacklisted as a suspected honeypot. XLab takes that as a sign that the author knows researchers are watching. If the queue runs dry, the bots generate a random /24 and move on.
Five versions of the build work simultaneously, eleven bots in 33.8-GO-TITAN, and stragglers back in 30.0. The canary endpoint includes a new build of the fleet, 5,448 provided responses, and 84,024 missing. The funnel tracks activities down through the feed to live hosts.

The panel’s own footnote says: success is found in the resulting consensus list that clearly excludes Ollama and AWS yields. The operator’s scoreboard does not count what the operator takes.
Removal is designed to fail. An agent insists in three ways at once, so pulling one leaves others to pull it back. Each plot goes through Garble obfuscation, UPX -9 packing, and random paddings, meaning no two agents share a hash. The published hash sample will catch that build and miss the rest.
If You Use Any Of These
Much of what NadMesh throws at is aimed at exposed services and admin functionality left unchecked: open Docker API to 2375, Jenkins script console, unauthorized Redis, weak Telnet, and SSH passwords. There is no patch that covers any of those.
Find them after auth or close the public Internet, starting with four ports the priority scanning operation: 8188 (ComfyUI), 11434 (Ollama), 7860 (Gradio), and 5678 (n8n).
There is also a patch line, and not all of them are old. The chart covers CVE-2026-39987, a pre-authorization RCE in Marimo notebooks before 0.23.0. CISA included it in KEV in April after it was used within hours of its disclosure.
Next to it sits CVE-2026-41176, which allows an unauthenticated caller of flip rc.NoAuth on rclone RC servers from 1.45.0 to 1.73.5 to be launched without HTTP auth. rclone configs cloud credentials. Older entries require your conditions to be checked before you panic: CVE-2022-22947 at 6.48% only bites if the Spring Cloud Gateway Actuator endpoint is enabled and exposed as insecure, and CVE-2017-12611 at 4.15% is a Struts Freemarker tag bug.
Then check out the pull methods:
- ~/.ssh/authorized_keys, no one remembers to add keys
- /dev/shm/.a, /var/tmp/.a, /tmp/.a
- /etc/cron.d/.sys_monitor, /etc/cron.d/.s
If any of these appear, disconnect the host and revoke all the credentials I can see immediately: AWS keys, cluster tokens, .env content, registry logins. Withdrawal is not rotating. Pull the trigger before you remove the replacement, or the new keys will go the way of the old ones.
Then review what the old ones were used for when they were alive. XLab indexes are C2 at 209.99.186[.]235, domain cdorigin[.]net, and one agent sample, SHA1 31c69b3e12936abca770d430066f379ec1d997ec.
Hacker News covered a different operator working on the same target class in April: Censys discovered that farming exposed ComfyUI for GPU mining, Monero, and Conflux, and the Hysteria proxy node for resale. Three months on, NadMesh is sweeping a much wider net, but exposed ComfyUI and Docker on 2375 remain on both target lists.
What changed was the payment: April’s operator wanted a GPU, and NadMesh wanted what the box could fit. Censys ended its MCP calculation by speculating about the worst effect of all those exposed shell tools, a host that shuts down “part of a future botnet or abuse infrastructure.” That was May 27. XLab published the botnet with mcp_cmd_execute in its exploit chart seven weeks later.



