A sharp structural shift has been identified in the botnet landscape. Security researchers at XLab have uncovered NadMesh, a Go-based botnet that has been spreading rapidly since early July 2026.

This malware marks a distinct evolution from opportunistic worm behavior toward an industrial-grade, ROI-driven attack platform aimed squarely at Artificial Intelligence (AI) and Model Context Protocol (MCP) infrastructure.

Unlike traditional worms that spread indiscriminately, NadMesh combines autonomous scanning, over 20 unique exploitation vectors, and Shodan-powered intelligence harvesting into a single closed-loop system its operator refers to as the “n4d mesh controller”.

NadMesh Uses Shodan to Find and Hijack Exposed AI

The most distinctive feature of NadMesh is a dedicated reconnaissance module named ai_harvest.py. This script programmatically queries the Shodan API for exposed AI and automation services, specifically profiling applications such as ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio.

Once exposed services are mapped, the malware automatically injects the discovered IP addresses into its scanning queue at the highest priority tier.

This methodology mirrors a broader threat trend already observed across cloud ecosystems where automated scanners sweep cloud IP ranges for unauthenticated instances vulnerable to remote code execution.

By outsourcing initial reconnaissance tasks to Shodan rather than relying solely on slow, resource-heavy brute-force internet scanning, NadMesh’s operators can immediately zero in on live AI deployments instead of wasting bandwidth on dead address space.

Cybercriminals continuously optimize these infrastructure scanning workflows, reminiscent of multi-stage operations like the EncryptHub campaign that systematically target internal corporate networks.

Comprehensive intelligence detailing conversion funnels, binary compilation patterns, and active infection clusters can be reviewed in the comprehensive NadMesh Botnet Analysis report.

Operator dashboard tracking active bot counts, harvested credentials, and task metrics. (Image Source : xlab)

The botnet’s operation runs through five tightly coordinated stages: intelligence gathering, centralized control, autonomous task supply, polymorphic binary construction, and active delivery. The central controller listens on ports 80 and 8443, utilizing HMAC-authenticated beacons to manage its fleet of compromised bots.

It also exposes an advanced web management panel equipped with conversion-funnel analytics, automated canary updates, and real-time operational visibility—features far more typical of enterprise commercial software than traditional malicious code.

Once an endpoint is infected, bot agents establish redundant persistence layers using SSH authorized-key backdoors, multiple hidden binary duplicates, and cron-based watchdog processes to ensure that removing any single artifact fails to clear the infection.

The malware actively scans 30 distinct ports covering enterprise web services, Kubernetes clusters, database management systems, container APIs, and internal monitoring tools. AI service ports receive strict prioritization during these sweeps, particularly:

  • Port 8188: ComfyUI
  • Port 11434: Ollama
  • Port 5678: n8n
  • Port 7860: Gradio

Its exploitation arsenal spans over 20 vectors, targeting MCP JSON-RPC tool calls, malicious Kubernetes pod creation, Docker API container escapes, unauthenticated Redis instances, Elasticsearch remote code execution (RCE), Jenkins Script Console components, and legacy flaws like WebLogic deserialization.

Chart capturing the percentage distribution of different RCE exploit targets
Chart capturing the percentage distribution of different RCE exploit targets (Image Source : xlab)
Target Attack Surface Primary Exploitation Vector Implicated Severity Risk
MCP Servers JSON-RPC tools/call -> execute_command execution loops High
Kubernetes Malicious pod creation paired with hostPath mount overrides High
Docker API Privileged container creation to facilitate escape sequences High
Redis Infrastructure Unauthenticated CONFIG SET file write operations High
AI Services Shodan-sourced prioritization of ComfyUI, Ollama, n8n, and Gradio High

Beyond establishing an initial access foothold, compromised hosts are thoroughly mined for high-value architectural data.

The malware actively extracts AWS access keys, Amazon Bedrock credentials, Kubernetes ServiceAccount tokens with cluster-admin scopes, local Docker configurations, and comprehensive inventories of locally hosted AI models (including Llama2, Mistral, and active GPT-4 API tokens). It also harvests access configurations for exploitable internal MCP tools like execute_sql and execute_shell.

All recovered data is funneled back to a central dashboard that tracks aggregate certificate counts, active MCP vulnerabilities, and escapable Docker hosts—threat intelligence that proves far more lucrative to the operator than the compromised compute resources themselves.

Architecture schema mapping
Architecture schema mapping (Image Source : xlab)

To evade signature-based detection mechanisms, NadMesh applies Garble obfuscation and UPX compression, ensuring that every dynamically deployed binary carries a completely unique cryptographic hash.

Furthermore, it features an automated honeypot-avoidance mechanism that blacklists any IP address that fails to yield successful infection results after ten consecutive deployment attempts.

Administrators running active machine learning pipelines must continually deploy modern cyber attack simulation tools to evaluate their models’ exposure to these automated architectural pivots.

Indicators of Compromise (IOCs)

  • Command and Control (C2) IP Node: 209.99.186.235
  • C2 Content Delivery Network Domain: cdnorigin.net