New Go-based P2P RAT/cryptominer targets AI environments via Ollama API exploitation (port 11434). Malware 'vc' uses libp2p for decentralized C2, evades detection with RAM disk storage, process renaming, and UPX obfuscation.

In brief - A sophisticated Go-based malware leverages Ollama API flaws to deploy a P2P RAT and XMRig miner, bypassing traditional defenses with decentralized networking and stealth techniques. AI environments are at risk due to supply chain and API exploitation.

Technically - The 'vc' binary (Go 1.25.7, UPX-packed with fake header) exploits Ollama’s `/api/create` endpoint to fetch `i.sh`, which deploys the payload. It uses libp2p (WebRTC/QUIC/DTLS/UPnP) for resilient P2P C2, stores itself in `/dev/shm/.udev-mesh-node`, and renames processes to `kworker`. Persistence via crontab, local mining proxy (127.0.0.1:41947), and 50% CPU-capped XMRig. Monitor outbound QUIC/WebSocket traffic for anomalies.

Source: https://www.akamai.com/blog/security-research/2026/may/stealthy-p2p-cryptominer-ollama-endpoints

#Cybersecurity #ThreatIntel