(akamai.com) Sophisticated Go-Based P2P RAT and Cryptominer Targets AI Environments via Ollama API Exploitation
New Go-based P2P RAT/cryptominer targets AI environments via Ollama API exploitation (port 11434). Malware 'vc' uses libp2p for decentralized C2, evades detection with RAM disk storage, process renaming, and UPX obfuscation.
In brief - A sophisticated Go-based malware leverages Ollama API flaws to deploy a P2P RAT and XMRig miner, bypassing traditional defenses with decentralized networking and stealth techniques. AI environments are at risk due to supply chain and API exploitation.
Technically - The 'vc' binary (Go 1.25.7, UPX-packed with a fake header) exploits Ollama's `/api/create` endpoint to fetch `i.sh`, which deploys the payload. It uses libp2p (WebRTC/QUIC/DTLS/UPnP) for resilient P2P C2, stores itself in `/dev/shm/.udev-mesh-node`, and renames its processes to `kworker`. It persists via crontab, runs a local mining proxy on 127.0.0.1:41947, and caps XMRig at 50% CPU. Monitor outbound QUIC/WebSocket traffic for anomalies.
Source: https://www.akamai.com/blog/security-research/2026/may/stealthy-p2p-cryptominer-ollama-endpoints
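A host-side triage check for the indicators the summary lists (fake `kworker` processes, execution from `/dev/shm`, the 127.0.0.1:41947 proxy port, an Ollama listener on port 11434 bound to a non-loopback address, and crontab persistence). This is an added example, not code from Akamai or from the malware; the `ps`/`ss`/crontab sample text below is constructed for illustration, and the rule names are my own.

```python
import re
from typing import Dict, List

# Constructed sample host data (not a real capture), shaped like the output of
# `ps -eo pid,ppid,comm,args`, `ss -ltnp`, and `crontab -l`.
PS_SAMPLE = """\
    2       0 kthreadd        [kthreadd]
   17       2 kworker/0:1     [kworker/0:1]
 4242    1881 kworker         /dev/shm/.udev-mesh-node
 1881       1 ollama          /usr/local/bin/ollama serve
"""
SS_SAMPLE = """\
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:* users:(("ollama",pid=1881,fd=3))
LISTEN 0 4096 127.0.0.1:41947 0.0.0.0:* users:(("kworker",pid=4242,fd=7))
"""
CRON_SAMPLE = "@reboot /dev/shm/.udev-mesh-node >/dev/null 2>&1\n"


def scan(ps_text: str, ss_text: str, cron_text: str) -> List[Dict[str, str]]:
    """Return one finding per matched indicator; an empty list means clean."""
    findings: List[Dict[str, str]] = []
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = parts
        # Genuine kworker threads are kernel threads: parented by kthreadd
        # (PID 2) and shown in brackets. A 'kworker' with a real path is a
        # userland process that renamed itself.
        if comm.startswith("kworker") and (ppid != "2" or not args.startswith("[")):
            findings.append({"rule": "fake-kworker", "pid": pid, "detail": args})
        if "/dev/shm/" in args:  # binary staged on the RAM disk
            findings.append({"rule": "exec-from-shm", "pid": pid, "detail": args})
    for line in ss_text.splitlines():
        m = re.search(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)", line)
        if not m:
            continue
        addr, port = m.groups()
        if port == "11434" and addr not in ("127.0.0.1", "[::1]"):
            findings.append({"rule": "ollama-exposed", "pid": "", "detail": f"{addr}:{port}"})
        if addr == "127.0.0.1" and port == "41947":
            findings.append({"rule": "mining-proxy-port", "pid": "", "detail": line})
    for line in cron_text.splitlines():
        if "/dev/shm/" in line or ".udev-mesh-node" in line:
            findings.append({"rule": "cron-persistence", "pid": "", "detail": line})
    return findings


if __name__ == "__main__":
    for f in scan(PS_SAMPLE, SS_SAMPLE, CRON_SAMPLE):
        print(f"[{f['rule']}] pid={f['pid'] or '-'} {f['detail']}")
```

On a live host, feed it the real command output instead of the samples; the `kworker` heuristic is a parent/bracket check, not a signature, so review hits rather than acting on them automatically.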