Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Older entries need their conditions checked before you panic: CVE-2022-22947 at 6.48% only bites if the Spring Cloud Gateway Actuator endpoint is enabled and exposed unsecured. | A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.
...and CVE-2017-12611 at 4.15% is the Struts Freemarker tag flaw. | A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.
The chart includes CVE-2026-39987, the pre-auth RCE in Marimo notebooks before 0.23.0. CISA put it on KEV in April after it was exploited within hours of disclosure. | A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.
Next to it sits CVE-2026-41176, which lets an unauthenticated caller flip rc.NoAuth on rclone RC servers from 1.45.0 up to 1.73.5 that were started without HTTP auth. rclone configs are cloud credentials. | A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.
WebLogic Deserialization RCE Medium CVE-2016-0638 and others | Because its controller calls itself n4d mesh controller in the source, we named it NadMesh. NadMesh is not a one-off worm outbreak. It is a continuously iterated, autonomous botnet aimed squarely at AI infrastructure and the MCP ecosystem.
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Then check the drop paths: ~/.ssh/authorized_keys... /etc/cron.d/.sys_monitor, /etc/cron.d/.s
hidden cron watchdogs (/etc/cron.d/.sys_monitor, /etc/cron.d/.s). Remove any one and the others bring it back.
Then check the drop paths: ~/.ssh/authorized_keys... /etc/cron.d/.sys_monitor, /etc/cron.d/.s
hidden cron watchdogs (/etc/cron.d/.sys_monitor, /etc/cron.d/.s). Remove any one and the others bring it back.
Every build goes through Garble obfuscation, UPX -9 packing, and random padding, which means no two agents share a hash.
Garble symbol/literal obfuscation, UPX-9 packing, and random padding
Serves the initial infection shell script ... /cdn/<binaryToken>/assets/img.bin open Binary distribution disguised as a static asset ... spoofed nginx headers
The agent simultaneously performs ... internal network scanning ... internal_ranges: ["10.0.0.0/8", "172.16.0.0/12"]
A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio... Subnets that produce hits get resampled more densely every five minutes... If the queue runs dry, bots generate a random /24 and keep going.
metadata.profile: hostname, os, arch, kernel ... services ... in_container
SSH/Telnet Weak credential brute force ... ssh_deploy ... SSH public-key backdoor (.ssh/authorized_keys)
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Go-based botnet targeting exposed AI services and admin interfaces to steal cloud credentials, Kubernetes privileges, model access, and callable MCP tools. It scans for services such as ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio, and also exploits exposed Docker API, Jenkins script console, Redis, Telnet, SSH, and MCP command-execution functionality. It persists through multiple mechanisms and uses Garble obfuscation and UPX packing to vary agent hashes.
A Go-based autonomous botnet that combines internet-scale scanning, exploitation across 20+ vectors, credential and AI-service intelligence harvesting, polymorphic builds, and redundant persistence. It targets exposed AI infrastructure and MCP-related services, steals cloud and environment credentials, establishes SSH and cron-based persistence, and propagates laterally via controller-directed and peer-assisted scanning.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.