NadMesh Botnet Is Quietly Raiding Unprotected AI Servers for Cloud Keys

A new Go-based botnet is scanning the internet for popular AI tools left exposed online, and its own dashboard brags about nearly 4,000 stolen Amazon cloud keys.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a dimly lit server rack in a data centre, one panel glowing with a soft green status light, faint blue
Share

Key points

  • A new botnet called NadMesh appeared in early July 2025 and specifically hunts for exposed artificial intelligence services on the public internet.
  • The operator's own dashboard claims 3,811 unique Amazon Web Services access keys collected so far.
  • NadMesh targets six popular AI tools that teams often set up quickly and forget to lock down: ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio.
  • The botnet uses Shodan, a search engine that indexes internet-connected devices, to keep finding fresh targets.

There is a new botnet crawling the internet, and it is picking on a very specific victim: the AI server your team spun up last month and forgot about.

It is called NadMesh. It is written in Go, a programming language popular with modern malware authors because it compiles into fast, portable files. It surfaced in early July 2025, first reported by The Hacker News.

A botnet, for readers who have not met one before, is a network of hacked machines that a single operator controls remotely. Think of it as a rented army of other people's computers.

What makes NadMesh interesting is what it hunts.

What is NadMesh actually looking for?

It is looking for AI tools that companies put on the internet without a password, or with a weak one. The operator uses Shodan, which is basically Google for internet-connected servers, to keep a rolling list of targets.

The shopping list is specific. NadMesh scans for ComfyUI and Gradio, which are interfaces used to run image generators and machine-learning demos. It scans for Ollama and Open WebUI, which let teams run large language models on their own hardware. It also scans for n8n and Langflow, which are workflow builders that string AI services together with other business tools.

All six are the sort of software that a data scientist or a curious engineer installs in an afternoon. They are powerful. They are also frequently left wide open, because the person who set them up assumed nobody would find the server.

Somebody found the server.

Why do the hackers want AI servers?

Because of what is stored on them. These tools often hold API keys, which are like digital passwords that let software talk to cloud services on your behalf.

NadMesh's own control panel, which researchers were able to peek at, claims 3,811 unique AWS access keys harvested. AWS is Amazon Web Services, the cloud platform a huge chunk of the internet runs on. A stolen AWS key can be used to spin up expensive servers on the victim's bill, usually to mine cryptocurrency, or to quietly copy data out of the victim's cloud storage.

The botnet also grabs Kubernetes tokens. Kubernetes is the software that orchestrates cloud applications at scale, and its tokens are the equivalent of handing someone the keys to the whole server farm.

So this is not really a novel AI attack. Strip away the branding and it is credential theft, the same web-security primitive that has been draining cloud accounts for a decade. The twist is that AI tools have become the softest target, because they get deployed by teams who are focused on the model, not the firewall.

What should you do if your company runs any of these tools?

Check whether any of them are reachable from the open internet. If they are, put them behind a login, a VPN, or your company's single sign-on system today.

Rotate any API keys or tokens stored inside those tools. Assume that if the service was exposed for any length of time, the credentials on it are burned.

Ordinary customers do not need to do anything specific here. But if you use a product from a small company that leans heavily on AI, and you start seeing strange charges or account activity, this is one of the reasons why.

© 2026 Threat Vectr