Executive Summary
The newly discovered Cloud AI Infrastructure (CAI) attack framework utilizes LLM-assisted code generation to compromise exposed Docker APIs, Kubernetes nodes, and Redis servers, actively evicting competitor botnets.

A sophisticated, highly territorial cloud-native threat has emerged, targeting unsecured developer and deployment tools across public cloud environments. Officially cataloged as the Cloud AI Infrastructure Attack Framework (CAI), this new worm utilizes LLM-assisted code generation to dynamically compile payloads and exploit exposed APIs. Once inside, the worm steals cloud provider credentials, deploys cryptocurrency mining software, and actively evicts rival botnets—including the prominent PCPJack and TeamPCP malware—to monopolize server resources.

CAI Cloud Worm LLM-Assisted Threat Banner

The Evolution of the Cloud Malware Turf War

Cloud-native resources (specifically exposed developer endpoints, staging clusters, and unpatched dashboard interfaces) have long been prime targets for automated scanners looking to hijack compute capacity. Traditionally, compromise resulted in the deployment of basic Monero miners or static remote access trojans (RATs).

However, as cloud infrastructure expanded to support machine learning frameworks, AI agent sandboxes, and vector databases, malware groups evolved. Hacking collectives began deploying "territorial" malware designed to scan infected systems for competitor files, kill competing processes, and secure the compromised environment for their own use.

The CAI framework represents the latest step in this turf war. Unlike basic script-kiddie tools, CAI is a modular attack suite that dynamically adjusts its payload based on the targeted server's environment. Security analysts tracking the campaign have observed a significant rise in compromised staging instances running Docker daemon sockets, Redis databases, Kubernetes Kubelets, and exposed Ray dashboards.

Anatomy of the CAI Cloud Worm Attack

The CAI worm executes a multi-stage attack lifecycle designed to achieve remote code execution (RCE), harvest credentials, deploy miners, and secure system resources:

1. Target Scanning & RCE Exploitation

The worm continually scans the public internet and local network subnets for exposed management ports:

  • Docker API: TCP port 2375 (unauthenticated daemon access).
  • Kubernetes Kubelet/etcd: TCP ports 10250 and 2379.
  • Redis: TCP port 6379 (exposed without passwords).
  • Ray Dashboard: TCP port 8265 (frequently left open on AI training nodes).

Upon discovering an exposed port, CAI sends a targeted exploit payload to achieve initial execution in a high-privilege container.

2. LLM-Assisted Dynamic Payload Compiling

Once initial execution is achieved, CAI runs a localized reconnaissance script. This script gathers details about the host's operating system, kernel version, CPU architecture, and active security agents.

Rather than downloading a static binary from a repository—which would trigger automated signature detection rules—the worm contacts its command-and-control (C2) server. Security researchers have found that the C2 server uses an integrated LLM backend to dynamically write and compile a custom shellcode binary optimized for the target host's specific configuration. This LLM-assisted malware generation allows the worm to evade traditional file-signature-based antivirus scanners.

3. Competitor Eviction (The Turf War)

After establishing persistence, CAI initiates a cleanup routine. The worm scans the host's active process list, network connections, and cron jobs for known competitor signatures, specifically targeting files associated with TeamPCP and the PCPJack toolset.

Any rival mining scripts are terminated, their configurations deleted, and the ports they used are bound to local loopback addresses to prevent reinfection.

4. Cryptomining and Credential Harvesting

With the host cleared of rivals, CAI deploys a resource-constrained Monero (XMR) miner. Unlike older malware that immediately consumed 100% of CPU capacity—triggering cloud provider alerts—CAI dynamically limits its CPU utilization (typically to 45–60%), allowing it to run undetected in the background for longer periods.

Simultaneously, the worm harvests credentials from the host, looking for:

  • AWS, Azure, and Google Cloud CLI configuration files (~/.aws/credentials).
  • Git configuration files and SSH keys.
  • Environment variables containing API keys, database passwords, or Web3 wallet private keys.

These credentials are encrypted and exfiltrated to the C2 server, providing the attackers with access to the victim's broader cloud organization.

CAI Worm Attack Execution Pipeline

CAI Worm vs. PCPJack vs. TeamPCP

The turf war highlights the key differences between these competing malware families:

CapabilityTeamPCPPCPJackCAI Cloud Worm
Target VectorUnsecured databasesExposed Docker APIsDocker, Kubernetes, Redis, Ray
Primary PayloadMonero CryptominerCredential harvesterCryptominer + Credential thief
AI IntegrationNone (Static shell scripts)NoneLLM-assisted shellcode compiler
CPU Consumption100% (High visibility)None (Low visibility)45-60% (Dynamic throttle)
Competitor EvictionMinimalEvicts TeamPCPPurges both PCPJack and TeamPCP

While the original PCPJack campaign focused entirely on credential harvesting without deploying cryptominers, the CAI worm combines both tactics. It uses automated competitor eviction to secure the host's CPU cycles for mining, while exfiltrating credentials to fund future infrastructure attacks.

Malware Turf War Capability Comparison Matrix

Mitigation Guidelines for Platform Engineering Teams

To protect cloud infrastructure from the CAI worm and related botnets, engineering teams should implement the following security measures:

Disable Public Ports: Ensure that Docker APIs (2375), Redis endpoints (6379), Kubernetes etcd (2379), and Ray dashboards (8265) are not exposed to the public internet. Use Virtual Private Clouds (VPCs), security groups, and local firewalls to restrict access to trusted internal IP ranges.

Audit Staging and Sandbox Instances: The rise of autonomous developer environments and sandbox runtimes (such as Windsurf and Devin Desktop platforms) often leads to staging instances being spun up with loose security configurations. Audit these instances regularly to ensure they follow corporate security baselines.

Implement Runtime Threat Detection: Deploy agent-based runtime protection (like Sysdig Falco or AWS GuardDuty) on Kubernetes nodes and container hosts. Look for alerts signaling:

  • Unexpected shell executions inside containers.
  • Outbound connections to known cryptomining pools.
  • Cryptomining signatures (such as Sysdig’s JadePuffer analysis, discussed in the JadePuffer ransomware threat report).

Rotate Cloud Credentials regularly: Use IAM roles, temporary service account tokens, and automated secrets rotation to limit the utility of exfiltrated credentials. If AWS config files are leaked, immediately invalidate the associated access keys.


Sources: The Register Cyber Crime Exclusive · Cybersecurity Threat Reports July 2026


## Frequently Asked Questions
What is the CAI cloud worm? The Cloud AI Infrastructure (CAI) attack framework is a sophisticated, LLM-assisted cloud worm that targets exposed container APIs, databases, and AI developer tools to harvest credentials and mine cryptocurrency.
Which systems are targeted by the CAI worm? The worm targets exposed Docker APIs (port 2375), Kubernetes Kubelet/etcd (ports 10250/2379), Redis databases (port 6379), and Ray Dashboards (port 8265).
How does the LLM-assisted compilation work? After scanning a victim host, the worm sends host environment details to a command-and-control server. The server uses an integrated LLM backend to dynamically write and compile a custom binary optimized for that specific host, evading signature-based antivirus scanners.
How does CAI deal with rival malware? The CAI worm is territorial. It scans the process list of infected hosts for rival tools like PCPJack and TeamPCP, terminates their scripts, deletes their configs, and binds their target ports to local addresses to prevent reinfection.
What are the best defense practices against CAI? Organizations should block public access to database and container ports, run container runtime threat detection, audit temporary developer sandboxes, and enforce IAM credential rotation.
Vatsal Shah

Vatsal Shah

Technical Project Manager & Solution Architect

I write code, ship agentic systems, and advise boards from India and global HQ — 15+ years across BFSI, GCC, and Fortune-scale cloud programs. If you need architecture that survives audit, start here.

View credentials →