Saved February 14, 2026
Do you care about this?
Oligo Security has disclosed an ongoing global campaign, ShadowRay 2.0, in which attackers exploit an unauthenticated remote code execution flaw in the Ray AI framework to turn exposed clusters into a self-propagating botnet. The group behind it, tracked as IronErn440, uses AI-generated payloads and competes with rival criminal crews for the same compromised compute. More than 230,000 Ray servers are currently reachable from the internet and therefore within reach of this campaign.
If you do, here's more
Oligo Security has identified an active global campaign, ShadowRay 2.0, that exploits CVE-2023-48022 in the open-source Ray AI framework. The flaw is the Ray dashboard's Jobs API, which accepts job submissions from any client that can reach it without authentication, so anyone who can reach the port can run arbitrary code on the head node and from there take over the whole cluster. The compromised clusters are joined into a self-replicating botnet. The current wave began around early November 2025; after Oligo reported the hosting repositories, the operators moved their payload staging from GitLab to GitHub and now rotate through multiple GitHub accounts and repositories. Their activity includes cryptojacking and launching DDoS attacks from the hijacked clusters.
What sets this campaign apart is the operators' use of AI. Payloads are generated with large language models and adjusted over time to squeeze as much compute as possible out of each cluster while staying under the radar: the miners are throttled to roughly 60% CPU so they do not trip the utilisation alerts a pegged core would, and the malicious processes are renamed to look like legitimate services. Compromised Ray clusters have been found on several continents, and artefacts suggest the operation may date back to September 2024. More than 230,000 Ray servers are now exposed to the internet, up sharply from the few thousand Oligo counted when it first published the vulnerability.
The campaign is a direct evolution of the original ShadowRay attacks reported in March 2024, which also targeted exposed Ray servers for cryptomining and data theft. Ray's maintainers have disputed the CVE on the grounds that the dashboard is designed for trusted networks only, so there is no patch: the fix is to keep the dashboard and Jobs API off the internet and behind authentication, and the project's documentation and deployment guidance say as much. Many operators have not done so, and the continued growth of the exposed population is the reason this campaign keeps finding victims. It highlights a systemic problem with how AI frameworks are deployed and the need to treat them with the same rigour as any other remotely reachable service.
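The practical check that follows from the two paragraphs above is whether your own Ray head nodes answer on the dashboard port without authentication. The script below is an added example, not code from Oligo or from the Ray project. It reads only: it fetches Ray's dashboard HTTP API endpoints `/api/version` and `/api/jobs/` (which Ray exposes on port 8265 by default) and classifies a host as `exposed` when the Jobs API lists jobs to an unauthenticated client, which is exactly the condition CVE-2023-48022 turns into remote code execution. The host addresses and the canned responses in `SAMPLE_RESPONSES` are constructed so the example runs offline; swap in `http_fetch` to probe hosts you are authorised to test.

```python
"""Check Ray head nodes for an unauthenticated dashboard / Jobs API.

Added example, not part of the Oligo report or the Ray project. Endpoint paths
follow Ray's dashboard HTTP API; the hosts and canned responses are constructed.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_DASHBOARD_PORT = 8265  # Ray's dashboard default listen port

Fetcher = Callable[[str], Tuple[Optional[int], bytes]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[Optional[int], bytes]:
    """Real transport: GET url, return (status, body); status None = no HTTP answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "ray-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def assess_ray_exposure(base_url: str, fetch: Fetcher = http_fetch) -> Dict:
    """Classify one dashboard as unreachable / protected / not_ray / dashboard_open / exposed.

    Ray ships no authentication on the dashboard. A 200 JSON document carrying
    "ray_version" on /api/version confirms a Ray dashboard; a 200 JSON list on
    /api/jobs/ means the Jobs API (the CVE-2023-48022 surface) accepts
    unauthenticated clients, so whoever reaches the port can submit a job.
    """
    base = base_url.rstrip("/")
    result = {"target": base, "ray_version": None, "jobs_api_open": False,
              "verdict": "unreachable"}

    status, body = fetch(base + "/api/version")
    if status is None:
        return result
    if status in (401, 403):
        result["verdict"] = "protected"  # a proxy or gateway enforces auth
        return result
    try:
        doc = json.loads(body) if status == 200 else {}
    except ValueError:
        doc = {}
    if not isinstance(doc, dict) or "ray_version" not in doc:
        result["verdict"] = "not_ray"
        return result
    result["ray_version"] = doc["ray_version"]

    status, body = fetch(base + "/api/jobs/")
    if status == 200:
        try:
            result["jobs_api_open"] = isinstance(json.loads(body), list)
        except ValueError:
            pass
    result["verdict"] = "exposed" if result["jobs_api_open"] else "dashboard_open"
    return result


def scan(hosts: List[str], fetch: Fetcher = http_fetch,
         port: int = DEFAULT_DASHBOARD_PORT) -> List[Dict]:
    """Assess every host on the dashboard port."""
    return [assess_ray_exposure(f"http://{h}:{port}", fetch) for h in hosts]


def make_fake_fetch(responses: Dict[str, Tuple[Optional[int], bytes]]) -> Fetcher:
    """Constructed transport for offline runs: URL -> (status, body)."""
    return lambda url: responses.get(url, (None, b""))


# Constructed sample: one open head node, one behind an auth proxy, one dead host.
SAMPLE_RESPONSES = {
    "http://10.0.0.5:8265/api/version":
        (200, b'{"version":"1","ray_version":"2.9.0","ray_commit":"deadbeef"}'),
    "http://10.0.0.5:8265/api/jobs/":
        (200, b'[{"job_id":"01000000","status":"RUNNING","entrypoint":"python train.py"}]'),
    "http://10.0.0.6:8265/api/version": (401, b"Unauthorized"),
}

if __name__ == "__main__":
    for r in scan(["10.0.0.5", "10.0.0.6", "10.0.0.7"], make_fake_fetch(SAMPLE_RESPONSES)):
        print(r["target"], r["verdict"], r["ray_version"])
```

Anything reported as `exposed` or `dashboard_open` should be moved behind a network boundary or an authenticating reverse proxy; an `exposed` verdict on an internet-facing address is the precondition for everything the campaign above does.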