AI gateways are increasingly being targeted as organizations connect generative AI applications to cloud services such as Amazon Bedrock.
These gateways sit between users, business applications, and large language models, making them an attractive entry point into enterprise networks.
Darktrace recently investigated a compromised Amazon Web Services EC2 instance named “LiteLLM-Proxy.” The instance appeared to operate as an AI gateway connected to Amazon Bedrock through an Identity and Access Management role.
After the suspected compromise, the server downloaded XMRig cryptomining malware and repeatedly connected to known mining infrastructure.
AI gateways manage authentication, model routing, logging, policy controls, and access to foundation models. Because they often hold cloud permissions and service credentials, compromising one can expose more than a single server.
Hackers Target AI Gateways
Attackers may gain access to cloud identities, sensitive prompts, AI model services, application workflows, and connected resources.
The Darktrace investigation began on June 12, 2026, when the company detected active cryptomining behavior from the LiteLLM-Proxy EC2 instance. The host had an SSH port exposed to the internet, allowing inbound traffic from any IP address.
Darktrace observed a high volume of short-lived SSH connection attempts, including traffic from the IP address 145.241.123[.]102.

Although investigators could not confirm that an SSH login succeeded, the exposed service and brute-force-like activity made SSH a possible initial access route.
Internet-facing cloud services remain a common target for attackers looking to exploit weak passwords, exposed credentials, vulnerable software, or insecure configurations.
Key Attack Stages
Internet-Exposed SSH Access: The LiteLLM Proxy AI gateway exposed SSH (port 22), enabling possible brute-force attempts.
XMRig Payload Download: The compromised EC2 instance downloaded XMRig cryptomining malware.
Mining Pool Communication: The host connected to a cryptomining pool over HTTPS.
Active Cryptomining: The attackers hijacked cloud resources to mine cryptocurrency (MITRE ATT&CK T1496).
Suspicious IAM Activity: Unusual AWS CLI activity suggested credential misuse or persistence attempts.
Before the mining activity began, the affected instance downloaded approximately MB of data from 185.62.1[.]8 over HTTP. The endpoint appeared to host a ZIP archive containing XMRig, a widely abused open-source cryptocurrency miner.
Shortly afterward, the server started making repeated HTTPS connections to pool. hasvault[.]pro, a domain associated with cryptomining infrastructure.
Using HTTPS over port could make the traffic appear normal when viewed in isolation. However, behavioral monitoring identified the destination, repeated connection pattern, and unusual activity as indicators of resource hijacking.
Darktrace escalated the event after detecting active cryptocurrency mining on the cloud workload. Investigators also identified suspicious IAM activity the next day.
An IAM user accessed AWS services via the AWS Command-Line Interface from a Vietnam-based IP address, which was unusual for the account.
The user attempted actions including GetSendQuota, ListFoundationModels, InvokeModel, and CreateUser. The failed Amazon Bedrock commands may indicate attempted model discovery or unauthorized model access.

The CreateUser attempt also raised concerns about persistence, as attackers often create new cloud accounts to preserve access after stealing credentials.
Darktrace could not conclusively link the IAM activity to the compromised AI gateway. The incident demonstrates that AI infrastructure should be protected like any other critical cloud workload.
| IOC Category | Value |
|---|---|
| Affected Asset | LiteLLM Proxy EC2 Instance |
| Initial Access IP | 145.241.123[.]102 |
| Exposed Service | SSH (Port 22) |
| Payload Hosting IP | 185.62.1[.]8 |
| Malware | XMRig |
| Mining Pool Domain | pool.hasvault[.]pro |
| Suspicious IAM Source IP | 14.176.1[.]47 |
| Suspicious AWS Activity | GetSendQuota, ListFoundationModels, InvokeModel, CreateUser |
| MITRE ATT&CK Techniques | T1133, T1078, T1059, T1136, T1526, T1496 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Organizations should restrict SSH access, avoid long-term access keys, apply least-privilege IAM policies, monitor AI gateway logs, and track unusual outbound network traffic.
As AI gateways centralize access to models and cloud services, they are becoming high-impact targets. Defenders must correlate identity, workload, network, and cloud control-plane activity to detect compromises before attackers expand from cryptomining into broader enterprise operations.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide