Flodrix botnet targets vulnerable Langflow servers

Pierluigi Paganini June 18, 2025

Attackers exploit CVE-2025-3248 in Langflow servers to deliver Flodrix botnet via downloader scripts, Trend Research reports.

Trend Research uncovered an ongoing campaign exploiting the vulnerability CVE-2025-3248 to deliver the Flodrix botnet. Attackers exploit the flaw to run scripts on Langflow servers, downloading and installing Flodrix malware.

“If the vulnerability is successfully exploited, threat actors behind the Flodrix botnet can cause full system compromise, DDoS attacks, and potential loss or exposure of sensitive information hosted on affected Langflow servers.” reads the report published by Trend Research.

In May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Langflow flaw CVE-2025-3248 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

Langflow is a popular tool used for building agentic AI workflows. 

CVE-2025-3248 is a code injection vulnerability in the /api/v1/validate/code endpoint. A remote, unauthenticated attacker can exploit it by sending crafted HTTP requests to execute arbitrary code. The flaw impacts versions prior to 1.3.0.

Researchers from cybersecurity firm Horizon3.ai discovered the vulnerability and pointed out that it is easily exploitable.

“Remote code execution is easy now – just stick the payload into a decorator. Here’s an example of landing a Python reverse shell, targeting a vulnerable host at 10.0.220.200.” reads a post published by Horizon3.ai.


“Interactive RCE is possible by raising an Exception from the decorator.”

After the CVE was published, another researcher released a PoC exploit for this vulnerability that abused default arguments in Python functions. Default arguments are also expressions in Python, and they are evaluated when the function is defined, not when it is called.
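The two observations above (payload in a decorator, payload in a default argument) come down to one property of Python: a `def` statement evaluates its decorator and default-argument expressions at definition time. The following is an added example, not Langflow's code and not taken from either researcher's post: a simplified, hypothetical validator that "checks" submitted code by compiling and executing the function definitions, shown beside a parse-only validator and a static check that flags definition-time constructs. The submitted `SAMPLE` is constructed for the demo and its only side effect is appending two strings to a list, so the output shows exactly what ran.

```python
import ast

# Constructed sample submission. Nothing in it is a real payload: the only
# "side effect" is appending strings to a list the validator hands in, so
# the demo can show *when* code runs without doing anything else.
SAMPLE = '''
def marker(fn):
    SIDE_EFFECTS.append("decorator ran")
    return fn

@marker
def handler(x=SIDE_EFFECTS.append("default arg ran")):
    return x
'''


def validate_by_exec(source: str, namespace: dict) -> bool:
    """Vulnerable pattern (hypothetical, simplified; not Langflow's code).

    It "checks" each function by compiling and executing its definition
    without ever calling the function. That is not safe: decorator
    expressions and default-argument expressions are evaluated at
    definition time, so exec() runs whatever the submitter put there.
    """
    tree = ast.parse(source)
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<validate>", "exec"), namespace)
    return True


def validate_syntax_only(source: str) -> bool:
    """Hardened pattern: parse, never execute. Syntax errors are still
    reported, but no expression in the submission is evaluated."""
    try:
        ast.parse(source)
    except (SyntaxError, ValueError):
        return False
    return True


def find_definition_time_expressions(source: str) -> list:
    """Static check for constructs that execute when a `def` statement
    runs: decorators and non-constant default arguments. Usable as a
    review aid or a policy gate in front of any code-execution feature."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.decorator_list:
                findings.append(f"{node.name}: decorator")
            defaults = node.args.defaults + node.args.kw_defaults
            if any(d is not None and not isinstance(d, ast.Constant) for d in defaults):
                findings.append(f"{node.name}: non-constant default argument")
    return findings


def demo_definition_time_execution() -> list:
    """Run the vulnerable validator on SAMPLE and report what executed."""
    effects = []
    validate_by_exec(SAMPLE, {"SIDE_EFFECTS": effects})
    return effects


if __name__ == "__main__":
    print("exec-based validator ran:", demo_definition_time_execution())
    print("parse-only validator accepted:", validate_syntax_only(SAMPLE))
    print("definition-time constructs:", find_definition_time_expressions(SAMPLE))
```

The exec-based validator never calls `handler`, yet both strings land in the list: the default argument is evaluated first, then the decorator is applied. The parse-only validator accepts the same submission without evaluating anything, and the static check reports both constructs so a reviewer can see where a "validate" endpoint would have executed user input.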

Trend Micro researchers spotted the attacker using an open-source code proof of concept (PoC) to target vulnerable systems and enable code execution and payload delivery. 

Threat actors exploit the public PoC code to install Flodrix malware, which can launch DDoS attacks.

The researchers reported that attackers are scanning the internet for unpatched Langflow servers, using tools like Shodan. Then attackers gain shell access and run bash commands for reconnaissance, gathering details like system users, environment variables, and network settings. Once satisfied, they download and execute the Flodrix botnet malware from a remote server. Flodrix connects to a C&C server, enabling DDoS attacks. If run with invalid parameters, the malware deletes itself, likely as a way to test target compatibility. The vulnerability stems from insecure Python code validation that allows unauthenticated code execution.

“The malware supports two communication channels with its C&C server: one over standard TCP and another over the Tor network. By default, it establishes a socket connection with the C&C server using the TCP channel.” states the report.

The analysis of the attack chain shows that after exploiting CVE-2025-3248, attackers run a bash script named “docker” that downloads and executes Flodrix botnet ELF binaries for various system types. The script checks system output to verify success and deletes the file if a specific message appears. It avoids killing critical system processes and uses multiple methods (wget, curl, tftp) to ensure file download. Once a file runs successfully, execution stops. The presence of several variants suggests ongoing development and multiple active campaigns.

The payload is a new LeetHozer malware variant using stealth tactics like self-deletion, artifact removal, and string obfuscation to evade detection and analysis.

“Notably, this version supports dual communication channels with its C&C infrastructure over both TCP and UDP channels. Once connected, it can receive commands over TCP to launch various distributed denial-of-service (DDoS) attacks.” continues the report.

Trend Micro experts observed that the Flodrix botnet sample shares traits with a known variant, like the XOR key and traffic structure, but also introduces notable changes. These include altered response headers, new encrypted DDoS attack types, and added configuration options. A major enhancement is process enumeration via the /proc directory. If suspicious processes are found (e.g., systemd, busybox, or those running from /tmp), the malware terminates them and sends detailed kill reports to its C&C via UDP on port 50445.

“The new sample also notably enumerates the running processes by opening /proc directory to access all running processes. It iterates through the directory entries to filter out valid process identifiers (PIDs) and fetches detailed information about them, such as command names, execution paths, and command-line arguments.” concludes the report, which includes Indicators of Compromise (IOCs). “Then, the malware compares the running process with specific processes such as init, systemd, watchdog, busybox and /bin/busybox. Additionally, it checks if the process is running from /tmp directory. If a process matches the conditions, it sends signals to terminate it and sends a notification message that starts with “KILLDETAIL|” to the C&C over port 50445 over UDP with terminated process details.”
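Two of the indicators in this article are easy to turn into detection logic: requests to the vulnerable /api/v1/validate/code endpoint (the exploitation stage described earlier) and the UDP kill reports to port 50445 that start with “KILLDETAIL|”. The script below is an added example, not part of the Trend report or the article; it runs both checks over constructed sample log lines. The IP addresses, timestamps, the combined-format web log entries and the `payload=` flow-record format are all made up for the demo, and the only values taken from the article are the endpoint path, the port and the message prefix.

```python
import re

# Constructed sample logs for the demo; none of these lines, addresses or
# timestamps come from the Trend Research report.
# 1) Combined-format web server log in front of a Langflow instance.
ACCESS_LOG = [
    '203.0.113.5 - - [18/Jun/2025:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [18/Jun/2025:10:01:05 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jun/2025:10:01:09 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 500 77 "-" "python-requests/2.31.0"',
]
# 2) UDP flow records with a payload preview, in a hypothetical sensor format.
UDP_LOG = [
    "2025-06-18T10:05:00Z 10.0.0.12:41234 -> 192.0.2.77:50445 payload=KILLDETAIL|1234|busybox|/tmp/busybox",
    "2025-06-18T10:05:01Z 10.0.0.12:53211 -> 10.0.0.1:53 payload=....",
    "2025-06-18T10:05:02Z 10.0.0.30:40001 -> 192.0.2.77:50445 payload=hello",
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UDP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) '
    r'payload=(?P<payload>.*)$'
)

# Indicators taken from the article: the vulnerable endpoint, and the UDP
# port plus message prefix used for the malware's kill reports.
VALIDATE_PATH = "/api/v1/validate/code"
KILL_REPORT_PORT = 50445
KILL_REPORT_PREFIX = "KILLDETAIL|"


def find_validate_code_requests(lines):
    """Flag POSTs to the code-validation endpoint. On a server running a
    version before 1.3.0 every such request deserves a look; on a patched
    server they are normal editor traffic, so the caller decides severity."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == VALIDATE_PATH:
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"])})
    return hits


def find_kill_reports(lines):
    """Flag UDP datagrams to the kill-report port. A KILLDETAIL| prefix is a
    strong match; the port alone is weaker, since the port is not reserved."""
    hits = []
    for line in lines:
        m = UDP_RE.match(line)
        if m is None or int(m["dport"]) != KILL_REPORT_PORT:
            continue
        strong = m["payload"].startswith(KILL_REPORT_PREFIX)
        hits.append({
            "src": m["src"],
            "dst": m["dst"],
            "severity": "high" if strong else "medium",
            "payload": m["payload"],
        })
    return hits


def suspected_infected_hosts(kill_hits):
    """Internal sources that sent a strongly matching kill report."""
    return sorted({h["src"] for h in kill_hits if h["severity"] == "high"})


if __name__ == "__main__":
    for hit in find_validate_code_requests(ACCESS_LOG):
        print("validate/code POST:", hit)
    kills = find_kill_reports(UDP_LOG)
    for hit in kills:
        print("UDP 50445:", hit)
    print("hosts to isolate and image:", suspected_infected_hosts(kills))
```

On the sample data the web check returns the two POSTs from the same external source (one of them a 500, which is worth noting because a failed exploit attempt still shows which hosts are being probed), and the UDP check returns one high-severity hit carrying the prefix and one medium hit that only shares the port. The destination of the strong hit is the address to treat as C&C infrastructure in your own telemetry; the source is the host to isolate.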

Once installed, Flodrix sets up communications with a remote server to receive commands over TCP in order to launch distributed denial-of-service (DDoS) attacks against target IP addresses of interest. The botnet also supports connections over the TOR anonymity network.

“Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to [remote code execution],” the researchers said. “Based on these steps, the attacker is likely profiling all vulnerable servers and uses the collected data to identify high-value targets for future infections.”

Trend Micro said it identified the unknown threat actors to be hosting different downloader scripts on the same host used to fetch Flodrix, suggesting that the campaign is undergoing active development.

Flodrix is assessed to be an evolution of another botnet called LeetHozer that’s linked to the Moobot group. The improved variant incorporates the ability to discreetly remove itself, minimize forensic traces, and complicate analysis efforts by obfuscating command-and-control (C2) server addresses and other important indicators.

“Another significant change is the introduction of new DDoS attack types, which are now also encrypted, adding a further layer of obfuscation,” Trend Micro said. “The new sample also notably enumerates the running processes by opening /proc directory to access all running processes.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Flodrix botnet)