Flodrix botnet targets vulnerable Langflow servers

Pierluigi Paganini June 18, 2025

Attackers exploit CVE-2025-3248 in Langflow servers to deliver Flodrix botnet via downloader scripts, Trend Research reports.

Trend Research uncovered an ongoing campaign exploiting the vulnerability CVE-2025-3248 to deliver the Flodrix botnet. Attackers exploit the flaw to run scripts on Langflow servers, downloading and installing Flodrix malware.

“If the vulnerability is successfully exploited, threat actors behind the Flodrix botnet can cause full system compromise, DDoS attacks, and potential loss or exposure of sensitive information hosted on affected Langflow servers.” reads the report published by Trend Research.

In May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Langflow flaw CVE-2025-3248 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

Langflow is a popular tool used for building agentic AI workflows. 

CVE-2025-3248 is a code injection vulnerability in the /api/v1/validate/code endpoint. A remote, unauthenticated attacker can exploit it by sending crafted HTTP requests to execute arbitrary code. The flaw impacts versions prior to 1.3.0.

Researchers from cybersecurity firm Horizon3.ai discovered the vulnerability and pointed out that it is easily exploitable.

“Remote code execution is easy now – just stick the payload into a decorator. Here’s an example of landing a Python reverse shell, targeting a vulnerable host at 10.0.220.200.” reads a post published by Horizon3.ai.


“Interactive RCE is possible by raising an Exception from the decorator.”

After the CVE was published, another researcher released a proof-of-concept exploit for this vulnerability that abused default arguments in Python functions. Like decorators, default argument values are expressions that Python evaluates at the moment a function is defined, not when it is called, so any check that executes the submitted code also runs them.
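The mechanism described above, as an added example that is not Langflow's code or from either research team: a validator that executes submitted source with `exec()` runs decorator and default-argument expressions as a side effect of the `def` statement, whereas a parse-only check with `ast.parse` never executes anything. The submitted snippet, the `SIDE_EFFECTS` list and the `_note` helper are constructed stand-ins; the only "payload" is appending a string to a list.

```python
"""
Added example: why exec()-based "validation" of Python source executes code.

Python evaluates decorator expressions and default-argument expressions when
the `def` statement runs, not when the function is called. A validator that
exec()s the submitted module therefore runs those expressions. A parse-only
validator (ast.parse) only builds a syntax tree.
"""
import ast

# Constructed sample submission. `_note` records a message and returns an
# identity decorator, standing in for anything an attacker could place in a
# decorator or default-argument position.
SAMPLE_SOURCE = '''
def _note(msg):
    SIDE_EFFECTS.append(msg)
    return lambda fn: fn

@_note("decorator expression ran")
def handler(arg=_note("default argument ran")):
    return arg
'''


def unsafe_validate(source: str, side_effects: list) -> bool:
    """Mimics an exec()-based check: compiles AND executes the module body."""
    namespace = {"SIDE_EFFECTS": side_effects}
    try:
        exec(compile(source, "<submitted>", "exec"), namespace)
        return True
    except Exception:
        return False


def safe_validate(source: str) -> bool:
    """Parse-only syntax check: builds an AST and never executes anything."""
    try:
        ast.parse(source)
        return True
    except SyntaxError:
        return False


def definition_time_expressions(source: str) -> list:
    """Static inventory of the expressions Python evaluates when each `def`
    executes: decorators and default values. Useful for review or policy
    checks without running the code."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                found.append(f"decorator: {ast.unparse(dec)}")
            defaults = node.args.defaults + [
                d for d in node.args.kw_defaults if d is not None
            ]
            for dflt in defaults:
                found.append(f"default: {ast.unparse(dflt)}")
    return found


def demo() -> list:
    """Runs both validators on the sample and returns what exec() triggered."""
    effects = []
    safe_validate(SAMPLE_SOURCE)          # syntax OK, effects still empty
    unsafe_validate(SAMPLE_SOURCE, effects)  # defining `handler` fires both
    return effects


if __name__ == "__main__":
    print("parse-only check executed nothing; exec-based check produced:")
    for e in demo():
        print("  -", e)
    print("definition-time expressions found statically:")
    for expr in definition_time_expressions(SAMPLE_SOURCE):
        print("  -", expr)
```

The design point is that "validation" must never be implemented as execution: `safe_validate` accepts the same syntactically valid source while leaving `SIDE_EFFECTS` untouched, and `definition_time_expressions` shows that the dangerous positions can be enumerated statically if a stricter policy is wanted.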

Trend Micro researchers spotted the attacker using an open-source code proof of concept (PoC) to target vulnerable systems and enable code execution and payload delivery. 

Threat actors exploit the public PoC code to install Flodrix malware, which can launch DDoS attacks.

The researchers reported that attackers scan the internet for unpatched Langflow servers using tools like Shodan. After gaining shell access, they run bash commands for reconnaissance, collecting details such as system users, environment variables, and network settings. Once satisfied, they download and execute the Flodrix botnet malware from a remote server. Flodrix then connects to a C&C server and can be tasked with DDoS attacks. If run with invalid parameters, the malware deletes itself, likely as a way to test target compatibility. The underlying vulnerability stems from insecure validation of user-supplied Python code, which allows unauthenticated code execution.

“The malware supports two communication channels with its C&C server: one over standard TCP and another over the Tor network. By default, it establishes a socket connection with the C&C server using the TCP channel.” states the report.

The analysis of the attack chain shows that after exploiting CVE-2025-3248, attackers run a bash script named “docker” that downloads and executes Flodrix botnet ELF binaries for various system types. The script checks system output to verify success and deletes the file if a specific message appears. It avoids killing critical system processes and uses multiple methods (wget, curl, tftp) to ensure file download. Once a file runs successfully, execution stops. The presence of several variants suggests ongoing development and multiple active campaigns.

The payload is a new LeetHozer malware variant using stealth tactics like self-deletion, artifact removal, and string obfuscation to evade detection and analysis.

“Notably, this version supports dual communication channels with its C&C infrastructure over both TCP and UDP channels. Once connected, it can receive commands over TCP to launch various distributed denial-of-service (DDoS) attacks. ” continues the report.

Trend Micro experts observed that the Flodrix botnet sample shares traits with a known variant, such as the XOR key and traffic structure, but also introduces notable changes. These include altered response headers, new encrypted DDoS attack types, and added configuration options. A major enhancement is process enumeration via the /proc directory. If suspicious processes are found (e.g., systemd, busybox, or anything running from /tmp), the malware terminates them and sends detailed kill reports to its C&C via UDP on port 50445.

“The new sample also notably enumerates the running processes by opening the /proc directory to access all running processes. It iterates through the directory entries to filter out valid process identifiers (PIDs) and fetches detailed information about them, such as command names, execution paths, and command-line arguments.” concludes the report, which includes Indicators of Compromise (IOCs). “Then, the malware compares the running process with specific processes such as init, systemd, watchdog, busybox and /bin/busybox. Additionally, it checks if the process is running from the /tmp directory. If a process matches the conditions, it sends signals to terminate it and sends a notification message that starts with “KILLDETAIL|” to the C&C over port 50445 over UDP with the terminated process details.”
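Two detection checks a defender can build from the indicators the article gives, as an added example that is not from Trend Research or the Langflow project: requests to the vulnerable `/api/v1/validate/code` endpoint (CVE-2025-3248) from sources outside a trusted range, and UDP datagrams to port 50445 whose payload begins with `KILLDETAIL|`. The access-log lines, the flow records, the trusted network range and the text after the `KILLDETAIL|` prefix are all constructed for this example; the article only gives the prefix and the port.

```python
"""
Added detection example built from the article's indicators.

1. Web access logs: requests to /api/v1/validate/code from addresses outside
   an assumed trusted admin range.
2. UDP flow records: datagrams to port 50445 starting with b"KILLDETAIL|",
   the kill-report message attributed to Flodrix.
All sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed Combined Log Format lines (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [18/Jun/2025:10:14:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 412 "-" "python-requests/2.32"
10.20.0.5 - - [18/Jun/2025:10:15:11 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jun/2025:10:16:45 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 500 77 "-" "curl/8.5"
10.20.0.5 - - [18/Jun/2025:10:17:00 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
VULNERABLE_ENDPOINT = "/api/v1/validate/code"
# Assumed trusted range; adjust to where legitimate Langflow UI users sit.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def suspicious_validate_requests(log_text: str, trusted_nets=TRUSTED_NETS) -> List[dict]:
    """Returns hits on the vulnerable endpoint from non-trusted sources."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["path"].split("?", 1)[0] != VULNERABLE_ENDPOINT:
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in trusted_nets):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"],
                     "method": m["method"], "status": int(m["status"])})
    return hits


@dataclass
class UdpDatagram:
    src: str
    dst: str
    dst_port: int
    payload: bytes


KILL_REPORT_PREFIX = b"KILLDETAIL|"   # from the report quoted above
FLODRIX_REPORT_PORT = 50445           # UDP port named in the report


def is_flodrix_kill_report(d: UdpDatagram) -> bool:
    """True when a datagram matches the kill-report beacon pattern."""
    return d.dst_port == FLODRIX_REPORT_PORT and d.payload.startswith(KILL_REPORT_PREFIX)


def flodrix_kill_reports(datagrams: List[UdpDatagram]) -> List[UdpDatagram]:
    return [d for d in datagrams if is_flodrix_kill_report(d)]


# Constructed flow records; the fields after the prefix are invented.
SAMPLE_DATAGRAMS = [
    UdpDatagram("10.20.0.44", "192.0.2.10", 50445, b"KILLDETAIL|pid=812|cmd=busybox|path=/tmp/busybox"),
    UdpDatagram("10.20.0.44", "192.0.2.10", 53, b"\x12\x34\x01\x00"),
    UdpDatagram("10.20.0.45", "192.0.2.10", 50445, b"hello"),
]

if __name__ == "__main__":
    for h in suspicious_validate_requests(ACCESS_LOG):
        print("validate/code from untrusted source:", h)
    for d in flodrix_kill_reports(SAMPLE_DATAGRAMS):
        print("possible Flodrix kill report:", d.src, "->", d.dst, d.payload)
```

The endpoint is used legitimately by the Langflow front end, so the first check is only useful with a realistic trusted-source list; on a patched instance (1.3.0 or later) such hits still indicate scanning. The second check is a narrow content match and complements, rather than replaces, blocking unexpected outbound UDP from servers that have no reason to send it.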

Once installed, Flodrix sets up communications with a remote server to receive commands over TCP in order to launch distributed denial-of-service (DDoS) attacks against target IP addresses of interest. The botnet also supports connections over the Tor anonymity network.

“Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to [remote code execution],” the researchers said. “Based on these steps, the attacker is likely profiling all vulnerable servers and uses the collected data to identify high-value targets for future infections.”

Trend Micro said it found the unknown threat actors hosting different downloader scripts on the same host used to fetch Flodrix, suggesting that the campaign is under active development.

Flodrix is assessed to be an evolution of another botnet called LeetHozer that’s linked to the Moobot group. The improved variant incorporates the ability to discreetly remove itself, minimize forensic traces, and complicate analysis efforts by obfuscating command-and-control (C2) server addresses and other important indicators.

“Another significant change is the introduction of new DDoS attack types, which are now also encrypted, adding a further layer of obfuscation,” Trend Micro said. “The new sample also notably enumerates the running processes by opening /proc directory to access all running processes.”
