CVE-2026-33017 in the Wild: Tracking NATS C2, AWS Theft, and AI Model Hijacking

Security teams monitoring AI infrastructure should be on high alert: unpatched instances of Langflow are being actively weaponized. While the immediate impact of CVE-2026-33017 is Remote Code Execution (RCE), the secondary stage of this attack is far more sophisticated. Threat actors are leveraging these breaches as initial access vectors to exfiltrate AWS credentials and enroll compromised nodes into a specialized, NATS-backed worker pool known as “KeyHunter.”

The vulnerability, which has been officially added to the CISA Known Exploited Vulnerabilities (KEV) catalog, targets Langflow’s public flow-building endpoint. Because the endpoint allows for unauthenticated arbitrary Python execution, an attacker can essentially execute code within the context of the application, granting them direct access to sensitive environment variables and application-level secrets.

Telemetry from a recent incident reveals a methodical, multi-stage reconnaissance pattern. The operator spent approximately 10 hours probing the victim’s perimeter—specifically targeting LMDeploy and LiteLLM surfaces—before identifying the Langflow instance as the path of least resistance for a credential-harvesting cycle.

At 09:12 UTC, the exploit was successfully triggered against the Langflow public flow API. The attacker performed a rapid dump of the process environment, successfully extracting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly from memory. This allowed for immediate lateral movement into the victim’s cloud estate.

The Sysdig Threat Research Team (TRT) observed this pivot in real-time. Within minutes of the RCE, the actor invoked sts:GetCallerIdentity to validate the stolen keys. Once confirmed, they initiated a broad reconnaissance sweep across various AWS services, including S3, EC2, Lambda, and IAM.

Of particular concern is the targeting of AWS Bedrock. By issuing calls such as Bedrock:InvokeModel and Bedrock:ListModelInvocationJobs, the attackers engaged in “LLMjacking”—a technique designed to hijack access to high-performance foundation models like Claude and Llama 3, effectively running expensive inference workloads on the victim’s dime.

The Architecture of KeyHunter: Using NATS as a C2 Channel

What differentiates this campaign from standard credential harvesting is the sophisticated Command-and-Control (C2) infrastructure. Rather than relying on traditional HTTP-based panels or common chat apps like Telegram, the operator utilized a hardened NATS server to coordinate a distributed botnet of workers.

The NATS-as-C2 tool chain (Source : Sysdig).
The NATS-as-C2 tool chain (Source : Sysdig).

The KeyHunter ecosystem utilizes both Python and Go-based worker binaries. These workers are designed to scrape code-sharing platforms—such as CodePen, JSFiddle, and StackBlitz—to find leaked API keys. The coordination is handled via a NATS endpoint (45.192.109.25:14222), which is configured with strict subject-level Access Control Lists (ACLs).

This architectural choice demonstrates a high level of operational maturity. The NATS server enforces least privilege at the messaging layer. For example, when a worker attempted to broadcast a heartbeat on an unauthorized subject, the server rejected the request. This ensures that even if a single worker node is identified and captured by defenders, the attacker’s primary C2 bus remains insulated, preventing the defender from pivoting back to the controller or observing other worker traffic.

The Go-based workers leverage NATS JetStream pull consumers. This ensures that tasks (such as task.validate_aws or task.scan_web) are durably queued; if a worker node goes offline or is neutralized, the task is simply re-delivered to another available node in the pool.

Persistence (Source : Sysdig).
Persistence (Source : Sysdig).

To maintain long-term presence, the workers are deployed via a deploy.sh script that installs them as systemd services. These services are configured with Restart=always and elevated file-descriptor limits (up to 65,535), optimizing the infrastructure for high-concurrency web scraping and persistent uptime on commodity VPS instances.

Technical analysis of the binaries reveals advanced evasion techniques. The Go worker utilizes uTLS to mimic legitimate browser TLS fingerprints and employs a headless-browser sidecar to bypass bot-detection mechanisms on JavaScript-heavy sites like CodeSandbox. The regex patterns integrated into the workers are highly specialized, targeting not only cloud credentials (AWS, OpenAI, Anthropic) but also Stripe, Slack, and various database connection strings.

While the threat actor’s overall OPSEC is somewhat lacking—evidenced by a failure to scrub system logs and the presence of leaked Windows file paths in Go binaries—the functional capability of the KeyHunter botnet is significant. The group prioritizes scalable, resilient infrastructure over total stealth.

Defense Recommendation: Organizations must immediately patch Langflow instances. Furthermore, security monitoring should extend beyond traditional web traffic to include anomalous activity within message brokers like NATS, and continuous auditing of AWS Bedrock/AI service usage to detect “LLMjacking” attempts.

Indicators of Compromise (IoCs)

Indicator Type
45.192.109.25:14222 NATS C2
159.89.205.184:8888 Staging HTTP
File Name SHA-256 Hash Size
worker-linux-amd64 dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25 9,453,752
keyhunter_worker.py 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c 10,979
deploy.sh 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b72d101a 1,424

Note: IP addresses and domains are provided for research purposes. Ensure all indicators are re-fanged (e.g., adding [.]) before being ingested into standard documentation to prevent accidental execution.

Related Articles

Back to top button