CVE-2026-33017 in the Wild: Tracking NATS C2, AWS Theft, and AI Model Hijacking
Security teams monitoring AI infrastructure should be on high alert: unpatched instances of Langflow are being actively weaponized. While the immediate impact of CVE-2026-33017 is Remote Code Execution (RCE), the secondary stage of this attack is far more sophisticated. Threat actors are leveraging these breaches as initial access vectors to exfiltrate AWS credentials and enroll compromised nodes into a specialized, NATS-backed worker pool known as “KeyHunter.”
The vulnerability, which has been officially added to the CISA Known Exploited Vulnerabilities (KEV) catalog, targets Langflow’s public flow-building endpoint. Because the endpoint allows for unauthenticated arbitrary Python execution, an attacker can essentially execute code within the context of the application, granting them direct access to sensitive environment variables and application-level secrets.
Telemetry from a recent incident reveals a methodical, multi-stage reconnaissance pattern. The operator spent approximately 10 hours probing the victim’s perimeter—specifically targeting LMDeploy and LiteLLM surfaces—before identifying the Langflow instance as the path of least resistance for a credential-harvesting cycle.
At 09:12 UTC, the exploit was successfully triggered against the Langflow public flow API. The attacker performed a rapid dump of the process environment, successfully extracting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly from memory. This allowed for immediate lateral movement into the victim’s cloud estate.
The Sysdig Threat Research Team (TRT) observed this pivot in real-time. Within minutes of the RCE, the actor invoked sts:GetCallerIdentity to validate the stolen keys. Once confirmed, they initiated a broad reconnaissance sweep across various AWS services, including S3, EC2, Lambda, and IAM.
Of particular concern is the targeting of AWS Bedrock. By issuing calls such as Bedrock:InvokeModel and Bedrock:ListModelInvocationJobs, the attackers engaged in “LLMjacking”—a technique designed to hijack access to high-performance foundation models like Claude and Llama 3, effectively running expensive inference workloads on the victim’s dime.
The Architecture of KeyHunter: Using NATS as a C2 Channel
What differentiates this campaign from standard credential harvesting is the sophisticated Command-and-Control (C2) infrastructure. Rather than relying on traditional HTTP-based panels or common chat apps like Telegram, the operator utilized a hardened NATS server to coordinate a distributed botnet of workers.

The KeyHunter ecosystem utilizes both Python and Go-based worker binaries. These workers are designed to scrape code-sharing platforms—such as CodePen, JSFiddle, and StackBlitz—to find leaked API keys. The coordination is handled via a NATS endpoint (45.192.109.25:14222), which is configured with strict subject-level Access Control Lists (ACLs).
This architectural choice demonstrates a high level of operational maturity. The NATS server enforces least privilege at the messaging layer. For example, when a worker attempted to broadcast a heartbeat on an unauthorized subject, the server rejected the request. This ensures that even if a single worker node is identified and captured by defenders, the attacker’s primary C2 bus remains insulated, preventing the defender from pivoting back to the controller or observing other worker traffic.
The Go-based workers leverage NATS JetStream pull consumers. This ensures that tasks (such as task.validate_aws or task.scan_web) are durably queued; if a worker node goes offline or is neutralized, the task is simply re-delivered to another available node in the pool.

To maintain long-term presence, the workers are deployed via a deploy.sh script that installs them as systemd services. These services are configured with Restart=always and elevated file-descriptor limits (up to 65,535), optimizing the infrastructure for high-concurrency web scraping and persistent uptime on commodity VPS instances.
Technical analysis of the binaries reveals advanced evasion techniques. The Go worker utilizes uTLS to mimic legitimate browser TLS fingerprints and employs a headless-browser sidecar to bypass bot-detection mechanisms on JavaScript-heavy sites like CodeSandbox. The regex patterns integrated into the workers are highly specialized, targeting not only cloud credentials (AWS, OpenAI, Anthropic) but also Stripe, Slack, and various database connection strings.
While the threat actor’s overall OPSEC is somewhat lacking—evidenced by a failure to scrub system logs and the presence of leaked Windows file paths in Go binaries—the functional capability of the KeyHunter botnet is significant. The group prioritizes scalable, resilient infrastructure over total stealth.
Defense Recommendation: Organizations must immediately patch Langflow instances. Furthermore, security monitoring should extend beyond traditional web traffic to include anomalous activity within message brokers like NATS, and continuous auditing of AWS Bedrock/AI service usage to detect “LLMjacking” attempts.
Indicators of Compromise (IoCs)
| Indicator | Type |
|---|---|
| 45.192.109.25:14222 | NATS C2 |
| 159.89.205.184:8888 | Staging HTTP |
| File Name | SHA-256 Hash | Size |
|---|---|---|
| worker-linux-amd64 | dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25 | 9,453,752 |
| keyhunter_worker.py | 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c | 10,979 |
| deploy.sh | 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b72d101a | 1,424 |
Note: IP addresses and domains are provided for research purposes. Ensure all indicators are re-fanged (e.g., adding [.]) before being ingested into standard documentation to prevent accidental execution.