Hackers exploit Langflow flaw to push Monero miner in March-April campaign

Threat actors exploited a critical Langflow remote code execution flaw in a 19-day campaign from March 27 to April 15, 2026, to deploy a Monero miner and spread to other systems, according to a technical analysis from Trend Micro.

KEY FACTS

  • Vulnerability: CVE-2026-33017 is an unauthenticated remote code execution flaw in Langflow.
  • Payload: The campaign used a shell script dropper, a Go-based binary called lambsys, and a custom XMRig miner.
  • Targeting: The malware scanned exposed AI application endpoints and later used SSH keys to reach other hosts.
  • Defense evasion: It disabled security tools, removed logs, and tampered with files tied to persistence.

The report said a single line of Python code entered through an unauthenticated Langflow API endpoint downloaded a shell script, fetched a miner binary, and launched it in the background. The operation also tried to stop rival miners linked to Kinsing, WatchDog, Rocke and Outlaw.

The malware removed immutable attributes from files such as ~/.ssh/authorized_keys, /etc/crontab, /etc/ld.so.preload, /tmp/ and /var/tmp/, then reapplied protection to some directories after making changes. It also disabled AppArmor, UFW, iptables, SELinux, the kernel NMI watchdog and Alibaba Cloud’s Aliyun agent.
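The evasion steps above leave traces a defender can check for: the immutable attribute stripped from files the host's baseline keeps protected, new entries in /etc/ld.so.preload, and the kernel NMI watchdog switched off. The following Python script is an added example of such a post-incident audit; it is not code from the Trend Micro report, from Langflow, or from the malware. Its checks are pure functions over captured text so they run offline on constructed samples, and the paths it treats as "expected immutable" are an assumed hardening baseline to adjust to your own policy.

```python
"""Host audit for the defense-evasion traces described in the report.
Added example (not from Trend Micro or Langflow). Each check takes captured
text so it can be exercised on constructed samples; collect_live() gathers the
same inputs from a real Linux host."""
import os
import string
import subprocess

# Paths the report says the malware un-protected (chattr -i) before modifying.
# "~" is expanded for the current user, an assumption about the report's "~".
WATCHED_PATHS = [
    os.path.expanduser("~/.ssh/authorized_keys"),
    "/etc/crontab",
    "/etc/ld.so.preload",
    "/tmp",
    "/var/tmp",
]

_FLAG_CHARS = set("-" + string.ascii_letters)


def parse_lsattr(output):
    """Map path -> True if the immutable ('i') attribute is set.

    Parses `lsattr -d` lines such as '----i---------e------- /etc/crontab'.
    Error lines ('lsattr: No such file ...') are skipped because their first
    token contains characters that never appear in an attribute field."""
    flags_by_path = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        if not set(flags) <= _FLAG_CHARS or not path.startswith("/"):
            continue
        flags_by_path[path.strip()] = "i" in flags
    return flags_by_path


def preload_entries(contents):
    """Libraries listed in /etc/ld.so.preload, ignoring blanks and comments.
    The file is normally empty or absent, so any entry deserves a look."""
    return [ln.strip() for ln in contents.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def nmi_watchdog_disabled(sysctl_value):
    """/proc/sys/kernel/nmi_watchdog reads '0' when the watchdog is off."""
    return sysctl_value.strip() == "0"


def audit(lsattr_output, preload_contents, watchdog_value,
          expected_immutable=("/etc/ld.so.preload", "/etc/crontab")):
    """Combine the checks into a list of human-readable findings.

    `expected_immutable` is the assumed baseline of paths this host keeps
    immutable; a path that is present but no longer immutable is reported."""
    findings = []
    immutable = parse_lsattr(lsattr_output)
    for path in expected_immutable:
        if path in immutable and not immutable[path]:
            findings.append(f"immutable attribute removed from {path}")
    for lib in preload_entries(preload_contents):
        findings.append(f"ld.so.preload lists {lib}")
    if nmi_watchdog_disabled(watchdog_value):
        findings.append("kernel NMI watchdog is disabled")
    return findings


# Constructed samples: a host in its hardened baseline ...
CLEAN_LSATTR = ("----i---------e------- /etc/ld.so.preload\n"
                "----i---------e------- /etc/crontab\n")
# ... and the same host after the immutable bits were stripped and a preload
# library added. The library name is a constructed placeholder.
TAMPERED_LSATTR = ("--------------e------- /etc/ld.so.preload\n"
                   "--------------e------- /etc/crontab\n")
TAMPERED_PRELOAD = "/usr/local/lib/libexample.so\n"


def _read(path, default):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default


def collect_live():
    """Gather the three inputs from the running host (Linux; needs lsattr)."""
    lsattr = subprocess.run(["lsattr", "-d", *WATCHED_PATHS],
                            capture_output=True, text=True).stdout
    preload = _read("/etc/ld.so.preload", "")
    watchdog = _read("/proc/sys/kernel/nmi_watchdog", "1")
    return lsattr, preload, watchdog


if __name__ == "__main__":
    for finding in audit(*collect_live()) or ["no findings"]:
        print(finding)
```

Running the script on a host prints one line per finding; on the constructed baseline sample it reports nothing, while the tampered sample yields the removed immutable bits, the preload entry and the disabled watchdog. A finding is a prompt to compare against your own change records, since legitimate maintenance also toggles these settings.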

After persistence was set, the binary contacted the same server to retrieve a TAR archive containing a tailored XMRig miner and then deleted the archive. It also queried ipinfo.io for the host’s public IP address and location, which could help with pool selection and regional filtering.

Trend Micro said an older artifact of the same binary was compiled in May 2024, suggesting the family has been under development for more than two years. The company also noted that Langflow vulnerabilities have seen active abuse before, including a separate flaw exploited in 2025 to spread Flodrix botnet malware.

WHY IT MATTERS

The campaign shows how exposed AI application endpoints can be turned into entry points for cryptomining and lateral movement. It also highlights the need to secure Langflow instances and other internet-facing AI services before attackers use them for initial access.