NATS-as-C2: Critical Langflow Exploit Exploded to Fuel “LLMjacking” and Cloud Credential Theft

Forensic specialists from Sysdig have intercepted an anomalous command architecture governing a malicious network, wherein the adversaries abandoned conventional HTTP and instant-messaging channels for command-and-control operations. In their stead, the operators weaponized NATS—a high-performance messaging platform typically reserved by cloud engineers for distributed microservice architectures. This unprecedented implementation has been designated NATS-as-C2.

The intrusion has been definitively linked to the exploitation of CVE-2026-33017 within the Langflow platform, an unauthenticated remote code execution defect that has already been inducted into the Known Exploited Vulnerabilities catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). During the intrusion cycle, an adversary operating from the IP address 159.89.205.184 staged a Python module and a Go-based binary onto the compromised server, subsequently attempting a container breakout utilizing the legacy DirtyPipe and DirtyCreds exploit vectors.

The defining characteristic of this operation was the centralized NATS cluster listening at 45.192.109.25:14222, through which the operators orchestrated the fleet of compromised nodes. The communication fabric enforced strict authentication and access control lists (ACLs); consequently, an compromised endpoint could exclusively dispatch execution telemetry and heartbeat signals, remaining structurally isolated from the command queues of adjacent nodes. This design severely complicates botnet takeover attempts and prevents a single compromised server from revealing the totality of the malicious network.

The malicious framework has been tracked under the moniker KeyHunter. The platform’s primary objective is the systematic harvesting and validation of cloud credentials and artificial intelligence API keys. The deployed Python module was engineered to scrape tokens from public frontend sandboxes favored by developers, including CodePen, JSFiddle, StackBlitz, and CodeSandbox, operating on the premise that engineers frequently abandon functional keys for OpenAI, Anthropic, Amazon Web Services, and corollary vendors within transient test repositories.

Upon isolating a potential token, the software instantaneously validated its viability. For Amazon Web Services, the implant invoked the sts:GetCallerIdentity routine to ascertain the identity and privilege echelon of the compromised key. For artificial intelligence providers, the utility queried the model vendors’ APIs directly. Through this methodology, the operators secured parallel dominion over traditional cloud infrastructures and premium generative AI systems.

Operational logs demonstrate that prior to deploying the KeyHunter payload, the adversary dedicated nearly ten hours to credential harvesting across disparate application layers. The attacker initially enumerated exposed instances of LMDeploy and LiteLLM before pivoting to Langflow. Following the successful exploitation of CVE-2026-33017, the operator dumped the environment variables of the running process, exfiltrating the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Subsequently, the adversaries initiated mass programmatic queries against Amazon’s web services, probing Bedrock, S3, EC2, Lambda, ECS, and SageMaker. The operators exhibited an intense focus on Amazon Bedrock models, attempting to weaponize the illicit keys to run large language models at the victim’s expense—a technique structurally defined as LLMjacking, wherein interlopers effectively steal premium, computationally intensive AI resources.

A deep analysis of the Go binary revealed that the KeyHunter developers invested considerable engineering effort into evading perimeter security controls. The implant integrated the uTLS library to realistically simulate the TLS fingerprints of Chrome, Firefox, Safari, and contemporary mobile browsers, successfully bypassing bot-detection mechanisms deployed by Cloudflare and adjacent content delivery networks.

Furthermore, the architecture supported automated headless browser orchestration to scrape dynamic, client-side rendered layouts, and retained dozens of distinct data-extraction templates tailored for specific platforms. The developers built redundant fallbacks for each target service to ensure that superficial structural changes to a vendor’s website interface would not compromise the utility’s collection cycle.

The initialization script established the keyhunter-worker daemon as a persistent service within systemd, ensuring it survived system reboots. Conversely, the threat actors demonstrated a remarkable indifference to operational stealth; Sysdig analysts surmise that the operators rely on cheap, ephemeral virtual private servers, choosing to forgo the overhead of complex anti-forensic concealment mechanisms.

Sysdig strongly implores administrators to upgrade Langflow installations to a remediated version that neutralizes CVE-2026-33017, block all network connectivity to the indicators 45.192.109.25:14222 and 159.89.205.184:8888, and comprehensively rotate all AWS, OpenAI, Anthropic, and HuggingFace tokens that may have resided within vulnerable Langflow environments.

Analysts conclude that NATS-as-C2 may herald a nascent trend among botnet architects. Because NATS natively provisions robust authorization matrices, resilient message queuing, and seamless horizontal scaling out of the box, adversaries are no longer burdened with constructing complex, bespoke command-and-control software from scratch.