    Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

    By admin | June 30, 2026 | 4 Mins Read

    Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner.

    The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating that threat actors are scanning for and targeting exposed artificial intelligence (AI) application endpoints to obtain initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026.

    “In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached,” Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week.

    At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing, WatchDog, Rocke, and Outlaw, delete rival wallet and key material, disable host-level security controls, establish cron-based persistence, beacon to an external server (“83.142.209[.]214:80”), and deploy a custom miner. It can also propagate to other systems through reused SSH keys, effectively turning an exposed Langflow instance into a pathway for broader compromise.

    The infection chain involves exploiting the Langflow flaw to run an attacker-supplied Python script, which, in turn, launches a remotely hosted shell script. That script acts as a dropper whose primary responsibility is to check if a binary called “lambsys” is already running on the host.

    Subsequently, it downloads the binary onto the machine using curl or wget, launches it as a detached process, and spreads itself to every SSH-reachable host the victim can authenticate to. The binary, an ELF executable written in Go, is also engineered to disable AppArmor, Ubuntu’s Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud’s Aliyun agent.

    In addition, the malware removes system logs to cover its tracks. It removes the immutable attribute from paths like “~/.ssh/,” “~/.ssh/authorized_keys,” “/etc/crontab,” “/etc/ld.so.preload,” “/tmp/,” “/var/tmp/,” and “/var/spool/cron” in order to make its modifications, and then reapplies the immutable attribute to “/tmp/” and “/var/tmp/.”

    Illicit cryptocurrency mining operations are known to use “chattr +i” to set the immutable attribute on these files to ensure that they cannot be modified, renamed, or deleted by any user, including the superuser. The binary’s behavior indicates that the threat actor behind the operation is aware of persistence methods adopted by rival cryptojacking groups.

    In the final stage, the binary contacts the same server to fetch a TAR archive and extracts from it a bespoke XMRig miner. Once the miner begins execution, the archive file is wiped from the file system. It further sends a request to ipinfo[.]io to obtain the host’s public IP address and location, allowing the threat actors to make operational decisions on the fly.

    The lookup serves two purposes. The first is pool selection. Given that mining pools tend to be geographically distributed, connecting the miner to a pool near the victim can minimize latency and maximize hash rate. The second reason behind obtaining this information is geo-fencing, as it gives the threat actors a way to exclude victims in certain regions.

    “Lambsys does not run its attack logic as Go functions,” the researchers explained. “Instead, it forks a cascade of short-lived sh -c subprocesses, each executing one shell command (one pkill, one chattr, one sysctl). The design trades stealth for reliability. If one of 51 pkill commands fails, the failure is contained to that subprocess, and the other 50 carry on.”
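
The subprocess cascade described in the quote is noisy enough to hunt for in process-creation telemetry. The following detector is an added example, not code from Trend Micro or the original article: it flags any parent process that forks a burst of `sh -c` children, each running a single pkill, chattr or sysctl command. The event format, sample lines, and thresholds are constructed assumptions to adapt to your own audit or EDR data.

```python
import re
from collections import defaultdict

WATCHED = {"pkill", "chattr", "sysctl"}             # tools named in the quoted report
SHELLS = {"sh", "bash", "dash"}
WINDOW_SECONDS, MIN_CHILDREN, MIN_TOOLS = 10, 5, 2  # assumed thresholds, tune per fleet
# Constructed event format and sample data (not a real auditd or EDR schema).
EVENT_RE = re.compile(r"^(\d+(?:\.\d+)?) ppid=(\d+) pid=(\d+) exe=(\S+) cmd=(.*)$")
SAMPLE_EVENTS = [
    "1000.0 ppid=4242 pid=4301 exe=/bin/sh cmd=sh -c 'pkill -f rival-a'",
    "1000.1 ppid=4242 pid=4302 exe=/bin/sh cmd=sh -c 'pkill -f rival-b'",
    "1000.2 ppid=4242 pid=4303 exe=/bin/sh cmd=sh -c 'chattr -i /etc/crontab'",
    "1000.3 ppid=4242 pid=4304 exe=/bin/sh cmd=sh -c 'chattr +i /tmp/'",
    "1000.4 ppid=4242 pid=4305 exe=/bin/sh cmd=sh -c 'sysctl -w kernel.nmi_watchdog=0'",
    "1001.0 ppid=900 pid=4400 exe=/bin/sh cmd=sh -c 'sysctl -p'",
    "1003.0 ppid=777 pid=4500 exe=/bin/sh cmd=sh -c 'pkill -f old-worker'",
]

def watched_tool(exe, cmd):
    """Return the watched tool launched as `sh -c '<tool> ...'`, else None."""
    parts = cmd.split(None, 2)                      # shell, "-c", command string
    if exe.rsplit("/", 1)[-1] not in SHELLS or len(parts) < 3 or parts[1] != "-c":
        return None
    inner = parts[2].strip("'\"").split()
    tool = inner[0].rsplit("/", 1)[-1] if inner else ""
    return tool if tool in WATCHED else None

def find_cascades(lines):
    """Flag parents that fork a burst of one-command shell children."""
    by_parent = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        tool = watched_tool(m.group(4), m.group(5)) if m else None
        if tool:
            by_parent[int(m.group(2))].append((float(m.group(1)), tool))
    alerts = []
    for ppid, hits in sorted(by_parent.items()):
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1                          # slide the window forward
            tools = sorted({t for _, t in hits[start:end + 1]})
            size = end - start + 1
            if size >= MIN_CHILDREN and len(tools) >= MIN_TOOLS and (not best or size > best["children"]):
                best = {"ppid": ppid, "children": size, "tools": tools}
        if best:
            alerts.append(best)
    return alerts
```

Requiring at least two distinct tools inside the window keeps a routine single `sysctl -p` or one-off `pkill` from a service script below the alert threshold.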

    Trend Micro said an artifact belonging to the previous iteration of the same binary was compiled in May 2024, indicating that the threat actors behind the campaign have likely been iterating on the family for over two years, while taking steps to evade detection by antivirus tools.

    Over the past year, a number of security flaws in Langflow have come under active exploitation. In June 2025, another critical vulnerability (CVE-2025-3248, CVSS score: 9.8) was abused to distribute the Flodrix botnet malware.

    “This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments,” Trend Micro said. “The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure.”
