From Langflow to Monero: Inside CVE-2026-33017 Cryptominer
A cryptocurrency-mining campaign is actively exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow, to deploy the lambsys malware. The attack chain involves a bash dropper that establishes SSH-based lateral movement, followed by a Go-based payload that systematically disables Linux security controls, eliminates rival miners, and deploys a customized XMRig miner.
- cve
- cve
- filenameisp.shInitial bash dropper script that establishes SSH lateral movement.
- filenamelambsys.elfMain Go-based malware payload responsible for defense evasion and miner deployment.
- ip83[.]142[.]209[.]214Primary C2 server hosting payloads and receiving status beacons.
- ip94[.]156[.]64[.]241Older C2 server associated with the 2024 variant of the lambsys malware.
- md546096a72d84db5f1dafd944fcf6571c8Hardcoded MD5 hash of the ks.tar miner payload archive.
- urlhxxp://83[.]142[.]209[.]214:8080/isp[.]shURL used to download the initial bash dropper script.
- urlhxxp://83[.]142[.]209[.]214:8080/ks[.]tarURL used to download the customized XMRig miner payload archive.
- urlhxxp://83[.]142[.]209[.]214:80/setup_status[.]phpSecondary C2 endpoint used for status reporting.
- urlhxxp://83[.]142[.]209[.]214:80/status[.]phpC2 endpoint used by the lambsys malware for periodic status beaconing.
- urlhxxp://94[.]156[.]64[.]241/r[.]phpC2 endpoint used by the older 2024 variant.
Detection / HunterGoogle
What Happened
Cybercriminals are exploiting a vulnerability in a popular AI tool called Langflow to break into corporate networks. Once inside, they install malicious software that disables security protections, spreads to other connected computers using stolen SSH keys, and secretly mines cryptocurrency. This can severely slow down computer systems and increase cloud computing costs. Organizations using Langflow should immediately update their software, block public internet access to these systems, and check for signs of unauthorized access.
Key Takeaways
- Threat actors are exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow, to deploy cryptocurrency miners.
- The attack chain uses a Python primitive to download a bash dropper (isp.sh) that establishes SSH-based lateral movement.
- The main payload (lambsys) is a Go-based binary that systematically disables Linux security controls, eliminates rival miners, and establishes persistence.
- The malware deploys a customized XMRig miner (procq) to mine Monero while beaconing status updates to a C2 server.
- Organizations should restrict public access to Langflow instances and update to version 1.9.0 or later.
Affected Systems
- Langflow instances exposed to the public internet
- Linux operating systems (Ubuntu, RHEL/CentOS)
- Alibaba Cloud infrastructure (Aliyun agent targeted)
Vulnerabilities (CVEs)
- CVE-2026-33017
- CVE-2025-3248
Attack Chain
The attack begins with an unauthenticated POST request to a Langflow API endpoint, exploiting CVE-2026-33017 to execute a Python command. This command downloads and runs a bash script (isp.sh) that establishes SSH-based lateral movement and fetches the main Go-based payload (lambsys). The lambsys binary systematically kills rival cryptominers, disables host security controls like AppArmor and SELinux, and establishes persistence via cron jobs and a watchdog script. Finally, it downloads a customized XMRig miner (procq) to mine Monero while beaconing status updates to a C2 server.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: Yes
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Emerging Threats, Suricata
The article notes that the C2 IP triggers Emerging Threats rule 2400010 due to being on the Spamhaus DROP list, and geo-IP checks trigger Suricata SID 2054168.
Detection Engineering Assessment
EDR Visibility: High — The malware executes numerous noisy shell commands (chattr, sysctl, userdel, pkill, iptables) that are highly visible to EDR process creation and command-line logging. Network Visibility: Medium — C2 traffic is unencrypted HTTP (port 80 and 8080), making it visible to network sensors, though the payload uses standard JSON and spoofed User-Agents to blend in. Detection Difficulty: Moderate — While the initial exploit blends in with web traffic, the post-exploitation activity is extremely noisy and modifies multiple system configurations, making it relatively easy to detect if basic Linux telemetry is collected.
Required Log Sources
- Process Execution Logs (Event ID 4688 / Sysmon Event ID 1)
- Network Traffic Logs
- Web Server Access Logs
- Cron Execution Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Python processes spawning shell interpreters (sh or bash) with curl or wget commands, indicating potential RCE exploitation. | Process Execution | Execution | Low |
| Search for chattr commands modifying permissions on /tmp, /var/tmp, or SSH directories, which is indicative of malware establishing persistence or evading removal. | Process Execution | Defense Evasion | Low |
| Monitor for the execution of userdel targeting non-standard accounts like akay or vfinder, suggesting rival cryptominer eviction. | Process Execution | Impact | Very Low |
| Detect outbound HTTP POST requests to /status.php or /setup_status.php using the Go-http-client/1.1 User-Agent, indicating potential C2 beaconing. | Network Traffic | Command and Control | Low |
| Look for the creation of hidden directories with unusual spacing (e.g., ./. /. /) or hidden files in /var/tmp/ like .xlamb. | File Creation | Defense Evasion | Low |
Control Gaps
- Lack of egress filtering for standard HTTP ports (80/8080)
- Unrestricted SSH lateral movement via known_hosts without MFA
- Missing authentication on exposed AI application endpoints
Key Behavioral Indicators
- Process ancestry showing Langflow/Python spawning curl/wget
- Execution of sysctl kernel.nmi_watchdog=0
- Creation of /var/spool/cron/crontabs/tmp.* files
- DNS queries to ipinfo.io from application servers
False Positive Assessment
- Low. The combination of specific file paths (/var/tmp/.xlamb), unique dropper names (isp.sh), and the targeted deletion of specific rival miner accounts (akay, vfinder) provides highly specific indicators with minimal overlap with legitimate administrative activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and isolate any Langflow instances exposed to the public internet.
- Update Langflow to version 1.9.0 or later to patch CVE-2026-33017.
- Review SSH known_hosts and authorized_keys on affected systems and consider rotating exposed SSH keys.
Infrastructure Hardening
- Evaluate whether AI application endpoints require public internet access and restrict them behind VPNs or zero-trust proxies.
- Consider implementing egress filtering to block outbound connections to known malicious IPs and mining pool ports (e.g., 3333, 4444).
- Ensure that services like Langflow run with the principle of least privilege, avoiding root execution.
User Protection
- If applicable, enforce MFA for SSH access to prevent lateral movement via stolen keys.
- Consider deploying EDR solutions on Linux servers to monitor for defense evasion and unauthorized process execution.
Security Awareness
- Educate development and DevOps teams on the risks of deploying unauthenticated AI tools and frameworks to production environments.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.006 - Command and Scripting Interpreter: Python
- T1053.003 - Scheduled Task/Job: Cron
- T1562.001 - Impair Defenses: Disable Tools
- T1562.004 - Impair Defenses: Disable Firewall
- T1222 - File Permissions Modification
- T1021.004 - Remote Services: SSH
- T1496 - Resource Hijacking
- T1531 - Account Access Removal
Additional IOCs
- Urls:
hxxp://83[.]142[.]209[.]214:80/setup_status.php- Secondary C2 endpoint used for status reporting.hxxp://94[.]156[.]64[.]241/r.php- C2 endpoint used by the older 2024 variant.
- File Paths:
/var/tmp/.xlamb/- Hidden persistence directory created by the dropper./var/tmp/init_rmount- Path to the persistence watchdog script../. /. /procq- Obfuscated directory path used to hide the extracted XMRig miner./var/tmp/check_process.log- Log file created by the cron watchdog script.
- Command Lines:
- Purpose: Initial RCE payload execution via Langflow vulnerability | Tools:
python,curl,sh| Stage: Initial Access |__import__('os').system('curl - Purpose: Unlocking directories for persistence installation | Tools:
chattr| Stage: Defense Evasion |chattr -iua /tmp/ - Purpose: Removing rival miner accounts | Tools:
userdel| Stage: Impact |userdel akay - Purpose: Disabling kernel NMI watchdog to hide CPU usage | Tools:
sysctl| Stage: Defense Evasion |sysctl kernel.nmi_watchdog=0 - Purpose: Disabling AppArmor mandatory access control | Tools:
service| Stage: Defense Evasion |service apparmor stop
- Purpose: Initial RCE payload execution via Langflow vulnerability | Tools: