Cybersecurity researchers have called attention to a new campaign that actively exploits a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware.

"Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn […]," Trend Micro researchers noted in a technical report published today.
The activity entails the exploitation of CVE-2025-3248 (CVSS score: 9.8), a missing-authentication vulnerability in Langflow, a Python-based framework for building AI applications.

Successful exploitation of the flaw could allow an unauthenticated attacker to execute arbitrary code via crafted HTTP requests. It was patched by Langflow in March 2025 with version 1.3.0; any instance still on an earlier release and reachable over HTTP should be treated as exposed.
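The first thing a defender wants from an advisory like this is a reliable "am I below the fix version?" check. The following script is an added example, not code from the article, from Trend Micro or from the Langflow project. It assumes only what the article states (releases before 1.3.0 are affected) and conservatively treats pre-releases of 1.3.0 (rc, dev, alpha, beta tags) as still vulnerable, since those predate the fix release; the version strings it is exercised with are constructed test inputs.

```python
"""Check whether a Langflow version predates the 1.3.0 fix for CVE-2025-3248.

Added example, not from the original article or the Langflow project.
Assumption (from the article): versions before 1.3.0 are vulnerable.
Assumption (ours, conservative): a 1.3.0 pre-release (1.3.0rc1, 1.3.0.dev2)
is treated as vulnerable because it predates the 1.3.0 release.
"""
import importlib.metadata
import re
from typing import Optional, Tuple

FIXED_VERSION = (1, 3, 0)  # first release carrying the fix, per the article

# Leading 'v' is tolerated; the numeric release segment is captured, followed by
# an optional PEP 440-style pre-release tag (a, b, rc, dev, alpha, beta).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>[.\-]?(?:alpha|beta|rc|dev|a|b)\d*)?",
    re.IGNORECASE,
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a version string.

    Missing components are padded with zeros ('1.3' -> (1, 3, 0)).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group("release").split("."))
    parts = (parts + (0, 0, 0))[:3]
    return parts, m.group("pre") is not None


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 1.3.0 fix release."""
    release, is_pre = parse_version(version)
    if release < FIXED_VERSION:
        return True
    # A 1.3.0 pre-release shipped before 1.3.0 itself: flag it rather than
    # assume the fix was already present in that build.
    return release == FIXED_VERSION and is_pre


def installed_langflow_version() -> Optional[str]:
    """Version of the langflow package in this interpreter, or None if absent."""
    try:
        return importlib.metadata.version("langflow")
    except importlib.metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_langflow_version()
    if v is None:
        print("langflow is not installed in this environment")
    else:
        state = "VULNERABLE (upgrade to >= 1.3.0)" if is_vulnerable(v) else "patched"
        print(f"langflow {v}: {state}")
```

Run it inside the virtual environment that actually serves Langflow; a check run from a different interpreter reports the wrong package. A version string is only a hint for a container or an image that was built from source, in which case compare the deployed commit against the 1.3.0 tag instead.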
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged active exploitation of CVE-2025-3248 in the wild, and the SANS Internet Storm Center reported that it had observed exploitation attempts against its honeypot servers.

Trend Micro's latest findings show that threat actors are weaponizing publicly available proof-of-concept (PoC) code for the flaw to drop a shell script that is responsible for retrieving and executing the Flodrix botnet malware from a remote server ("80.66.75[.]121:25565").
Once installed, Flodrix establishes a connection with a remote server to receive commands over TCP and launch distributed denial-of-service (DDoS) attacks against target IP addresses of interest. The botnet also supports connections over the Tor anonymity network.
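The one concrete indicator the article gives, 80.66.75[.]121:25565, is enough to sweep connection telemetry for hosts that fetched the payload or are talking to the staging server. The script below is an added example, not code from the article or from Trend Micro: it refangs the indicator as printed, then scans constructed Zeek conn.log-style lines (not real telemetry) for TCP connections to that exact address and port. It matches the full tuple on purpose: port 25565 alone is the default Minecraft server port and would produce false positives on any network with gamers, and the article ties the command channel to TCP, so UDP to the same tuple is not counted as a hit.

```python
"""Find hosts that connected to the Flodrix staging/C2 indicator from the article.

Added example, not from the original article or Trend Micro. The only
indicator used is the one the article prints; the log lines below are
constructed, Zeek conn.log-style TSV (simplified field order), not real data.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFANGED_IOC = "80.66.75[.]121:25565"  # exactly as the article reports it


def refang(indicator: str) -> Tuple[str, int]:
    """Turn a defanged 'a.b.c[.]d:port' string into ('a.b.c.d', port)."""
    ip_s, _, port_s = indicator.replace("[.]", ".").partition(":")
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ip_s):
        raise ValueError(f"not an IPv4 indicator: {indicator!r}")
    return ip_s, int(port_s)


IOC_IP, IOC_PORT = refang(DEFANGED_IOC)

# Constructed sample. Columns: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1718000001.1\tCx1\t10.0.0.5\t51234\t142.250.74.78\t443\ttcp
1718000002.4\tCx2\t10.0.0.7\t40022\t80.66.75.121\t25565\ttcp
1718000003.0\tCx3\t10.0.0.7\t40023\t80.66.75.121\t80\ttcp
1718000004.2\tCx4\t10.0.0.9\t53001\t80.66.75.121\t25565\tudp
1718000005.9\tCx5\t10.0.0.5\t51300\t80.66.75.121\t25565\ttcp
"""

_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")


def parse_conn_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one TSV record; return None for comments, headers and malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(_FIELDS):
        return None
    return dict(zip(_FIELDS, fields))


def find_c2_connections(log_text: str, ip: str = IOC_IP, port: int = IOC_PORT) -> List[Dict[str, str]]:
    """Return every TCP record whose responder is exactly (ip, port).

    Matching the full ip:port:proto tuple avoids the port-only false positives
    that 25565 (Minecraft's default port) would otherwise cause.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if rec["resp_h"] == ip and int(rec["resp_p"]) == port and rec["proto"].lower() == "tcp":
            hits.append(rec)
    return hits


def affected_hosts(log_text: str) -> List[str]:
    """Distinct internal hosts that reached the indicator; these are the boxes to triage."""
    return sorted({rec["orig_h"] for rec in find_c2_connections(log_text)})


if __name__ == "__main__":
    for rec in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"{rec['ts']} {rec['uid']}: {rec['orig_h']}:{rec['orig_p']} -> {rec['resp_h']}:{rec['resp_p']}")
    print("hosts to triage:", affected_hosts(SAMPLE_CONN_LOG))
```

Any host that appears in the output should be checked for a Langflow install below 1.3.0 and for the downloader script the article describes; a connection to the indicator on a different port (Cx3 above) is still worth a look, which is why the port is a parameter rather than hard-coded. Because the sample also supports Tor, absence of a hit here does not clear a host whose outbound traffic leaves through a Tor circuit.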
"Since Langflow does not perform input validation or sandboxing, these payloads are compiled and executed within the server's context, leading to remote code execution (RCE)," the researchers said. "Based on these stages, the attacker likely profiles all vulnerable servers and uses the collected data to identify high-value targets for future infections."

Trend Micro said it identified unknown threat actors executing different downloader scripts on the same hosts used to obtain Flodrix, which suggests the campaign is actively evolving.

Flodrix is assessed to be an evolution of another botnet called LeetHozer, which has been linked to the Moobot group. The updated variant includes the ability to remove itself, minimize forensic traces, and complicate analysis efforts by obfuscating command-and-control (C2) server addresses and other important indicators.

"Another notable change is the introduction of new DDoS attack types, which are now also encrypted, adding another layer of obfuscation," Trend Micro said. "The new sample also notably enumerates running processes by opening /proc to access all running processes."