EXECUTIVE SUMMARY:
A cryptocurrency-mining campaign has been observed exploiting CVE-2026-33017 and CVE-2025-3248, unauthenticated remote code execution vulnerabilities affecting exposed application infrastructure. The activity demonstrates how attackers are increasingly targeting internet-facing services and artificial intelligence application environments as entry points into enterprise networks. By abusing vulnerable public endpoints, threat actors can gain initial access, execute arbitrary commands, and deploy cryptomining malware that consumes system resources while creating opportunities for broader network compromise.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A cryptocurrency-mining campaign has been observed exploiting CVE-2026-33017 and CVE-2025-3248, unauthenticated remote code execution vulnerabilities affecting exposed application infrastructure. The activity demonstrates how attackers are increasingly targeting internet-facing services and artificial intelligence application environments as entry points into enterprise networks. By abusing vulnerable public endpoints, threat actors can gain initial access, execute arbitrary commands, and deploy cryptomining malware that consumes system resources while creating opportunities for broader network compromise.[emaillocker id="1283"]
The attack chain begins with exploitation of the vulnerable build_public_tmp API endpoint, which improperly processes attacker-controlled flow data containing executable Python code. Successful exploitation enables remote code execution without authentication, allowing attackers to download and execute malicious shell scripts and payloads on affected systems. The deployed malware establishes persistence, terminates competing cryptocurrency miners, disables host security mechanisms, and initiates Monero mining operations. In addition, the malware attempts lateral movement by harvesting and reusing SSH keys, trusted host information, and authentication artifacts to spread across connected Linux systems. This worm-like behavior transforms a single compromised AI application server into a foothold for wider infrastructure compromise.
This campaign highlights the growing security risks associated with exposed AI application platforms and demonstrates how quickly threat actors weaponize newly disclosed vulnerabilities. Beyond unauthorized cryptocurrency mining, successful exploitation can lead to resource exhaustion, increased operational costs, credential exposure, and lateral movement across enterprise environments. Organizations should prioritize remediation of vulnerable Langflow instances, restrict unnecessary public access, review privileged service configurations, and investigate any indicators of compromise as potential security incidents requiring immediate response.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Reconnaissance | T1595.002 | Active Scanning | Vulnerability Scanning |
| Resource Development | T1588.002 | Obtain Capabilities | Tool |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| T1059.006 | Python | ||
| T1106 | Native API | — | |
| T1053.003 | Scheduled Task/Job | Cron | |
| Persistence | T1543.004 | Create or Modify System Process | Launch Daemon |
| Stealth | T1027.002 | Obfuscated Files or Information | Software Packing |
| T1036.005 | Masquerading | Match Legitimate Resource Name or Location | |
| T1070.004 | Indicator Removal | File Deletion | |
| T1140 | Deobfuscate/Decode Files or Information | — | |
| T1564.001 | Hide Artifacts | Hidden Files and Directories | |
| T1574.006 | Hijack Execution Flow | Dynamic Linker Hijacking | |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| T1057 | Process Discovery | — | |
| T1082 | System Information Discovery | — | |
| T1083 | File and Directory Discovery | — | |
| T1614.001 | System Location Discovery | System Language Discovery | |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1105 | Ingress Tool Transfer | — | |
| T1132.001 | Data Encoding | Standard Encoding | |
| Exfiltration | T1020.001 | Automated Exfiltration | Traffic Duplication |
| Impact | T1496.001 | Resource Hijacking | Compute Hijacking |
| T1531 | Account Access Removal | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| Anti-Behavioral Analysis | B0007 | Sandbox Detection |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Collection | E1056 | Input Capture |
| F0002 | Keylogging | |
| E1113 | Screen Capture | |
| Command and Control | B0030 | C2 Communication |
| B0031 | Domain Name Generation | |
| E1105 | Ingress Tool Transfer | |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| F0005 | Hidden Files and Directories | |
| F0007 | Self Deletion | |
| F0015 | Hijack Execution Flow | |
| Discovery | B0013 | Analysis Tool Discovery |
| E1082 | System Information Discovery | |
| E1083 | File and Directory Discovery | |
| Execution | B0011 | Remote Commands |
| B0025 | Conditional Execution | |
| E1059 | Command and Scripting Interpreter | |
| Impact | B0033 | Denial of Service |
| E1486 | Data Encrypted for Impact | |
| B0018 | Resource Hijacking | |
| Lateral Movement | B0026 | Malicious Network Driver |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| B0035 | Shutdown Event | |
| F0013 | Bootkit | |
| Privilege Escalation | F0010 | Kernel Modules and Extensions |
| E1055 | Process Injection | |
| Cryptography Micro-objective | C0029 | Cryptographic Hash |
| Data Micro-objective | C0026 | Encode Data |
| C0030 | Non-Cryptographic Hash | |
| C0032 | Checksum | |
| File System Micro-objective | C0047 | Delete File |
| C0045 | Copy File | |
| C0052 | Writes File | |
| C0051 | Read File | |
| C0046 | Create Directory | |
| Process Micro-objective | C0017 | Create Process |
| C0018 | Terminate Process | |
| C0038 | Create Thread | |
| C0064 | Enumerate Threads | |
| C0065 | Open Process |
REFERENCES:
The following reports contain further technical details:
[/emaillocker]