
Trend Micro has uncovered an active and sophisticated campaign exploiting a critical remote code execution (RCE) vulnerability in Langflow, a popular open-source framework for building AI applications. The campaign leverages CVE-2025-3248 to deploy the stealthy and evolving Flodrix botnet, capable of reconnaissance, self-deletion, and launching diverse DDoS attacks.
Langflow, used by tens of thousands of developers to visually prototype intelligent systems, was found vulnerable in versions prior to v1.3.0. The flaw resided in the /api/v1/validate/code endpoint, which allowed unauthenticated users to execute arbitrary Python code on exposed servers.
“Langflow does not enforce input validation or sandboxing… these payloads are compiled and executed within the server’s context, leading to RCE,” the report warns.

Attackers exploited this weakness by submitting malicious POST requests that embedded shell commands inside Python decorators or default argument values.
For example:
This would execute system-level commands and leak the results to a command-and-control (C&C) server.
After gaining remote shell access, attackers downloaded a bash-based loader script named “docker”, which fetched and deployed a new malware variant known as Flodrix. This botnet appears to be a descendant of the LeetHozer family, but with new tricks.
“This variant employs multiple stealth techniques, including self-deletion and artifact removal… and uses string obfuscation to conceal command-and-control addresses,” the report explains.
Once executed, Flodrix:
- Establishes C&C communication over TCP and Tor
- Performs environment reconnaissance and dumps variables
- Enumerates and kills processes like watchdog, busybox, and suspicious /tmp scripts
- Launches DDoS attacks using methods like tcpraw, udpplain, handshake, and ts3
The malware self-deletes after installation, only persisting if it receives the correct parameters.
Flodrix uses an XOR-based decryption routine (qE6MGAbI) to decode command instructions and network details. It even checks for .system_idle hidden files to detect prior infections and avoid reinfection.
Notably, it forks child processes with fake names to evade detection, logs its own PID, and sends structured “KILLDETAIL” messages over UDP to its C&C when suspicious processes are terminated.
“This routine not only prevents duplicate or conflicting instances… but also provides a self-termination or cleanup mechanism,” the report states.
Trend Micro observed that attackers leveraged Shodan and FOFA to identify publicly exposed Langflow servers. They then used a public PoC from GitHub to exploit the systems and deploy the malware.
The malware is evolving rapidly, with newer versions supporting encrypted DDoS configurations, expanded attack vectors, and enhanced evasion techniques.
Related Posts:
- Critical Vulnerability Exposes Langflow Servers to Full Compromise
- Langflow Under Attack: CISA Warns of Active Exploitation of CVE-2025-3248
- Black Basta Ransomware Group Elevates Social Engineering with Microsoft Teams and Malicious QR Codes
- Attacker use DDoS attack to hit three major Dutch banks
- Suspected CoralRaider Expands Attacks, Targets Diverse Victims with Triple-Threat Infostealer Campaign