SaaS-Style Cybercrime: Attackers Weaponize Langflow RCE and NATS Messaging for Ultra-Scalable C2

A sophisticated new command-and-control (C2) technique has emerged, revealing threat actors who operate more like modern SaaS providers than traditional malware distributors.

Recently, the Sysdig Threat Research Team (TRT) uncovered an advanced attack campaign that ditches conventional HTTP panels and chat apps in favor of enterprise-grade distributed messaging. By weaponizing a NATS server, attackers have created a highly resilient, scalable, and operationally secure infrastructure.

“The Sysdig TRT has dubbed this technique ‘NATS-as-C2,'” the researchers stated. Rather than relying on traditional methods, the threat actors leveraged infrastructure commonly associated with modern distributed systems.

The attack chain begins with AI tooling. The Sysdig TRT traced the malicious activity to an active exploitation attempt targeting CVE-2026-33017. This unauthenticated remote code execution (RCE) vulnerability in the Langflow visual-flow platform was added to the CISA KEV catalog on March 25, 2026.

During a 30-minute window of hands-on-keyboard activity, an operator operating from a DigitalOcean IP (159.89.205.184) downloaded both a Python worker and a Go binary to the compromised instance. The attackers then aggressively attempted to break out of the containerized environment using known Linux privilege escalation exploits, specifically DirtyPipe and DirtyCreds.

While Sysdig was able to capture the payload, the real revelation was the attacker’s coordination plane: an authenticated, ACL-enforced NATS server hosted at 45.192.109.25:14222.

Using a native pub/sub message broker grants the attackers massive architectural advantages:

• Horizontal Scaling & OPSEC: Messages like result.scan can reach every aggregator on the network without individual workers ever needing to enumerate their peers. This keeps the overall botnet topology hidden even if a single worker node is captured.
• Durability & Auth: The setup utilizes native TLS and nkey authentication, while leveraging JetStream to provide durable queues. This means a malicious worker can drop offline and reconnect later without losing its assigned tasks or stolen data.

The researchers noted several specific NATS publish subjects under the worker’s ACL, such as heartbeat.worker, scan.result, and keyhunter.result.

“The technical bar to operate NATS-as-C2 infrastructure is meaningfully higher than running a Flask panel,” the Sysdig TRT report emphasized. “The operator at 159.89.205.184 is closer to running a small SaaS than the script kits that are often seen in credential harvesting botnets.”

To defend against this highly scalable threat, network and security administrators should take immediate action:

• Patch AI Tooling: Immediately update Langflow to a version that patches CVE-2026-33017, as the unauthenticated nature of the vulnerable endpoint makes mass scanning trivial.
• Lock Down Egress: Platforms like Langflow and n8n typically only need outbound access to specific database or LLM endpoints. Egress allowlisting is critical, as broad outbound access gives malicious workers the exact channel they need to phone home to a NATS broker.
• Block Known IOCs: Block outbound traffic to the known malicious endpoints: 45.192.109.25:14222 and 159.89.205.184:8888.
• Rotate Secrets: Any API keys (AWS, OpenAI, Anthropic, Hugging Face) that were reachable from a vulnerable Langflow instance must be rotated immediately, as the captured worker malware was observed validating these credentials in real-time.