From Langflow to Monero: Inside CVE-2026-33017 Cryptominer

    Date: 06/24/2026

    Severity: High

    Summary

    We detected a cryptocurrency-mining campaign exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow. The attack marks a shift in delivery vectors, specifically targeting exposed AI application endpoints. The malware disables host-level security controls, deploys a custom miner, and establishes persistence. It can degrade system performance, increase costs, and move laterally to other systems via reused SSH keys. Organizations should immediately audit Langflow instances for internet exposure and excessive account privileges. To mitigate risks, apply security updates, restrict public access, and treat any compromise as a major incident.

    Indicators of Compromise (IOC) List

    Domains/URLs:
    http://83.142.209.214/status.php
    http://83.142.209.214/setup_status.php
    http://83.142.209.214:8080/isp.sh
    http://83.142.209.214:8080/lambsys
    http://83.142.209.214:8080/ks.tar
    http://94.156.64.241/r.php
    ipinfo.io

    IP Address:
    34.117.59.81

    Hash (SHA-256):
    71af8bd9b8019b7e5f460ce4c5c14ff7716a2c2faaaf1f274ceaa54cb89723bc
    33588aa446984d3340cab686d38f2aa85a70eb3f76c459da3eef0304592b99df
    ddde47bf00324075c7eeb0b9d0ff0a5d1b95bfc619aca4b5def85263838212f2

    User-agent:
    Go-http-client/1.1
    SystemMonitor/6.25.0 (Linux x86_64)
    libuv/1.24.1
    gcc/8.3.0

    Wallet:
    47VVuaLN6h3DiFjCgHMSBE4m4VMHcoowv2ZGQp4M7hLWNfQKJkjbZT31CsLiouPrvtNRRC7dPXJjDNsfS3bvQPKAEzZYJSw

    File Path:
    /var/tmp/.xlamb/
    /var/tmp/.xlamb/lambsys
    /var/tmp/init_rmount
    /var/spool/cron/crontabs/user (727 bytes)
    ./.   /.   /procq
    /tmp/.X11-unix/01
    /tmp/.X11-unix/11
    /tmp/.X11-unix/22
    /tmp/.systemd.1
    /tmp/.systemd.2
    /tmp/.systemd.3
    /etc/rcS.d/K01apparmor

    Command:
    userdel akay
    userdel vfinder
    sysctl kernel.nmi_watchdog=0

    Suricata SID:
    2024897 (ET USER_AGENTS Go HTTP Client)
    2025331 (ET INFO ipinfo.io in SNI)

    Ports:
    3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://83.142.209.214:8080/isp.sh" or url like "http://83.142.209.214:8080/isp.sh" or siteurl like "http://83.142.209.214:8080/isp.sh" or domainname like "http://83.142.209.214/status.php" or url like "http://83.142.209.214/status.php" or siteurl like "http://83.142.209.214/status.php" or domainname like "ipinfo.io" or url like "ipinfo.io" or siteurl like "ipinfo.io" or domainname like "http://83.142.209.214:8080/ks.tar" or url like "http://83.142.209.214:8080/ks.tar" or siteurl like "http://83.142.209.214:8080/ks.tar" or domainname like "http://83.142.209.214/setup_status.php" or url like "http://83.142.209.214/setup_status.php" or siteurl like "http://83.142.209.214/setup_status.php" or domainname like "http://83.142.209.214:8080/lambsys" or url like "http://83.142.209.214:8080/lambsys" or siteurl like "http://83.142.209.214:8080/lambsys" or domainname like "http://94.156.64.241/r.php" or url like "http://94.156.64.241/r.php" or siteurl like "http://94.156.64.241/r.php"

    Detection Query 2 :

    dstipaddress IN ("34.117.59.81") or srcipaddress IN ("34.117.59.81")

    Detection Query 3 :

    sha256hash IN ("71af8bd9b8019b7e5f460ce4c5c14ff7716a2c2faaaf1f274ceaa54cb89723bc","33588aa446984d3340cab686d38f2aa85a70eb3f76c459da3eef0304592b99df","ddde47bf00324075c7eeb0b9d0ff0a5d1b95bfc619aca4b5def85263838212f2")

    Detection Query 4 :

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("/var/tmp/.xlamb","/var/tmp/.xlamb/lambsys","/var/tmp/init_rmount","/var/spool/cron/crontabs/%","./.   /.   /procq","/tmp/.X11-unix/01","/tmp/.X11-unix/11","/tmp/.X11-unix/22","/tmp/.systemd.1","/tmp/.systemd.2","/tmp/.systemd.3","/etc/rcS.d/K01apparmor")

    Detection Query 5 :

    technologygroup = "EDR" and objectname IN ("/var/tmp/.xlamb","/var/tmp/.xlamb/lambsys","/var/tmp/init_rmount","/var/spool/cron/crontabs/%","./.   /.   /procq","/tmp/.X11-unix/01","/tmp/.X11-unix/11","/tmp/.X11-unix/22","/tmp/.systemd.1","/tmp/.systemd.2","/tmp/.systemd.3","/etc/rcS.d/K01apparmor")

    Detection Query 6 :

    Resourcename = "Unix" and (processname like "userdel akay" or processname like "userdel vfinder" or processname like "sysctl kernel.nmi_watchdog=0")

    Detection Query 7 :

    technologygroup = "EDR" and (commandline like "userdel akay" or commandline like "userdel vfinder" or commandline like "sysctl kernel.nmi_watchdog=0")
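As an added example (not part of this advisory or of Gurucul's product), the matching behind Queries 4 through 7 and the port list above, expressed as a Python triage script over constructed, normalised event lines. The host=/type= line format, the hostnames and the 198.51.100.7 pool address are assumptions; the indicator values are the ones listed on this page.

```python
import re
from collections import defaultdict
# Indicators taken from the advisory above (paths, commands, hosts, pool ports).
IOC_PATHS = {"/var/tmp/.xlamb", "/var/tmp/.xlamb/lambsys", "/var/tmp/init_rmount",
             "/tmp/.X11-unix/01", "/tmp/.X11-unix/11", "/tmp/.X11-unix/22", "/tmp/.systemd.1",
             "/tmp/.systemd.2", "/tmp/.systemd.3", "/etc/rcS.d/K01apparmor"}
IOC_COMMANDS = {"userdel akay", "userdel vfinder", "sysctl kernel.nmi_watchdog=0"}
IOC_IPS = {"83.142.209.214", "94.156.64.241", "34.117.59.81"}
MINING_PORTS = {3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380}
# Hypothetical normalised event format (an assumption, not a real product format):
#   host=<name> type=exec cmd=<cmdline> | type=file path=<path> | type=net dst=<ip>:<port>
LINE_RE = re.compile(r"host=(\S+) type=(exec|file|net) \w+=(.*)")

def classify(kind, value):
    """Map one event to the indicator category it matches, or None."""
    if kind == "exec" and any(cmd in value for cmd in IOC_COMMANDS):
        return "defense-evasion-command"
    if kind == "file":  # the crontabs prefix mirrors the "crontabs/%" wildcard in Query 4
        if value.rstrip("/") in IOC_PATHS or value.startswith("/var/spool/cron/crontabs/"):
            return "dropped-file-or-cron"
    if kind == "net":
        ip, _, port = value.rpartition(":")
        if ip in IOC_IPS:
            return "c2-or-payload-host"
        if port.isdigit() and int(port) in MINING_PORTS:
            return "mining-pool-port"
    return None

def hunt(log_lines):
    """Group matches per host; a host hitting two or more distinct categories is flagged,
    since a lone connection to a pool port can be unrelated traffic on a reused port."""
    hits = defaultdict(dict)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, kind, value = m.groups()
        category = classify(kind, value)
        if category:
            hits[host].setdefault(category, []).append(value)
    return {h: {"categories": sorted(c), "suspect": len(c) >= 2} for h, c in hits.items()}
# Constructed sample events; hostnames and the 198.51.100.7 pool address are made up.
SAMPLE_LOGS = [
    "host=ai-node-1 type=exec cmd=/usr/sbin/userdel akay",
    "host=ai-node-1 type=file path=/var/spool/cron/crontabs/user",
    "host=ai-node-1 type=net dst=83.142.209.214:8080",
    "host=ai-node-1 type=net dst=198.51.100.7:3333",
    "host=build-2 type=net dst=198.51.100.7:4444",
    "host=build-2 type=exec cmd=useradd deploy",
]
```

Running `hunt(SAMPLE_LOGS)` flags ai-node-1 on four categories and leaves build-2 unflagged on its single pool-port hit.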

    Reference:

    https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html


    Tags: Vulnerability, Exploit, cryptocurrency, CVE-2026, AI, Monero, Langflow
