Vercara’s Open-Source Intelligence (OSINT) Report – June 13 – June 19, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks

(TLP: CLEAR) Recent intelligence reporting highlights the discovery of a malicious cyber campaign exploiting CVE-2025-3248, a critical remote code execution flaw (CVSS 9.8) in Langflow, a Python-based AI application framework, to deploy the Flodrix botnet. The bug, patched in March 2025, allows unauthenticated attackers to deliver shell-based downloader scripts via crafted HTTP requests, enabling Flodrix installation on unpatched servers. Security researchers indicate that threat actors use publicly available PoC code to target exposed Langflow instances, downloading malware from 80.66.75[.]121:25565. Once deployed, Flodrix connects to a command and control (C2) server over TCP and TOR, enabling distributed denial of service (DDoS) attacks and remote control of compromised systems. Furthermore, the malware executes within the server’s context because Langflow lacks input validation and sandboxing. Flodrix, believed to be an evolution of LeetHozer tied to Moobot, includes upgrades such as encrypted DDoS modules, process enumeration via /proc access, self-removal capabilities, and C2 obfuscation to hinder analysis. Security analysts suggest that the same host serves multiple payloads, signaling active campaign development. Additionally, a misconfigured Flodrix C2 server exposing portmapper and NFS shares was later discovered; it identified 745 compromised hosts (mostly internet-connected cameras in Taiwan and the U.S.) and confirmed that Arm-specific malware binaries were used in the campaign.

(TLP: CLEAR) Comments: The exploitation of CVE-2025-3248 in Langflow to deploy the Flodrix botnet highlights ongoing targeting of AI development tools with poor input validation and sandboxing. Notably, the use of Arm-targeted binaries and the high infection rate among internet-connected cameras in Taiwan and the U.S. suggests a deliberate focus on IoT infrastructure. The exposed portmapper and NFS shares on the C2 server indicate operational missteps by the threat actors but also provide rare visibility into campaign scope and tooling. The evolution from LeetHozer to Flodrix reflects continued investment in stealth and DDoS capabilities, warranting continuous and close monitoring for further potential variants.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. Vercara’s DDoS Solution, Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://thehackernews.com/2025/06/new-flodrix-botnet-variant-exploits.html

CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

(TLP: CLEAR) The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive urging U.S. federal agencies to remediate CVE-2023-0386, a high-severity Linux kernel vulnerability in the OverlayFS subsystem that enables local attackers to escalate privileges to root. The flaw, stemming from improper ownership management during file copying between mounts, was patched in January 2023 and impacts major Linux distributions running kernel versions below 6.2, including Debian, Red Hat, Ubuntu, and Amazon Linux. Public proof-of-concept (PoC) exploits released since May 2023 have made this bug trivial to exploit, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog. In line with BOD 22-01, federal agencies must patch affected systems by July 8. CISA emphasized that this vulnerability is actively exploited and represents a serious risk to federal networks. Separately, security researchers also demonstrated root access on multiple distros via CVE-2025-6019, another OverlayFS vulnerability, highlighting continued exposure in user-space privilege escalation. In addition, threat actors can now exploit two further LPE vulnerabilities to gain root: CVE-2025-6018, a PAM misconfiguration on openSUSE Leap 15 and SUSE Linux Enterprise 15, and CVE-2025-6019, a flaw in libblockdev that allows users with “allow_active” privileges to escalate via the udisks daemon, which is installed by default on most Linux systems. It was later confirmed that root privilege compromise across Ubuntu, Debian, Fedora, and openSUSE was obtained by chaining the two into a local-to-root exploit.

(TLP: CLEAR) Comments: The inclusion of CVE-2023-0386 in CISA’s Known Exploited Vulnerabilities catalog confirms active exploitation of a long-patched yet highly impactful Linux OverlayFS flaw, underscoring persistent gaps in patch management across enterprise and federal environments. The flaw’s trivial exploitation, widespread distribution impact, and availability of public PoC code significantly lower the barrier for threat actors. Additionally, Qualys’ discovery of CVE-2025-6019 in the same subsystem highlights the OverlayFS attack surface as an ongoing privilege escalation vector that warrants elevated scrutiny and prioritized hardening across Linux architecture and system deployments.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.

Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-exploiting-linux-flaw-with-poc-exploit/

New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains

(TLP: CLEAR) Recent intelligence reporting highlights a sophisticated phishing campaign dubbed “SERPENTINE#CLOUD” that is actively exploiting Cloudflare Tunnel subdomains to deliver memory-injected payloads through multilayered infection chains, leveraging Python-based loaders and shortcut files disguised as legitimate documents. According to reporting, the campaign begins with invoice-themed phishing emails linking to ZIP archives that contain LNK shortcut files, triggering a sequence of obfuscated scripts and stagers. These retrieve a WSF loader script from a WebDAV share hosted on a Cloudflare subdomain (*.trycloudflare[.]com), which is executed with cscript.exe and deploys the primary payload entirely in memory via the Donut loader. The attack culminates in in-memory execution of remote access trojans such as AsyncRAT and Revenge RAT, while also displaying decoy PDFs and performing AV checks to evade detection. Researchers suggest the loader’s clean syntax and comments may have been generated using a large language model, indicating evolving tradecraft. The use of Cloudflare’s TryCloudflare tunnel infrastructure grants the attackers disposable encrypted transport channels that obfuscate command and control (C2) communications and bypass traditional detection methods without requiring VPS rentals or domain registrations. Similarities were later noted to a distinct malware campaign dubbed “Shadow Vector” targeting Colombian users with SVG-based phishing lures delivering JavaScript and VBS stagers through embedded SVG links. The SVG payloads are often hosted on platforms like Dropbox, Bitbucket, or Discord and initiate modular, in-memory loaders linked to Brazilian malware toolkits, indicating either cross-regional actor collaboration or code reuse.
Meanwhile, drive-by compromises are on the rise through ClickFix-style social engineering attacks that embed malware in CAPTCHA or “fix-it” flows, accounting for 23% of phishing-based tactics between March and May 2025. These chains often deploy stealers like Lumma or remote access trojans using base64-encoded image files hosted on the Internet Archive, tricking users into executing the payloads themselves under the guise of routine actions.

(TLP: CLEAR) Comments: The SERPENTINE#CLOUD campaign exemplifies how threat actors are weaponizing trusted infrastructure—specifically Cloudflare Tunnel subdomains—to obfuscate payload delivery and evade network-based detection. Its use of LNK and WSF-based loaders, in-memory execution via Donut, and possible LLM-generated code reflects a blend of social engineering, stealth, and technical refinement. The pivot to modular, fileless payloads and disposable transport channels highlights a growing trend toward low-footprint persistence. In parallel, SVG smuggling and ClickFix techniques emphasize the shift toward exploiting user behavior over software vulnerabilities, reinforcing the need for advanced email filtering, behavioral monitoring, and user awareness.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.

Source: https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
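The PR.PS-05 recommendation above is a protective-DNS control; the following added example (not code from the report or from any Vercara product) shows the kind of rule such a resolver or a SIEM would apply to DNS query logs to catch the disposable *.trycloudflare.com tunnels used by SERPENTINE#CLOUD and to watch the file-hosting domains used by the Shadow Vector SVG lures. The log format, client addresses, hostnames and the watch-list suffixes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report): "<ts> <client_ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2025-06-16T09:14:02Z 10.1.4.23 update.microsoft.com A
2025-06-16T09:14:05Z 10.1.4.23 rapid-lakes-stone-fence.trycloudflare.com A
2025-06-16T09:14:06Z 10.1.4.23 rapid-lakes-stone-fence.trycloudflare.com AAAA
2025-06-16T09:15:40Z 10.1.4.23 quiet-pine-drum-eager.trycloudflare.com A
2025-06-16T09:20:11Z 10.1.7.8 www.cloudflare.com A
2025-06-16T09:21:00Z 10.1.7.8 dl.dropboxusercontent.com A
2025-06-16T09:22:45Z 10.1.9.50 shy-river-old-ship.trycloudflare.com A
"""

# Quick-tunnel suffix abused by SERPENTINE#CLOUD (named in the report). Any host under it
# is an ephemeral, attacker-controlled endpoint, so the policy verdict is "block".
TUNNEL_SUFFIX = ".trycloudflare.com"

# Assumed hosting suffixes for the platforms the report lists for Shadow Vector lures.
# They carry plenty of legitimate traffic, so the verdict is "watch" (log, do not block).
WATCH_SUFFIXES = (".dropboxusercontent.com", ".bitbucket.org", ".discordapp.com")

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def classify_query(qname):
    """Map one queried name to a policy verdict: block, watch or allow."""
    name = qname.lower().rstrip(".")
    if name.endswith(TUNNEL_SUFFIX):
        return "block"
    if any(name.endswith(suffix) for suffix in WATCH_SUFFIXES):
        return "watch"
    return "allow"


def scan_dns_log(text):
    """Return {client_ip: {"tunnels": [...], "watch": [...]}} for clients with findings."""
    findings = defaultdict(lambda: {"tunnels": set(), "watch": set()})
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than fail the whole scan
        verdict = classify_query(match["qname"])
        if verdict == "block":
            findings[match["client"]]["tunnels"].add(match["qname"].lower())
        elif verdict == "watch":
            findings[match["client"]]["watch"].add(match["qname"].lower())
    return {
        client: {"tunnels": sorted(v["tunnels"]), "watch": sorted(v["watch"])}
        for client, v in findings.items()
        if v["tunnels"] or v["watch"]
    }


def high_confidence_clients(findings, min_tunnels=2):
    """Clients that resolved several distinct tunnel hostnames: consistent with the
    disposable-tunnel rotation the campaign relies on, so worth an analyst's attention."""
    return sorted(c for c, v in findings.items() if len(v["tunnels"]) >= min_tunnels)


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_DNS_LOG)
    for client, detail in results.items():
        print(client, detail)
    print("escalate:", high_confidence_clients(results))
```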

Iran Slows Internet to Prevent Cyber Attacks Amid Escalating Regional Conflict

(TLP: CLEAR) Iran has deliberately restricted its national internet access following an unprecedented Israeli air strike, claiming the measure is a temporary and targeted attempt to maintain network stability and repel cyberattacks. The move coincides with escalating cyber and kinetic exchanges, including retaliatory digital operations from both nation-states and hacktivist groups. Iranian officials attributed the disruption to cyber defense needs, while open-source reporting indicated a significant drop in traffic. At the center of the cyber conflict is the pro-Israel group Predatory Sparrow, which recently claimed responsibility for attacks on Iran’s Bank Sepah and Nobitex crypto exchange, citing ties to terrorism financing and sanction evasion. The Nobitex breach reportedly resulted in up to $100 million in digital asset losses across multiple blockchains. Threat actors used cryptographic vanity addresses that burned stolen funds, signaling a politically motivated operation rather than the typical financial theft. The source code of Nobitex was later leaked, compounding the exchange’s operational strain amid national connectivity issues. Meanwhile, Iranian state-linked groups like Cyber Av3ngers, associated with the IRGC Cyber-Electronic Command, have been accused by the U.S. of targeting global critical infrastructure using the IOCONTROL malware. The Iranian government has also warned citizens against using WhatsApp, accusing the platform of being a tool for Israeli surveillance—claims Meta has firmly denied. Simultaneously, groups like Mysterious Team Bangladesh and Arabian Ghost are threatening regional actors aligned with Israel and have claimed responsibility for targeting Israeli media assets.
This cyber escalation, now coupled with cryptocurrency sabotage, distributed denial of service (DDoS) attacks, propaganda campaigns, and ICS targeting, underscores a broader digital proxy war in which offensive cyber operations are tightly coupled with geopolitical conflict.

(TLP: CLEAR) Comments: Iran’s decision to throttle national internet access in response to escalating conflict with Israel underscores how state-level actors increasingly integrate network disruption as a defensive cyber strategy. While officially framed as a stability measure, the move likely aims to disrupt foreign cyber operations and limit internal dissent or information flow. Additionally, the coordinated activity by groups like Predatory Sparrow and Cyber Av3ngers illustrates a rapidly intensifying hybrid threat environment, where geopolitical tensions manifest through simultaneous kinetic strikes and advanced cyber operations targeting financial, infrastructure, and civilian sectors. Cyber Av3ngers and similar groups frequently deploy DDoS as a disruption tool, aiming to degrade the availability of media outlets, financial institutions, and government services—fitting into a broader strategy of digital destabilization during conflict.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”

(TLP: CLEAR) Vercara: Vercara’s DDoS Solution, Vercara UltraDDoS Protect, provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://thehackernews.com/2025/06/iran-restricts-internet-access-to.html

Telecom Giant Viasat Breached by China’s Salt Typhoon

(TLP: CLEAR) Satellite communications provider Viasat has confirmed it was targeted by China’s state-sponsored cyber-espionage group Salt Typhoon, which has a long track record of breaching telecom infrastructure across the U.S. and globally. Viasat, which serves military, government, aviation, maritime, and enterprise clients and maintains nearly 189,000 broadband subscribers in the U.S., disclosed that the breach stemmed from unauthorized access via a compromised device. While no customer impact has been confirmed, the company engaged federal authorities and third-party cybersecurity experts to investigate and remediate the intrusion. Salt Typhoon—active since at least 2019—was also behind a wave of breaches between December 2024 and January 2025 targeting unpatched Cisco IOS XE devices across telecom networks worldwide. The group’s past intrusions have included access to U.S. law enforcement wiretap systems and private communications of government officials. The breach follows a previous Viasat compromise by Russian hackers in 2022, who deployed AcidRain malware to wipe modems on the KA-SAT satellite service just before the Ukraine invasion, impacting thousands of users across Europe. As of this month, CISA, NSA, and the FBI have attributed Salt Typhoon activity to confirmed breaches at major providers including AT&T, Verizon, Lumen, Charter, Windstream, Consolidated Communications, Comcast, and Digital Realty, highlighting the group’s continued focus on deeply embedded telecom infrastructure and surveillance capabilities.

(TLP: CLEAR) Comments: Although Viasat reported no direct customer impact, the use of a compromised network device aligns with Salt Typhoon’s known exploitation of unpatched Cisco IOS XE systems, highlighting persistent supply chain and infrastructure-layer vulnerabilities. The group’s prior access to U.S. wiretap systems and private communications suggests a focus not just on data collection but on surveillance at scale. Given Viasat’s role in defense and satellite communications, this incident raises concerns about lateral movement into sensitive environments.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breached-by-chinas-salt-typhoon-hackers/


About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
