A network of compromised computers controlled by a malicious actor.
Related Articles:
- Glossary: Volt Typhoon. Volt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group, also known by aliases such as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus. The group has been active since at least mid-2021 and is primarily focused on targeting U.S. critical infrastructure sectors, including communications, energy, transportation, and water systems. Volt Typhoon’s operations are characterized by stealth, persistence, and a focus on pre-positioning within networks for potential disruptive or destructive attacks, especially in the event of geopolitical tensions or military conflict involving the United States.
- Critical vulnerability in popular AI developer IDE, Langflow, is being actively exploited to deploy Flodrix malware. A critical vulnerability in Langflow (CVE-2025-3248) is being actively exploited to deploy the Flodrix botnet, marking a significant threat to AI development infrastructure based on the popular product.
- Glossary: Flodrix Botnet. The Flodrix botnet is a rapidly evolving piece of malware designed to compromise servers—primarily by exploiting a critical remote code execution (RCE) vulnerability in Langflow, a widely used Python-based AI development framework. Once a vulnerable Langflow server is compromised, Flodrix is installed and establishes communication with its command-and-control (C&C) infrastructure.
- Researchers are noticing a resurgence of the Prometei botnet, evolving the threat to further target Linux. The Prometei botnet has experienced a notable resurgence in 2025, particularly with its Linux variant, marking it as a persistent and evolving threat to organizations worldwide. Originally discovered in July 2020 primarily targeting Windows systems, Prometei expanded to Linux in December 2020 and has since continued to evolve both in scope and technical sophistication.
- Glossary: Operational Relay Box. An Operational Relay Box (ORB) network is a sophisticated infrastructure used by cyber threat actors to conduct covert operations, primarily to evade detection, obscure attack origins, and complicate cyber defense efforts. ORB networks are constructed from a mix of compromised devices—such as routers, Internet of Things (IoT) devices, and industrial control systems—and commercially leased virtual private servers (VPS). These devices are often “farmed” by exploiting vulnerabilities in forgotten or unpatched hardware.