The Flodrix botnet is a rapidly evolving piece of malware designed to compromise servers—primarily by exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-3248) in Langflow, a widely used Python-based AI development framework. Once a vulnerable Langflow server is compromised, Flodrix is installed and establishes communication with its command-and-control (C&C) infrastructure, enabling the attackers to:
• Launch distributed denial-of-service (DDoS) attacks against chosen targets
• Conduct extensive reconnaissance on infected systems
• Potentially exfiltrate sensitive information from compromised hosts
Flodrix is notable for its advanced evasion techniques, including self-deletion, artifact removal, string obfuscation, and the use of encrypted communications, making it difficult for defenders to detect and analyze.
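One host-side check for the self-deletion behaviour described above, written here as an added example and not taken from the article or from any published Flodrix analysis: on Linux, a process whose binary was unlinked after launch keeps running, but `/proc/<pid>/exe` then resolves to the original path with ` (deleted)` appended. The script walks a `/proc`-style tree and reports such processes; the sample tree it builds (pids, names and paths) is constructed for illustration only.

```python
import os
import tempfile


def exe_is_deleted(link_target: str) -> bool:
    """The kernel appends ' (deleted)' to the readlink() result of
    /proc/<pid>/exe once the executable has been unlinked from disk."""
    return link_target.endswith(" (deleted)")


def scan_proc(proc_root: str = "/proc") -> list[dict]:
    """Return every process under proc_root whose on-disk binary is gone."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # only <pid> directories matter
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:
            continue                     # kernel thread, no permission, or exited
        if not exe_is_deleted(target):
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        hits.append({"pid": int(entry), "exe": target, "comm": comm})
    return hits


def build_sample_proc() -> str:
    """Constructed stand-in for /proc: one ordinary daemon and one process
    whose binary was removed after it started (names and paths are made up)."""
    root = tempfile.mkdtemp()
    samples = [
        ("101", "sshd", "/usr/sbin/sshd"),
        ("202", "kworker", "/tmp/.cache/dropped (deleted)"),
    ]
    for pid, comm, exe in samples:
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # mimics the kernel's link text
        with open(os.path.join(pid_dir, "comm"), "w") as f:
            f.write(comm + "\n")
    return root


if __name__ == "__main__":
    for hit in scan_proc(build_sample_proc()):
        print(f"pid {hit['pid']} ({hit['comm']}) running from {hit['exe']}")
```

Run it against the real `/proc` as root to cover every process; a binary replaced by a package upgrade while still running produces the same marker, so treat a hit as a lead to correlate with the process's parent, network connections and start time rather than as proof of compromise.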
History of the Flodrix Botnet
• April 2025: The critical vulnerability (CVE-2025-3248) in Langflow is disclosed and patched in version 1.3.0, but many servers remain unpatched and exposed.
• May 2025: Public proof-of-concept (PoC) exploits for the vulnerability emerge, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds the flaw to its Known Exploited Vulnerabilities catalog.
• May–June 2025: Active exploitation begins. Attackers scan the internet for vulnerable Langflow instances, use PoC exploits to gain shell access, and deploy the Flodrix malware.
• June 2025: Security researchers (notably from Trend Micro) document the campaign, confirming that Flodrix is being actively developed, with new downloader scripts and features appearing rapidly.
Technical Roots
Flodrix is assessed to be an evolution of the LeetHozer malware family, which was previously analyzed by Chinese security firm Qihoo 360 in 2020. The Flodrix variant incorporates new features such as enhanced stealth, encrypted DDoS attacks, and improved process enumeration and termination routines.
Who Runs the Flodrix Botnet?
As of June 2025, the operators behind Flodrix remain unidentified. Security researchers have not attributed the campaign to any known threat actor with high confidence. However, several clues are available:
• The infrastructure hosting downloader scripts for Flodrix is shared among multiple campaigns, suggesting an organized and active development effort.
• Flodrix is linked to the Moobot group through its lineage with LeetHozer, but direct attribution to a specific group or individual has not been established.
• The campaign displays characteristics of profit-driven cybercriminal operations, focusing on DDoS-for-hire and mass exploitation of vulnerable servers.