A new variant of the Flodrix botnet has entered the scene, and it’s taking aim at poorly secured open-source tools with an unusual level of stealth and versatility.
The newest Flodrix variant builds on the same old principles: find vulnerable software, exploit it for remote access, and quietly conscript the machine into a global network of bots. But the toolkit is evolving fast. We’re now seeing DDoS malware equipped with encrypted C2 channels, automatic update systems, and cross-architecture payloads designed for scale.
Who’s the latest Flodrix target?
This latest campaign targets Langflow, a Python-based platform used to build LLM-powered applications. The vulnerability it exploits, CVE-2025-3248, allows unauthenticated attackers to run arbitrary code through a debug API, a simple misconfiguration with outsized consequences.
How does Flodrix attack?
The infection chain begins with internet-wide scans looking for Langflow instances with exposed developer endpoints. Attackers use publicly available exploits – often shared on GitHub within days of a CVE being published – to send crafted payloads that abuse Python’s abstract syntax tree parser, which in turn leads to full code execution.
From there, a downloader script connects to an IP address hardcoded in the exploit chain, which fetches a compiled binary tailored to the victim’s architecture, whether ARM, MIPS, or x86. Once executed, this payload installs the Flodrix botnet client and begins its silent operations.
What sets this Flodrix variant apart?
1. Multi-protocol C2 communication
Unlike simpler botnets, Flodrix communicates over both TCP and UDP, and even includes optional support for routing through the Tor network. This complicates detection, as traffic may appear innocuous or bypass standard firewall rules.
2. Encrypted payloads and obfuscation
Strings inside the binary are XOR-encrypted (key: qE6MGAbI), which hides configuration data like C2 IPs and attack instructions. Basic static analysis won’t reveal much.
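As an added illustration (not code from the post, from FastNetMon, or from the Flodrix binary), the Python below recovers repeating-key XOR strings of the kind described above using the key quoted in the post. The byte blob it scans is constructed here, and the string-table layout it assumes (each string XOR'd from key index 0, NUL terminator XOR'd as well) is an assumption, not something the post states.

```python
import string

KEY = b"qE6MGAbI"  # XOR key quoted in the post

# Printable ASCII minus vertical-tab/form-feed, which never occur in config strings
PRINTABLE = set(bytes(string.printable, "ascii")) - {0x0B, 0x0C}

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_xor_strings(blob: bytes, key: bytes, min_len: int = 6):
    """Recover strings that were XOR'd with `key` starting at key index 0
    and stored with their NUL terminator also XOR'd (assumed layout of an
    embedded string table). Every offset is tried as a string start, so
    the key phase of each string is handled. Returns [(offset, text)]."""
    found, i, n = [], 0, len(blob)
    while i < n:
        j, terminated = i, False
        while j < n:
            dec = blob[j] ^ key[(j - i) % len(key)]
            if dec == 0:  # XOR'd NUL terminator reached
                terminated = True
                break
            if dec not in PRINTABLE:
                break
            j += 1
        if terminated and j - i >= min_len:
            found.append((i, xor_bytes(blob[i:j], key).decode("ascii")))
            i = j + 1  # skip past the terminator
        else:
            i += 1
    return found

def build_sample_blob() -> bytes:
    """Constructed sample, not bytes from a real binary: three strings the
    post mentions, XOR'd from key index 0, with junk bytes between entries."""
    entries = [b"KILLDETAIL|", b"80.66.75[.]121:25565", b"tcpraw"]
    blob = b"\x7f\xfe\x01"
    for e in entries:
        blob += xor_bytes(e + b"\x00", KEY) + b"\xff\x13\x02"
    return blob

if __name__ == "__main__":
    for off, text in find_xor_strings(build_sample_blob(), KEY):
        print(f"0x{off:04x}: {text}")
```

The same scanner can be pointed at a real sample's data section once the key is known; a binary that uses a different per-string phase or a plain (unencoded) terminator needs the terminator check adjusted.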
3. Process enumeration and targeting
Once active, Flodrix combs through /proc to identify running processes and services. It may terminate known daemons or resource-intensive processes, reporting this back to its controller via an encrypted message format (KILLDETAIL|…).
4. Self-deletion and evasion
The malware can delete itself after execution if no valid arguments are provided, removing evidence from the infected system. It also clears installation traces, log entries, and temporary files.
5. DDoS attack modes
It supports a wide range of encrypted DDoS vectors, including:
* tcpraw
* udpplain
* handshake
* tcplegit
* ts3 (TeamSpeak-based flooding)
Each mode targets different layers and protocols, enabling attackers to bypass traditional filtering methods.
Who’s being targeted by Flodrix?
So far, most infections have occurred in Asia and North America, according to Censys data. Over 700 IPs have been flagged as compromised, many of them IoT devices and embedded systems running vulnerable configurations of Langflow or exposed container services.
This botnet appears to be architecture-agnostic. Its binaries are compiled for multiple chipsets, including ARM variants found in routers, DVRs, and NAS units. That’s a clear indicator of how attackers are looking for broad coverage, not just traditional servers.
How does Flodrix fit into the bigger picture?
If the original Flodrix strain was a basic DDoS tool, this variant looks like a full-fledged platform. It borrows ideas from earlier families like Moobot and LeetHozer, while adding its own refinements in obfuscation, modularity, and adaptability.
We’re seeing a clear shift in botnet design:
* Less visibility: Through encrypted traffic and stealthy execution.
* More automation: Infection, update, and execution steps are tightly scripted.
* Greater reach: With binaries built for everything from home routers to public cloud instances.
This mirrors what we saw after Mirai’s codebase was leaked – a spike in derivative projects and more hands on the tooling. But Flodrix isn’t just another clone. It shows an understanding of how to blend into cloud environments and sidestep modern defences.
What are defenders up against?
In practical terms, detection and mitigation become more complex when:
* The malware deletes itself after execution.
* Communication is encrypted or routed through Tor.
* Target devices are under-monitored or run default configurations.
* Attack traffic mimics legitimate services or leverages rarely filtered protocols.
Flodrix also reflects the growing use of open-source software as an attack vector. While Langflow isn’t inherently insecure, misconfigured deployments – especially those exposing developer interfaces – are proving to be fertile ground for attackers.
What should network engineers look for?
A few indicators may help identify compromised systems or attack attempts:
* Unusual outbound UDP/TCP traffic on non-standard ports.
* Devices connecting to IPs like 80.66.75[.]121:25565.
* Short-lived processes executing shell scripts or unknown binaries.
* POST requests to /api/v1/validate/code with embedded Python payloads.
If you’re running Langflow or similar tools in production, make sure developer endpoints are disabled or properly secured. Even better, isolate those environments from public access altogether.
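An added example, not from the post or from FastNetMon's product: a small Python triage script that applies two of the indicators above (the listed C2 address and port, and POSTs to the Langflow validate endpoint) to constructed access-log and connection-log lines. The log formats, field layout and sample addresses are assumptions made here for illustration.

```python
import re

# Indicators quoted in the post; the C2 address stays defanged in source and is re-fanged only for matching.
C2_IP = "80.66.75[.]121".replace("[.]", ".")
C2_PORT = 25565
LANGFLOW_PATH = "/api/v1/validate/code"

# Assumed log formats (not from the post): a combined-style HTTP access log
# in front of Langflow, and a "ts proto src:port -> dst:port" connection log.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)"
)

def check_access_line(line: str):
    """Flag POSTs to the Langflow code-validation endpoint. The access log has
    no request body, so the endpoint being hit is the signal, not the payload."""
    m = ACCESS_RE.match(line)
    if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == LANGFLOW_PATH:
        return f"langflow-validate-code src={m['src']} status={m['status']}"
    return None

def check_conn_line(line: str):
    """Flag any TCP/UDP connection to the C2 IP:port the post lists."""
    m = CONN_RE.match(line)
    if m and m["dst"] == C2_IP and int(m["dport"]) == C2_PORT:
        return f"flodrix-c2 src={m['src']} proto={m['proto']}"
    return None

def scan(lines):
    """Run both checks over log lines and return the alert strings."""
    alerts = []
    for line in lines:
        hit = check_access_line(line) or check_conn_line(line)
        if hit:
            alerts.append(hit)
    return alerts

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    '203.0.113.9 - - [11/Jun/2025:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [11/Jun/2025:10:01:05 +0000] "GET /api/v1/flows HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    "2025-06-11T10:01:09Z tcp 10.0.0.5:51234 -> 80.66.75.121:25565",
    "2025-06-11T10:01:10Z udp 10.0.0.5:41000 -> 10.0.0.1:53",
]
if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```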
Looking ahead
The Flodrix case shows just how quickly botnets evolve when new exploits emerge. Within weeks of CVE-2025-3248’s disclosure, attackers had weaponised it, deployed infrastructure, and begun real-world attacks, showing us once again that modern botnets aren’t static threats. On the contrary, they’re adaptive, opportunistic, and increasingly modular. As defenders, we need to watch both the tools and the terrain.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com