Sysdig TRT discovered “NATS-as-C2,” a novel command-and-control approach where the KeyHunter operator used a NATS server to coordinate a credential-harvesting worker after exploiting CVE-2026-33017 in Langflow. The operation also attempted container escape with DirtyPipe and DirtyCreds, validated stolen AWS keys, and targeted cloud and AI credentials from code-sandbox platforms.
Key points
- Sysdig TRT identified a new C2 model dubbed “NATS-as-C2,” where a NATS server at 45.192.109.25:14222 served as the attacker’s coordination plane.
- The activity was tied to CVE-2026-33017, an unauthenticated RCE in Langflow that was added to the CISA KEV catalog.
- During the exploit session, the operator at 159.89.205.184 downloaded a Python worker and a Go binary used for credential harvesting and task execution.
- The KeyHunter worker was designed to scan code-sandbox platforms and validate harvested AWS and AI API keys before reporting results back to the operator.
- The NATS server enforced ACLs, limiting the worker to result and heartbeat subjects and preventing it from controlling other parts of the bus.
- The operator also attempted container escape using DirtyPipe and DirtyCreds exploits, but the Go payload panicked and the Python worker remained the active path.
- The broader campaign included AWS reconnaissance and attempts to use stolen credentials against services such as Bedrock, S3, EC2, Lambda, ECS, and IAM.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker gained initial access by exploiting Langflow through an unauthenticated RCE endpoint (‘successful unauthenticated RCE via CVE-2026-33017 /api/v1/build_public_tmp//flow’).
- [T1059.006] Command and Scripting Interpreter: Python – The operator wrote and used a Python worker and an ad-hoc enumeration script to test NATS ACL permissions (‘downloaded a Python worker’; ‘import asyncio, nats, json’).
- [T1059.006] Command and Scripting Interpreter: Go – The campaign used a Go binary for worker deployment and execution (‘downloaded … a Go binary’; ‘worker-linux-amd64’).
- [T1105] Ingress Tool Transfer – The attacker downloaded additional tooling from the staging server, including the worker and installer (‘downloaded a Python worker and a Go binary’).
- [T1106] Native API – The worker validated AWS credentials by calling a cloud API directly (‘validate_aws confirms harvested AWS access keys are live by calling sts:GetCallerIdentity via boto3’).
- [T1082] System Information Discovery – The operator enumerated environment and platform details from the compromised target (‘payload dumped the process environment’; ‘leaking a Windows build path in its panic output’).
- [T1611] Escape to Host – The attacker attempted to break out of the container using kernel exploits (‘attempted to escape the container using DirtyPipe and DirtyCreds exploits’).
- [T1021] Remote Services – The operator used authenticated remote communication over a NATS server to task workers and receive results (‘NATS server as C2 infrastructure’; ‘worker subscribe subjects’).
- [T1547.006] Boot or Logon Autostart Execution: Systemd Service – The deploy script installed a systemd unit to keep the worker persistent (‘writes a keyhunter-worker.service systemd unit’; ‘Restart=always’).
- [T1083] File and Directory Discovery – The tooling enumerated platform-specific extraction paths and local project layout (‘source paths in the symbol table’; ‘working tree’).
- [T1041] Exfiltration Over C2 Channel – Captured keys and scan results were reported back over the NATS coordination channel (‘recording … for the operator’; ‘result.scan’).
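As an added defender-side example (not code from the report or from Sysdig), the following Python parses the client half of a captured NATS session of the kind the key points and the T1021/T1041 entries describe, and flags a CONNECT to a broker outside an allowlist together with any subjects on the worker's result/heartbeat lanes. The broker address is the one in the report; the subject names other than result.scan, the allowlist and the sample capture are constructed assumptions.

```python
import re

# NATS text protocol, one command per CRLF line:
# SUB <subject> [queue-group] <sid>; PUB <subject> [reply-to] <#bytes> then one payload line.
SUB_RE = re.compile(r"^SUB\s+(?P<subject>\S+)(?:\s+\S+)?\s+(?P<sid>\S+)$")
PUB_RE = re.compile(r"^PUB\s+(?P<subject>\S+)(?:\s+\S+)?\s+(?P<nbytes>\d+)$")

# Subject prefixes for the lanes the report says the worker's ACL allowed
# (results back to the operator, heartbeats). Only 'result.scan' is quoted in
# the report; the 'heartbeat.' prefix is an assumption.
SUSPICIOUS_PREFIXES = ("result.", "heartbeat.")

def parse_nats_stream(payload: str) -> dict:
    """Summarise the client side of a NATS session: CONNECT seen, subjects used."""
    connect_seen, subs, pubs = False, [], []
    lines = payload.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("CONNECT "):
            connect_seen = True
        elif (m := SUB_RE.match(line)):
            subs.append(m.group("subject"))
        elif (m := PUB_RE.match(line)):
            pubs.append(m.group("subject"))
            i += 1  # PUB is followed by exactly one payload line; skip it
        i += 1
    flagged = sorted({s for s in subs + pubs if s.startswith(SUSPICIOUS_PREFIXES)})
    return {"connect": connect_seen, "subs": subs, "pubs": pubs, "flagged": flagged}

def assess_flow(dst: str, payload: str, allowed_brokers: set) -> list:
    """Findings for one outbound container flow: unknown NATS broker, worker-style subjects."""
    info = parse_nats_stream(payload)
    if not info["connect"]:
        return []  # not a NATS client session
    findings = []
    if dst not in allowed_brokers:
        findings.append(f"NATS CONNECT to non-allowlisted broker {dst}")
    findings += [f"KeyHunter-style subject on the wire: {s}" for s in info["flagged"]]
    return findings

# Constructed sample capture: a client session to the broker named in the report.
# Credentials and subject names other than result.scan are invented for illustration.
SAMPLE_FLOW = (
    'CONNECT {"verbose":false,"user":"worker","pass":"redacted"}\r\n'
    "SUB task.worker 1\r\n"
    "SUB heartbeat.worker 2\r\n"
    "PUB result.scan 11\r\n"
    '{"keys":[]}\r\n'
    "PING\r\n"
)
```

Feeding the captured client stream of each container egress flow through assess_flow, with the organisation's own brokers in the allowlist, surfaces both the unknown broker and the result/heartbeat subjects in one pass.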
Indicators of Compromise
- [IP:Port] NATS C2 server used for worker coordination – 45.192.109.25:14222
- [IP:Port] Staging HTTP server hosting the worker files – 159.89.205.184:8888
- [IP Address] Operator / worker activity source and container-escape session – 159.89.205.184
- [IP Address] ACL-enforced NATS broker observed in the payload – 45.192.109.25
- [File] Go worker binary served from staging – worker-linux-amd64
- [File] Python fallback worker script – keyhunter_worker.py
- [File] Deployment installer for persistence – deploy.sh
- [File] Worker configuration file – worker.yaml
- [SHA-256] Hashes of staged files – dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25, 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c, and 1 more hash