nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Threat Actors Adopt NATS Messaging Infrastructure for Covert C2

Du'aine Davis · 2026-05-15T11:00:33+00:00

Observed in the wild * In May, Sysdig identified a campaign centred on a new command-and-control technique, where attackers used NATS messaging servers as C2 infrastructure after exploiting CVE‑2026‑33017 (Langflow RCE). The activity targeted exposed cloud and AI development environments, enabling large-scale harvesting…

Du'aine Davis

Observed in the wild

In May, Sysdig identified a campaign centred on a new command-and-control technique, where attackers used NATS messaging servers as C2 infrastructure after exploiting CVE‑2026‑33017 (Langflow RCE). The activity targeted exposed cloud and AI development environments, enabling large-scale harvesting and validation of AWS credentials and AI API keys, with attempts to establish persistent access across compromised workloads.
The actor deployed a “NATS-as-C2” model, replacing traditional HTTP or chat-based C2 with a legitimate publish/subscribe message broker. This allowed task distribution, result collection, and coordination across infected hosts using ACL-controlled subjects and durable queues. Supporting tooling (“KeyHunter”) combined credential scraping, validation, and automation, while blending into normal traffic, marking a notable evolution in scalable, resilient and harder-to-detect C2 architectures.
Organisations are advised to prioritise detection of behaviour, not just payloads: monitor for unusual outbound connections to messaging brokers, enforce strict egress controls, and baseline legitimate NATS usage. Patch exposed services (e.g. Langflow), rotate credentials, and detect activity such as abnormal AWS API enumeration or system service creation. Defender telemetry should be tuned to flag anomalous network patterns and long-lived worker-like processes communicating with external brokers.

NATS-as-C2: Inside a new technique attackers are using to harvest cloud credentials and AI API keys | Sysdig

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

There are no comments yet

See what's trending

Click on a tag to discover all the published content related to it.