NATS-as-C2: How Cybercriminals Are Hijacking Messaging Systems to Steal Cloud Credentials


Introduction

Attackers are increasingly going after the plumbing that applications use to talk to each other, repurposing high-speed messaging platforms as covert command channels. A recent campaign uncovered by the Sysdig Threat Research Team shows how one group chained a critical vulnerability in an AI tool, a messaging server used as a command-and-control backbone, and automated credential hunting to get into cloud environments, harvest credentials, and scale with alarming efficiency.

Summary of the Attack

On May 5, 2026, Sysdig’s Threat Research Team discovered a campaign exploiting CVE-2026-33017, a critical remote code execution vulnerability in the AI pipeline tool Langflow. After gaining code execution, the attackers pointed their implant at a NATS messaging server under their control and used it as the command-and-control (C2) channel, a technique Sysdig dubbed “NATS-as-C2.” Because NATS speaks its own text-based protocol over TCP rather than HTTP, the traffic sidesteps monitoring tuned for HTTP/S, while the publish/subscribe model still gives the operators interactive control over each compromised machine.

After breaching an unauthenticated Langflow instance, the intruders immediately dumped the process’s environment variables, which included AWS access keys. Within minutes they were using those keys for a reconnaissance sweep of the victim’s cloud account, enumerating S3 buckets, EC2 instances, and Lambda functions. At the core of the operation was a custom toolset called KeyHunter, a mix of Python and Go binaries built to hunt for secrets. Unlike generic scrapers, KeyHunter targets credentials left in online code sandboxes such as CodePen, JSFiddle, StackBlitz, and CodeSandbox, where developers frequently paste working API keys into shared snippets.

KeyHunter is well engineered. It validates stolen AWS and AI-provider keys in real time, mimics browser fingerprints to get past the sandbox sites’ bot detection, and can spin up headless-browser sidecars to render JavaScript-heavy pages that a plain HTTP scraper cannot read. Notably, the operators showed little concern for their own operational security: they left system logs on compromised hosts intact and ran the hunt from cheap, disposable ARM-based virtual machines that could be discarded and replaced at will.
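A first check a cloud defender can run against the sequence described above (a key extracted, then a recon sweep minutes later) follows. It is an added example, not Sysdig’s or the attackers’ code: it scans CloudTrail records for an access key that is suddenly used from an IP it has never used before and, within a short window, enumerates several services. The CloudTrail field names are real; the records, the baseline IP set and the thresholds are constructed for the example, and the assumption that key validation surfaces as sts:GetCallerIdentity is ours, since the article does not name the call.

```python
"""Flag stolen-AWS-key use in CloudTrail: new source IP, then a recon burst.

Added example, not Sysdig's or the campaign's code. Field names follow CloudTrail
(eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId);
the records, baseline IPs and thresholds below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only enumeration calls a credential hunter tends to issue first. The
# sts:GetCallerIdentity entry is an assumption: the article says keys are
# validated in real time but does not name the API call used.
RECON_EVENTS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("lambda.amazonaws.com", "ListFunctions20150331"),
}

# Constructed CloudTrail records (one JSON object per line). Line 1 is a normal
# CI run from the key's usual IP; lines 2-5 are the same key used from a fresh
# IP; the last line is a lone validation probe that must not trigger by itself.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2026-05-05T09:55:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-05-05T10:03:12Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-05-05T10:03:40Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-05-05T10:04:05Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-05-05T10:05:31Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions20150331","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2026-05-05T10:20:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.78","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
"""

# IPs each key is normally used from (assumed baseline for this example).
BASELINE_IPS = {"AKIAIOSFODNN7EXAMPLE": {"203.0.113.10"}}


def load_records(text):
    """Parse newline-delimited CloudTrail JSON into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_key_abuse(records, baseline_ips, window_minutes=10, min_services=3):
    """Return one finding per (key, new IP) pair that enumerates at least
    min_services distinct services within window_minutes of its first call."""
    by_pair = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_pair[(key, rec["sourceIPAddress"])].append(rec)

    findings = []
    for (key, ip), recs in by_pair.items():
        if ip in baseline_ips.get(key, set()):
            continue  # an IP this key is known to be used from
        recs.sort(key=lambda r: parse_time(r["eventTime"]))
        deadline = parse_time(recs[0]["eventTime"]) + timedelta(minutes=window_minutes)
        recon = [r for r in recs
                 if (r["eventSource"], r["eventName"]) in RECON_EVENTS
                 and parse_time(r["eventTime"]) <= deadline]
        services = {r["eventSource"] for r in recon}
        if len(services) >= min_services:
            findings.append({
                "accessKeyId": key,
                "sourceIPAddress": ip,
                "firstSeen": recs[0]["eventTime"],
                "services": sorted(services),
                "calls": [r["eventName"] for r in recon],
            })
    return findings


if __name__ == "__main__":
    for hit in find_key_abuse(load_records(SAMPLE_CLOUDTRAIL), BASELINE_IPS):
        print(json.dumps(hit, indent=2))
```

In production the baseline would be learned from history (the set of IPs and user agents each key has used over the past weeks) rather than hard-coded, and the window and service count tuned so that a developer’s first `aws s3 ls` from a new laptop does not page anyone; the pattern that matters is the combination of a never-seen source and a cross-service sweep within minutes.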

Indicators of compromise include the NATS C2 server at 45.192.109[.]25:14222 and a staging HTTP server at 159.89.205[.]184:8888 (addresses defanged). The campaign illustrates a worrying trend: messaging systems used not just for application traffic but as a stealthy command backbone for credential theft.

What Undercode Say:

This campaign shows how cloud intrusions are changing. By using a messaging system like NATS as the C2 transport, the attackers sidestep network monitoring that concentrates on HTTP/S traffic; a long-lived TCP session carrying small text frames to an unfamiliar port blends in unless someone is specifically watching for it. The approach reflects a working knowledge of application architecture, where the same pub/sub platforms that carry production traffic can be repurposed for clandestine orchestration.

KeyHunter’s focus on online code sandboxes is particularly alarming. These platforms rarely appear in security audits, yet they hold a steady supply of exposed API keys and developer secrets. Instant validation of stolen credentials and browser-fingerprint mimicry are capabilities once associated with well-resourced operators; here they are packaged into a commodity credential hunter.

The operators’ lax operational security is itself telling. They appear not to have needed to wipe logs: cheap, disposable virtual machines mean that a burned node costs them almost nothing, so they optimize for speed and scale of exfiltration rather than for staying hidden. That is a sharp contrast with classic stealth campaigns, which prioritize covering tracks over rapid expansion.

For cloud providers and security teams, the attack underscores the need for detection that covers messaging layers, code sandboxes, and short-lived cloud instances, not just HTTP-based attacks. In practice that means alerting on outbound connections to unknown message brokers, rotating any API key that has ever appeared in a public snippet, and auditing what developers paste into sandbox platforms.

Moreover, the campaign shows how far automation in cybercrime has come. Tooling that performs adaptive reconnaissance, browser-fingerprint mimicry, and credential validation can run largely on its own once it has been pointed at a target set. Organizations relying on cloud services should assume that every exposed API key will be found and tested, and treat each one as a potential entry point.

The campaign also suggests a growing specialization among cybercriminals. Unlike opportunistic phishing or generic ransomware, this operation required knowledge of AI pipelines, cloud APIs, and messaging protocols. It reflects an ecosystem in which purpose-built tools like KeyHunter emerge to exploit specific weaknesses efficiently.

Using ARM-based disposable nodes is also financially shrewd. ARM instances are cheap, so an operator can stand up many nodes in parallel, run the hunt, and throw them away without a large bill and without attachment to any one piece of infrastructure. It is a model that combines brute-force credential hunting with operational efficiency.

From a defensive standpoint, anomaly detection on messaging traffic becomes critical. Organizations should track unusual connection patterns (hosts opening sessions to brokers they have never talked to, on ports they have never used), confirm that their own NATS servers require authentication and TLS, and ensure that no messaging server is ever reachable without proper access controls.
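The messaging-layer anomaly detection called for here, and the earlier point that HTTP-centric monitoring misses this traffic, can be made concrete. The following is an added example, not Sysdig’s or the attackers’ code: it recognizes a NATS session from the protocol’s own plaintext handshake (the server’s `INFO {json}` banner and the client’s `CONNECT {json}` line, both defined by the NATS protocol), regardless of port, and then reports what a defender wants to know: whether the destination is one of the organization’s brokers, whether the port is non-standard, whether the server requires authentication or TLS, whether the client presented credentials, and which subjects it subscribed to or published on. The broker allow-list and the three flow records are constructed for the example; the suspicious flow uses a TEST-NET address rather than the campaign’s indicator.

```python
"""Spot NATS sessions that do not belong, from the first bytes of each TCP flow.

Added example, not Sysdig's or the campaign's code. The NATS wire protocol is
plain text: the server opens with `INFO {json}\r\n`, the client answers with
`CONNECT {json}\r\n` and then sends verbs such as SUB, PUB and PING. That makes
an outbound NATS session recognizable on any port. KNOWN_BROKERS and the flows
below are constructed for this example.
"""
import json
from dataclasses import dataclass, field

NATS_DEFAULT_PORT = 4222
# Brokers the organization actually operates (assumed allow-list).
KNOWN_BROKERS = {("10.20.0.5", 4222)}
# CONNECT fields that carry credentials, per the NATS protocol.
CONNECT_AUTH_FIELDS = ("user", "pass", "auth_token", "jwt", "nkey", "sig")


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    server_first: bytes            # first bytes the server sent
    client_first: bytes            # first bytes the client sent
    verbs: list = field(default_factory=list)  # later client lines, e.g. "SUB cmd.> 1"


def parse_nats_line(data: bytes, verb: str):
    """Return the JSON object from a leading `VERB {...}\\r\\n` line, else None."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep or not line.startswith(verb.encode() + b" "):
        return None
    try:
        body = json.loads(line[len(verb) + 1:])
    except ValueError:
        return None
    return body if isinstance(body, dict) else None


def assess_flow(flow: Flow):
    """Return None if the flow is not NATS, otherwise a dict with the reasons
    it deserves attention (an empty list means a clean, expected session)."""
    info = parse_nats_line(flow.server_first, "INFO")
    connect = parse_nats_line(flow.client_first, "CONNECT")
    if info is None and connect is None:
        return None
    reasons = []
    if (flow.dst_ip, flow.dst_port) not in KNOWN_BROKERS:
        reasons.append("nats_to_unknown_broker")
    if flow.dst_port != NATS_DEFAULT_PORT:
        reasons.append("nats_on_nonstandard_port")
    # nats-server omits false booleans from INFO, so a missing key means "no".
    if info is not None and not info.get("auth_required", False):
        reasons.append("server_allows_unauthenticated_clients")
    if connect is not None and not any(k in connect for k in CONNECT_AUTH_FIELDS):
        reasons.append("client_connected_without_credentials")
    if info is not None and not info.get("tls_required", False):
        reasons.append("no_tls")
    return {
        "src": flow.src_ip,
        "dst": f"{flow.dst_ip}:{flow.dst_port}",
        "reasons": reasons,
        "subscriptions": [v for v in flow.verbs if v.startswith("SUB ")],
        "publishes": [v for v in flow.verbs if v.startswith("PUB ")],
        "client_lang": (connect or {}).get("lang"),
    }


def suspicious_flows(flows):
    """Keep only NATS flows that raised at least one reason."""
    results = (assess_flow(f) for f in flows)
    return [r for r in results if r and r["reasons"]]


# Constructed sample: an in-house service, an implant-like session to an
# unknown broker on a high port, and an ordinary TLS connection for contrast.
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.20.0.5", 4222,
         b'INFO {"server_id":"NAQ7EXAMPLE","version":"2.10.0","proto":1,"auth_required":true,"tls_required":true,"max_payload":1048576}\r\n',
         b'CONNECT {"verbose":false,"user":"orders-svc","pass":"REDACTED","lang":"go","version":"1.30.0","protocol":1}\r\n',
         ["SUB orders.created 1", "PING"]),
    Flow("10.20.1.44", "203.0.113.25", 14222,
         b'INFO {"server_id":"NCXEXAMPLE","version":"2.9.15","proto":1,"max_payload":1048576}\r\n',
         b'CONNECT {"verbose":false,"pedantic":false,"lang":"python3","version":"2.6.0","protocol":1}\r\n',
         ["SUB cmd.> 1", "PUB result.10.20.1.44 52"]),
    Flow("10.20.1.44", "93.184.216.34", 443,
         b"\x16\x03\x03\x00\x5a\x02\x00\x00",   # TLS ServerHello, not NATS
         b"\x16\x03\x01\x02\x00\x01\x00",
         []),
]

if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE_FLOWS):
        print(json.dumps(hit, indent=2))
```

The flow records would come from a sensor that keeps the first bytes of each TCP direction (a payload-sampling network monitor or a full-packet capture). Matching on the handshake rather than on port 4222 is the point: the campaign’s broker listened on 14222, and a port-based rule would never have fired. A wildcard subscription such as `SUB cmd.> 1` (`>` matches every subject under `cmd`) is one plausible shape for an implant waiting for tasking, and is worth surfacing in the alert even when the session is otherwise unremarkable.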

Ultimately, “NATS-as-C2” is more than a technical novelty; it is a blueprint for cloud-targeted cybercrime that favors architecture-aware abuse over noisy exploitation, and scale and automation over careful tradecraft. Security teams must extend their monitoring beyond the HTTP surface to defend against threats of this kind.

Fact Checker Results:

CVE-2026-33017 is a confirmed remote code execution vulnerability affecting Langflow.

NATS can be repurposed as a covert C2 channel, confirmed by Sysdig research.

KeyHunter malware has been verified to target online code sandboxes for credential theft.

Prediction:

Given the trajectory of this campaign, similar attacks exploiting messaging protocols and ephemeral cloud resources are likely to increase. As more organizations adopt cloud-native messaging architectures and AI pipelines, attackers will increasingly target overlooked components like code sandboxes and high-speed messaging servers. Proactive cloud security, including continuous API key auditing and sandbox monitoring, will become critical defensive strategies. In the near future, we may see threat intelligence platforms evolve to include automated detection of messaging-based C2 traffic, making campaigns like NATS-as-C2 harder to execute at scale.

References:

Reported By: cyberpress.org