NATS-as-C2: Inside a new technique attackers are using to harvest cloud credentials and AI API keys
Blog post from Sysdig
In May 2026, the Sysdig Threat Research Team identified a novel command-and-control (C2) technique it calls “NATS-as-C2”: a threat actor used a NATS server, a messaging system normally deployed for fast inter-application communication, as the infrastructure for controlling malware. In this campaign, a remote code execution vulnerability in Langflow was exploited to download the malware, which then harvested cloud credentials and AI API keys. The operation, named KeyHunter, used a Python worker and a Go binary to collect and validate AWS and other cloud service credentials, forming a scalable botnet that relies on NATS for durable task management and subject-level authorization. The attack marks a shift toward using legitimate platforms as covert communication channels, with the operator relying on NATS server features for operational security and scale; network defenders should therefore enforce strict egress controls and patch vulnerable platforms such as Langflow.
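Because the C2 channel is a legitimate messaging protocol, port-based egress rules alone are a weak control. The following detection example is added here and is not code from the Sysdig post or from the KeyHunter tooling. It assumes a network sensor can expose the first bytes of each outbound TCP flow, and that the suspect traffic uses NATS's standard plaintext wire protocol (the server's `INFO {...}` greeting and client verbs such as `CONNECT`, `SUB`, `PUB`); TLS-wrapped NATS would need TLS inspection or purely destination-based policy instead. The flows, hostnames and subjects below are constructed for illustration.

```python
"""Flag outbound flows that speak the NATS wire protocol to non-allowlisted hosts.

Added defensive example; assumes first-bytes visibility of outbound TCP flows
and plaintext NATS. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# NATS listens on TCP 4222 by default; these verbs are part of its text protocol.
NATS_DEFAULT_PORT = 4222
CLIENT_VERBS = (b"CONNECT ", b"PUB ", b"HPUB ", b"SUB ", b"PING\r\n", b"PONG\r\n")
# A NATS server greets every client with an INFO frame carrying a JSON object.
SERVER_INFO_RE = re.compile(rb"\AINFO \{.*?\}\r\n", re.DOTALL)


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    client_bytes: bytes   # first bytes sent by the workload
    server_bytes: bytes   # first bytes returned by the remote host


def looks_like_nats(flow: Flow) -> bool:
    """True if the peer sent a NATS INFO greeting or the client opened with a
    NATS control verb. The destination port is deliberately not used here:
    a broker on 443 is still NATS."""
    if SERVER_INFO_RE.match(flow.server_bytes):
        return True
    return flow.client_bytes.lstrip().startswith(CLIENT_VERBS)


def nats_subjects(flow: Flow) -> list[str]:
    """Collect subjects from SUB/PUB/HPUB lines for triage: which task queues a
    workload subscribes to or publishes on."""
    subjects = []
    for line in flow.client_bytes.split(b"\r\n"):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in (b"SUB", b"PUB", b"HPUB"):
            subjects.append(parts[1].decode("ascii", "replace"))
    return subjects


def evaluate(flows, allowlist) -> list[dict]:
    """Return one alert record per NATS flow whose (host, port) is not an
    approved broker. Allowlisted brokers are skipped without inspection of
    their subjects."""
    alerts = []
    for f in flows:
        if not looks_like_nats(f) or (f.dst, f.dst_port) in allowlist:
            continue
        alerts.append({
            "src": f.src,
            "dst": f"{f.dst}:{f.dst_port}",
            "default_port": f.dst_port == NATS_DEFAULT_PORT,
            "subjects": nats_subjects(f),
        })
    return alerts


# Constructed egress policy: the organisation's own broker is the only approved one.
ALLOWLIST = {("nats.internal.example", 4222)}

# Constructed sample flows (RFC 5737 documentation addresses for external hosts).
SAMPLE_FLOWS = [
    # Legitimate: an application talking to the approved internal broker.
    Flow("10.0.1.7", "nats.internal.example", 4222,
         b'CONNECT {"verbose":false,"name":"orders-api"}\r\nSUB orders.created 1\r\n',
         b'INFO {"server_id":"constructed","version":"2.10.0"}\r\n'),
    # Suspicious: unknown external host on the default port announcing itself as NATS.
    Flow("10.0.2.15", "203.0.113.10", 4222,
         b'CONNECT {"verbose":false}\r\nSUB tasks.worker 1\r\n',
         b'INFO {"server_id":"constructed","version":"2.10.0"}\r\n'),
    # Suspicious: NATS verbs on 443, which a port-4222 block rule would miss.
    Flow("10.0.2.16", "203.0.113.20", 443,
         b'CONNECT {"verbose":false}\r\nPUB results.report 12\r\nplaceholder1\r\n',
         b""),
    # Benign TLS ClientHello; not NATS.
    Flow("10.0.3.4", "203.0.113.30", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00", b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS, ALLOWLIST):
        print(alert)
```

Run as a script, the block prints two alerts: the external broker on the default port and the one hidden on 443. Matching on the protocol greeting rather than the port is the point; pair it with a default-deny egress policy so that only the allowlisted broker is reachable at all.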