VDB
GCVE-110-OSM-2026-710
GCVE-110-OSM-2026-710
Advisory PublishedCVSS 9.6/10
This package claims to be "Tiny package to optimize flow control." but really, it immediately drops a Windows exe file, which downloads and installs malware
Payload file: flowfix/__init__.py
Secondary payload: flowfix/core.py
The __init__.py file downloads a payload from https://lustodyssey.com on line 14, and then execs it on line 34. It's that simple.
The malware installs a Windows only binary named lustodysseysetup2.1.1.exe.
You can see the
Key findings:
- Dynamic Code Execution in flowfix/__init__.py: "compile(_g, '<obf>', 'exec')"
- Dynamic Code Execution in flowfix/core.py: "compile(_h, '<internal>', 'exec')"
- Decoded Base64 Content in flowfix/core.py
IOCs:
Main object - https://lustodyssey.com/lustodysseysetup2.1.1.exe
url https://lustodyssey.com/lustodysseysetup2.1.1.exe
Dropped file
sha256 C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5413009a-b844-4192-b814-03e8ed36d134.tmp cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
sha256 C:\Users\admin\AppData\Local\Google\Chrome\User Data\optimization_guide_model_store\25\E6DC4029A1E4B4C1\CF5861C916490329\model.tflite 498e3205bf85da0a8f8b57e292d4bd12b31d691e04039c04bedcde75d1ea7459
DNS requests
domain api.genesishaha.fun
domain genesishaha.fun
domain lustodyssey.com
domain uploads.227efc002310e6abf829b4c6a393bd4a.r2.cloudflarestorage.com
Connections
ip 172.64.66.1
ip 45.141.215.60
- urls: https://lustodyssey.com/lustodysseysetup2.1.1.exe
- domains: gov.com, lustodyssey.com
- emails: fbi@gov.com
- payloadFileHash: 9642df97212584f11372d646ffc1d3c7e1d70d13b099c9fca05111874cf14965
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | flowfix | all (affected) | — |
Aliases
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.