VDB

GCVE-110-OSM-2026-710

GCVE-110-OSM-2026-710
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 6, 2026
This package claims to be "Tiny package to optimize flow control." but really, it immediately drops a Windows exe file, which downloads and installs malware Payload file: flowfix/__init__.py Secondary payload: flowfix/core.py The __init__.py file downloads a payload from https://lustodyssey.com on line 14, and then execs it on line 34. It's that simple. The malware installs a Windows only binary named lustodysseysetup2.1.1.exe. You can see the Key findings: - Dynamic Code Execution in flowfix/__init__.py: "compile(_g, '<obf>', 'exec')" - Dynamic Code Execution in flowfix/core.py: "compile(_h, '<internal>', 'exec')" - Decoded Base64 Content in flowfix/core.py IOCs: Main object - https://lustodyssey.com/lustodysseysetup2.1.1.exe url https://lustodyssey.com/lustodysseysetup2.1.1.exe Dropped file sha256 C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5413009a-b844-4192-b814-03e8ed36d134.tmp cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 sha256 C:\Users\admin\AppData\Local\Google\Chrome\User Data\optimization_guide_model_store\25\E6DC4029A1E4B4C1\CF5861C916490329\model.tflite 498e3205bf85da0a8f8b57e292d4bd12b31d691e04039c04bedcde75d1ea7459 DNS requests domain api.genesishaha.fun domain genesishaha.fun domain lustodyssey.com domain uploads.227efc002310e6abf829b4c6a393bd4a.r2.cloudflarestorage.com Connections ip 172.64.66.1 ip 45.141.215.60 - urls: https://lustodyssey.com/lustodysseysetup2.1.1.exe - domains: gov.com, lustodyssey.com - emails: fbi@gov.com - payloadFileHash: 9642df97212584f11372d646ffc1d3c7e1d70d13b099c9fca05111874cf14965

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownflowfixall (affected)

References

advisory
vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›