JadePuffer Shows How AI Agents Now Run Ransomware

Sysdig documents the first AI-agent ransomware operation: an LLM exploited CVE-2025-3248 in Langflow, moved laterally, and encrypted 1,342 production database records with no human directing each step.

JadePuffer Shows How AI Agents Now Run Ransomware

The payload landed through a year-old vulnerability in Langflow. Within 31 seconds of a failed login attempt, with no human at the keyboard, an AI agent had diagnosed its own error, rewritten the exploit, and gained database administrator access. It encrypted 1,342 service configuration records, wiped the original tables, and left a ransom demand in their place.

Security firm Sysdig published its analysis on July 1, naming the threat actor JADEPUFFER and describing it as the first documented case of ransomware driven end-to-end by a large language model agent.

TL;DR

  • First documented agentic ransomware: the full attack chain - recon, credential theft, lateral movement, encryption - ran without human operators directing each step
  • Exploited CVE-2025-3248 (CVSS 9.8) in the open-source Langflow framework and CVE-2021-29441 in Alibaba Nacos
  • Encrypted 1,342 production configs; the key was never stored, making recovery impossible even with ransom payment
  • Self-corrected a failed exploit in 31 seconds; payloads contained plain-English reasoning comments - a pattern consistent with LLM generation, not human operators

The Door It Walked Through

CVE-2025-3248 is a missing-authentication flaw in Langflow's code-validation endpoint. CVSS score: 9.8. It lets an unauthenticated attacker execute arbitrary Python on the host with no credentials.

The vendor patched it on April 1, 2025. CISA reported active exploitation by May 2025. Organizations running unpatched Langflow instances in July 2026 were still exposed.

JADEPUFFER found one and walked in.

Phase 1: Everything It Could Grab

Initial access - The agent delivered Base64-encoded Python payloads through the Langflow validation endpoint. Once inside, it didn't stop at the compromised server.

Credential sweep - It extracted API keys for OpenAI, Anthropic, DeepSeek, and Gemini. It grabbed cloud credentials across AWS, Azure, Google Cloud, Alibaba, Aliyun, Tencent, and Huawei. It dumped Langflow's PostgreSQL database for stored credentials, then found a MinIO object storage bucket still running on its default credentials (minioadmin:minioadmin) and pulled a terraform-state bucket containing additional service credentials.

Persistence - The agent installed a cron job beaconing to its command-and-control server at 45.131.66.106:4444 every 30 minutes.

What convinced Sysdig this was an AI agent rather than a human operator? The payloads were self-narrating. They contained natural-language explanations for each action - the kind of detailed commentary a human hacker never bothers writing, but a LLM produces by default. Sysdig's Michael Clark wrote: "The operation also adapted in real time, retrying failed steps within refined parameters."

Langflow's homepage - the open-source LLM framework whose unpatched CVE-2025-3248 was the entry point for JadePuffer's attack Langflow is an open-source framework for building LLM agent workflows. CVE-2025-3248 in its code-validation endpoint gave JadePuffer unauthenticated remote code execution. Source: langflow.org

Phase 2: The 31-Second Recovery

The agent pivoted from the Langflow host to a separate production server running MySQL and Nacos - Alibaba's open-source configuration management platform, widely used in cloud-native deployments.

Authentication bypass - It exploited CVE-2021-29441, an authentication bypass in Nacos, and forged JWT tokens using the platform's well-known default signing key. The target hadn't changed it.

Backdoor account creation - The agent attempted to create an administrator account directly in the database. The first attempt failed: a bcrypt hash generation error caused by a subprocess PATH issue.

The agent recovered in 31 seconds. It identified the source of the failure, switched from subprocess execution to a direct Python import, regenerated the hash with a simpler password, and verified the login worked.

"For investigators, the speed and specificity of that correction are a major reason Sysdig assessed the operation as autonomous," Clark wrote in the firm's report.

This is the behavior that separates an AI agent from a scripted attack toolkit. Scripts fail and stop. Agents fail and adapt.

Phase 3: Encryption and the Ransom

Encryption - JADEPUFFER used MySQL's AES_ENCRYPT() function to encrypt all 1,342 Nacos service configuration items in place. It dropped the original config_info and history tables completely.

Extortion table - In their place, it created a README_RANSOM table with a ransom demand, a Bitcoin address (3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy), and a ProtonMail contact address.

The critical failure - The encryption key was produced randomly and, per Sysdig's analysis, "printed once; never stored or sent." The victim's configurations cannot be recovered whether or not the ransom is paid. The data is gone.

The Bitcoin address itself reveals something about the agent. It appears in canonical LLM training documentation as an example address - the model reproduced it from training data rather than producing an attacker-controlled wallet. An operational mistake, but also a diagnostic artifact: it shows how training-data memorization can leak into live attack payloads.

Sysdig's JADEPUFFER blog post published July 1, 2026, documenting the attack chain Sysdig's Threat Research Team published their JADEPUFFER analysis on July 1. The report documents the full attack chain and indicators of compromise. Source: sysdig.com

What "Autonomous" Actually Means Here

TechCrunch's July 6 coverage pushed back on the "fully autonomous" framing, and the pushback is fair. A human set up the infrastructure, chose the victim, and the Nacos database credentials used in the pivot came from a prior breach - not from JADEPUFFER's own activity. Clark acknowledged this directly: "A human still set up and pointed the operation and provisioned the infrastructure behind it... and chose a victim."

The agent didn't plan the attack. It executed one. That distinction matters for measuring the threat accurately. The bottlenecks that remain human - victim selection, infrastructure provisioning, initial credential sourcing - are exactly the tasks that scale cheapest and require the least expertise to outsource.

The hard part of ransomware used to be execution. That part is now automated.

Sysdig couldn't determine which LLM powered JADEPUFFER from the captured payloads. Researcher Geoff McDonald assessed it was likely an open-weight model with safety guardrails removed, rather than a frontier model.

Why the Skill Floor Dropped

Multi-stage ransomware used to require expertise across several disciplines: web exploitation, lateral movement, database administration, encryption implementation. An attacker needed to know all of them or assemble a team that collectively did.

JADEPUFFER shows something different. A LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and data destruction without the operator having deep expertise in any single step. Shane Barney, CISO at Keeper Security, put it directly: "An AI agent operating at machine speed can move from initial access to full destruction well inside that window" where most organizations detect unauthorized access.

Ram Varadarajan, CEO at Acalvio, added the defensive implication: "When the adversary rewrites its own exploit code on the fly, static signatures can't keep pace - only runtime behavioral detection stands a chance of catching it."

That's the shape of the new problem. Detection strategies built around known payload signatures are mismatched against agents that narrate their own reasoning and adapt around failures in real time. The same LLM behavior that makes JadePuffer's payloads detectable by behavioral tools - the natural-language comments, the adaptive retries, the training-data artifacts - makes them invisible to anything looking for a fixed pattern.

See also: AI agents used in LLM router supply chain attacks and how criminals are using vibe coding to build malware.


What to Do Now

  1. Patch CVE-2025-3248 in Langflow immediately. Don't expose Langflow's code-execution endpoint to the internet. The fix has been available since April 2025.
  2. Rotate the Nacos default signing key. CVE-2021-29441 is trivially exploitable on any Nacos instance still using the default token.secret.key. Change it.
  3. Remove LLM provider credentials from AI orchestration servers. JADEPUFFER specifically targeted OpenAI, Anthropic, DeepSeek, and cloud provider keys stored in Langflow environments. They don't belong there.
  4. Segment AI infrastructure from production databases. A compromised Langflow host shouldn't be able to reach your production MySQL server at all. Enforce network egress controls.
  5. Switch to runtime behavioral detection. Static signatures won't catch payloads that rewrite themselves mid-execution. Look for anomalous database process behavior and unusual process-spawning patterns.
  6. Audit cron jobs on AI infrastructure. JADEPUFFER's persistence mechanism was a cron job - a vector conventional EDR wasn't designed to watch for on orchestration servers.
  7. Check your environment for JadePuffer IoCs: C2 at 45.131.66.106:4444, staging server at 64.20.53.230, ProtonMail contact e78393397[at]proton.me.

Sources:

Elena Marchetti
About the author Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.