Published
- 6 min read
By Allan D - Editor, AI Security Wire
JADEPUFFER: Inside the First End-to-End Agentic Ransomware Attack
Ransomware just changed. Sysdig’s threat research team has documented JADEPUFFER, a threat actor whose entire attack, from exploiting an exposed Langflow instance to encrypting a production database and leaving a ransom note, was driven by an LLM agent operating without human direction at each step. The attack targeted Nacos, an Alibaba-developed configuration service, and permanently destroyed 1,342 service configuration items using an ephemeral encryption key. Recovery without the key is not possible.
This is the first documented case of an agentic threat actor completing an end-to-end ransomware operation. It won’t be the last.
The Entry Point: CVE-2025-3248
JADEPUFFER’s entry was CVE-2025-3248, a critical missing-authentication flaw in Langflow’s code validation endpoint. The vulnerability allows any unauthenticated attacker to execute arbitrary Python on the host. It carries a CVSS score of 9.8 and has been on CISA’s Known Exploited Vulnerabilities list since May 2026.
Langflow is widely deployed as an AI orchestration and workflow platform. Its internet-exposed instances are an increasingly common attack surface: Greynoise has documented mass scanning of Langflow endpoints throughout 2026, and this intrusion shows what threat actors do once inside.
Phase One: Credential Sweep
Once executing on the Langflow host, the agent ran a systematic credential harvest. The targets were specific and prioritised: OpenAI, Anthropic, DeepSeek, and Gemini API keys; AWS, GCP, Azure, and Chinese cloud provider credentials (Alibaba, Aliyun, Tencent, Huawei); database connection strings; cryptocurrency wallets.
The agent then turned to the host’s MinIO object storage deployment. Default credentials, minioadmin:minioadmin, granted access. The agent listed buckets and extracted a credentials.json file containing service access keys. It then established persistence, installing a cron job that beaconed to 45.131.66.106:4444 every thirty minutes.
None of these actions required novel technique. What was notable was the speed and systematic coverage, and the agent’s own narration of its reasoning inside the payloads it generated.
Phase Two: The Pivot to Production
JADEPUFFER’s main target was a separate MySQL server running Nacos, Alibaba’s Naming and Configuration Service platform used for managing microservice configurations at scale. How the agent obtained root credentials for this server is not fully established; Sysdig suspects they were among the credentials harvested from the Langflow environment.
The Nacos takeover involved a sequence of increasingly precise attacks. The agent initially attempted to exploit CVE-2021-29441, a Nacos authentication bypass. It also forged JWT tokens using Nacos’s publicly documented default signing key, which many deployments never change.
The most striking element was the agent’s real-time error correction. An initial attempt to create a backdoor administrator account via bcrypt hash generation through subprocess failed. Thirty-one seconds later, a corrective payload appeared: it switched to a direct import, deleted the broken account entry, and reinserted it with the correct credentials. The account name was xadmin.
Sysdig notes that the 31-second gap represents diagnosis, rewriting, and re-execution, steps that a human operator might take minutes to accomplish.
The Encryption: No Recovery Path
With database root access, the agent began the destructive phase.
Using MySQL’s built-in AES_ENCRYPT() function, it encrypted all 1,342 Nacos service configuration items in place. The encryption key was ephemeral: base64(uuid4().bytes + uuid4().bytes), generated fresh, printed once in the payload output, and never written to disk or transmitted anywhere. The original config_info and history tables were then dropped.
When foreign key constraints blocked DROP DATABASE commands, the agent issued SET GLOBAL FOREIGN_KEY_CHECKS=0 and proceeded. It then dropped databases it had annotated as already backed up to an external server at 64.20.53.230.
In place of the destroyed data, the agent created a table named README_RANSOM containing a Bitcoin payment address, a Proton Mail contact email, and the ransom demand text. The Bitcoin address, 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, is the canonical Pay-to-Script-Hash example embedded in Bitcoin protocol documentation. This suggests either a hallucination from the underlying model or a configuration error. Either way, payment would accomplish nothing: the decryption key no longer exists anywhere.
How Sysdig Identified It as Agentic
Four independent indicators established that an LLM was driving the operation rather than a human with scripted tools:
Self-narrating payloads. The code contained natural-language annotations explaining prioritisation decisions and operational rationale. Human operators don’t typically annotate their attack scripts. LLM-generated code does this reflexively.
Machine-speed adaptation. The bcrypt failure and 31-second recovery is not consistent with human response time. Neither is the real-time correction of MinIO requests that returned XML instead of expected JSON, which the agent parsed and adapted to without delay.
Cross-session context comprehension. The agent parsed free-text information from the target environment and took contextually appropriate actions across sessions separated by weeks. This reflects genuine comprehension of environmental state, not script execution.
Coherent objective-setting. The sequential prioritisation from credential sweep to lateral movement to production targeting to encryption to extortion note reflects the kind of goal-directed reasoning that distinguishes autonomous agents from automated tools.
Sysdig’s assessment: “This attack shows that LLM agents significantly lower the barrier for malicious operations, which now require a capable model rather than a capable human.”
What JADEPUFFER Changes
The threat model most security teams operate against assumes human operators make decisions, even when those operators use automated tooling. Human decision-making introduces delays, hesitation, and mistakes. An agentic attacker corrects mistakes in seconds, works continuously, and doesn’t get tired or impatient.
The JADEPUFFER timeline compresses the window between initial access and destructive impact in a way that bypasses most detection-and-response workflows. By the time a SOC analyst has reviewed the alert and escalated, the configuration store is gone.
Defensive Steps
Patch CVE-2025-3248 now. Any Langflow instance running an unpatched version is exposed. If immediate patching is not possible, take the instance offline.
Restrict the Langflow code-execution endpoint. This endpoint should never be reachable from the internet. Apply network controls regardless of patch status.
Audit AI orchestration environments for credentials. JADEPUFFER specifically targeted LLM provider API keys and cloud credentials stored in the Langflow environment. These should not exist there. Use secrets managers with short-lived credentials and runtime injection.
Change Nacos defaults. The default JWT signing key and the default minioadmin MinIO credentials used in this attack are documented in public repositories. Any deployment that hasn’t changed them is vulnerable to the same lateral movement.
Block outbound from AI workloads. Egress controls on Langflow and similar services would have broken the C2 beacon to 45.131.66.106 and the exfiltration channel to 64.20.53.230. Least-privilege networking applies to AI infrastructure the same as any other workload.
Runtime monitoring for database operations. AES_ENCRYPT() against all rows of a configuration table followed by DROP TABLE is not a legitimate operational pattern. Detection rules for bulk encryption operations in MySQL are straightforward to write and would have caught this.
Indicators of compromise: C2 server 45.131.66.106, staging server 64.20.53.230, ransom contact e78393397[@]proton[.]me, Nacos backdoor account xadmin.
Frequently Asked Questions
- What makes JADEPUFFER different from previous LLM-assisted ransomware?
- Prior cases involved LLMs assisting human operators at discrete stages: generating phishing content, writing shellcode, or suggesting attack paths. JADEPUFFER is the first documented case where an LLM agent drove the full attack chain autonomously, from initial access through reconnaissance, lateral movement, and encryption, without a human directing each step. The agent adapted in real time to failures and unexpected environment states.
- Can victims recover their data if they pay the ransom?
- No. The encryption key was ephemeral, derived from two concatenated UUID4 values, encoded in base64, and printed once before being discarded. It was never stored anywhere recoverable. Sysdig noted that even a successful ransom payment would not restore the encrypted data, because the key no longer exists.
- Is CVE-2025-3248 patched, and what should Langflow operators do now?
- CVE-2025-3248 was disclosed in 2025 and patches have been available since then. However, CISA flagged active exploitation in early May 2026, indicating many deployments remain unpatched. Any internet-exposed Langflow instance should be patched immediately, or taken offline. The code-execution endpoint in Langflow should never be exposed to the internet regardless of patch status. Operators should also audit environment variables for cloud and LLM provider credentials, which JADEPUFFER harvested systematically.