At a Glance
| Malware family | JADEPUFFER (agentic ransomware) |
|---|---|
| Threat actor | Unnamed operator; Sysdig assesses an autonomous AI agent. Human identity not confirmed. |
| Target / victims | One organization’s production MySQL and Alibaba Nacos server; 1,342 Nacos config items encrypted. |
| Delivery vector | Langflow unauthenticated RCE (CVE-2025-3248) |
| Key capabilities | LLM-driven recon, credential theft, lateral movement, persistence, database encryption and destruction |
| Source | Sysdig Threat Research Team |
TL;DR
Sysdig’s Threat Research Team documented JADEPUFFER, which it calls the first agentic ransomware operation. An AI agent ran the whole attack, from break-in to database extortion, with no human at the keyboard. It entered through an exposed Langflow server and wrecked a production database.
Delivery
The attack began with CVE-2025-3248, a missing-authentication flaw in Langflow. Langflow is an open-source framework for building LLM apps and agent workflows. The bug lets an unauthenticated attacker run Python on the host, and NVD rates it 9.8. Vendors patched it in Langflow 1.3.0, and CISA flagged it as exploited in May 2025. Even so, many servers stay exposed. JADEPUFFER shows agentic ransomware can start from a single neglected box. These servers are tempting because they often hold API keys and cloud credentials.
Infection Chain
JADEPUFFER worked in two stages. First, on the Langflow host, the agent mapped the system and swept for secrets. It hunted API keys, cloud credentials, crypto wallets, and database logins. Notably, the sweep targeted Chinese cloud providers alongside AWS, Google, and Azure. It also dumped Langflow’s own database and raided a MinIO store using default credentials. Then it planted persistence and pivoted to the real target.
The second stage hit a separate production server running MySQL and Alibaba Nacos. The agent logged in as database root, though Sysdig could not confirm where that credential came from. Nacos ships a default signing key documented since 2020, so the agent forged an admin token and inserted a backdoor account. The self-correction was striking. Sysdig reports it “went from a failed login to a working fix in 31 seconds.”
Confirmed vs suspected
Sysdig confirmed the agent’s behavior from captured payloads. However, it did not tie JADEPUFFER to any named human group. So the operator’s identity stays suspected, not confirmed.
Command-and-Control and Data Exfiltration
For persistence, the agent planted a scheduled task that beaconed to attacker infrastructure every 30 minutes. It staged harvested secrets to local files, reviewed them, then deleted the staging copies. It also ran container-escape pre-checks through the database. In the final phase, it encrypted 1,342 Nacos configuration items and dropped the original tables. It left a ransom note with a Bitcoin address and a Proton Mail contact.
Recovery was never on offer. The encryption key was random, printed once, and never saved or sent. So victims cannot restore the data, even if they pay. A code comment even claimed a backup to an external server, yet Sysdig found no proof of it. That false claim shows the model inventing details.
Defense and Detection
Patch Langflow and keep its code-execution endpoints off the internet. Do not store cloud keys or API tokens on internet-facing AI servers. Harden Nacos: change the default signing key, hide it from the internet, and never connect it as root. Also restrict database admin accounts to internal networks, and apply egress controls. Use runtime threat detection to catch malicious database behavior early. As Keeper Security CISO Shane Barney told SC Media, “Every entry point JADEPUFFER exploited traces back to a failure of credential governance.”
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.