JADEPUFFER: First End-to-End AI-Driven Ransomware Operation

Pierluigi Paganini
July 03, 2026

Sysdig reports an AI agent ran a full ransomware attack end-to-end, exploiting flaws, stealing creds, moving laterally, and encrypting data without humans.

Sysdig’s Threat Research Team has documented what it assesses to be the first ransomware operation driven end-to-end by a large language model. The operator, which Sysdig calls JADEPUFFER, broke into a server, harvested credentials, moved to a separate production target, encrypted a database, and destroyed data, all without a human at the keyboard. Ransomware has always needed a skilled person somewhere in the loop. That may no longer be true.

“The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM),” reads the report published by Sysdig. “This operator, which we have dubbed JADEPUFFER, gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim’s production database server. JADEPUFFER is considered an agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit.”

The entry point was CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building AI applications and agent workflows. The bug lets anyone who can reach the server execute arbitrary Python code on it, no login required. Langflow was patched and added to CISA’s Known Exploited Vulnerabilities list in May 2025. Many servers were never updated.

Langflow boxes are attractive because they tend to sit exposed on the internet and frequently hold API keys and cloud credentials for the services they connect to. JADEPUFFER knew this. Immediately after gaining execution, it swept the environment for secrets across multiple categories in parallel: API keys for OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials including Chinese providers like Alibaba, Aliyun, Tencent, and Huawei alongside AWS, GCP, and Azure; cryptocurrency wallet keys and seed phrases; and database credentials and configuration files.

It also raided Langflow’s own backing Postgres database, harvesting stored credentials, API keys, and user records, staged the output to local files, reviewed them, then deleted the staging files. Then it probed internal services reachable from the Langflow host: databases, object stores, secret managers, and service-discovery endpoints, all tested with default credentials.

One finding in the internal sweep was a MinIO object storage server accessible at the canonical container deployment addresses. MinIO is a self-hosted, S3-compatible storage service widely used to hold application data, backups, machine learning models, and infrastructure state. The default credentials, minioadmin:minioadmin, had never been changed.

JADEPUFFER worked through MinIO’s API systematically: anonymous health check, then admin API info, then authenticated bucket listing, then targeted retrieval of files whose names suggested credentials. When an initial request using ?format=json received XML in response, the LLM immediately adapted its parser to the S3 response schema and re-issued the request. As Sysdig’s report describes it:

“The enumeration was iterative and self-correcting. When an initial attempt used ?format=json and received XML, the LLM immediately adapted its XML parser to the S3 response schema and re-issued the request,” continues the report. “It also escalated progressively: anonymous health check → admin API info → authenticated ListBuckets → targeted GetObject on files whose names suggested credentials (credentials.json.env).”

That’s not a scanner running a fixed script. That’s an agent reading output and adjusting its next move.

Before moving on, it installed a crontab entry on the Langflow server that beaconed to attacker infrastructure at 45.131.66[.]106 every 30 minutes.
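The persistence described above is easy to hunt for on any host that was exposed in the same way. The following added example (not code from Sysdig or from the report) scans a crontab dump for entries that invoke a network client or a raw IP literal and notes beacon-like minute intervals; the crontab text is constructed, and the 203.0.113.10 address is a TEST-NET placeholder, not the indicator from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed crontab dump (placeholder content, not from the incident):
# a nightly backup, a 30-minute beacon to a raw IP, and a maintenance job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh --quiet
*/30 * * * * curl -s http://203.0.113.10:4444/ >/dev/null 2>&1
15 * * * * /opt/langflow/.venv/bin/python /opt/langflow/housekeeping.py
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NETWORK_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|socat|bash -i)\b")
SHORT_INTERVAL = re.compile(r"^\*/(\d+)\s")  # "*/N" in the minute field


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list = field(default_factory=list)


def parse_entry(line: str):
    """Split a crontab line into its five schedule fields and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def hunt_crontab(text: str, max_minutes: int = 60) -> list:
    """Return entries that look like outbound beacons.

    An entry is reported when its command references a network client or a
    raw IPv4 literal; a short repeating interval is added as supporting
    context rather than being a finding on its own.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_entry(line)
        if parsed is None:
            continue
        _schedule, command = parsed
        reasons = []
        if IPV4.search(command):
            reasons.append("raw IPv4 literal in command")
        if NETWORK_TOOLS.search(command):
            reasons.append("network client invoked from cron")
        if not reasons:
            continue
        m = SHORT_INTERVAL.match(line)
        if m and int(m.group(1)) <= max_minutes:
            reasons.append(f"beacon-like interval: every {m.group(1)} minutes")
        findings.append(Finding(n, line, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against `crontab -l` output or the files under the cron spool directory; the regexes are deliberately broad, so treat hits as leads to triage rather than verdicts.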

The Langflow instance was never the point. Artifacts captured from the compromised host show JADEPUFFER’s true objective was a separate internet-exposed production server running a MySQL database and Alibaba’s Nacos configuration service. Nacos is a service-discovery and dynamic configuration platform common in microservice architectures. Its authentication system has a documented history of bypasses, and its default JWT signing key has been publicly known since 2020 and ships unchanged in many deployments.

JADEPUFFER connected to the MySQL server as root using credentials whose origin Sysdig couldn’t establish. They weren’t observed being harvested from the victim’s environment.

From there, it attacked Nacos through multiple vectors simultaneously: exploiting the 2021 authentication bypass CVE-2021-29441, forging a valid JWT using the well-known default signing key, and injecting a backdoor administrator account directly into the Nacos backing database.

The backdoor account insertion is where the evidence of autonomous operation becomes most precise. The first payload generated a bcrypt hash using a subprocess call, inserted the account, and assigned admin privileges. The login verification failed. Thirty-one seconds later, without any human intervention, a corrective payload appeared: it deleted the broken account, diagnosed the root cause as a subprocess PATH issue preventing bcrypt from generating a valid hash, switched to importing bcrypt directly, confirmed the library was importable by printing its version, and reinserted the account with a correctly generated hash. The login then succeeded.

“The window between the failed login and the correct multi-step fix is 31 seconds. That payload is 15 lines of coordinated code: delete, diagnose, rebuild, and reinsert. A human operator reading an error message, identifying the root cause as a subprocess PATH issue, drafting a corrective script, and submitting it takes much longer than 31 seconds,” states Sysdig. “The same pattern recurs throughout the session: the MinIO ?format=json request receives XML, and the next payload immediately parses XML – the JWT forgery receives "custom secret in use", and the JWT path is abandoned entirely.”

The same adaptive behavior appeared when a DROP DATABASE command failed silently due to a foreign key constraint. The next payload wrapped the same command with SET GLOBAL FOREIGN_KEY_CHECKS=0 before the drop and reset it after. The fix was specific to the failure mode, not a generic retry.

After establishing control over Nacos, JADEPUFFER encrypted all 1,342 Nacos service configuration items using MySQL’s AES_ENCRYPT() function, dropped the original config_info and history tables, and created a ransom table named README_RANSOM containing a demand, a Bitcoin payment address, and a Proton Mail contact. A follow-up payload two minutes later updated the note with a refined count of all 1,342 encrypted items.
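Every step of the database playbook described in the last three paragraphs (disabling foreign-key checks before a drop, rewriting rows through AES_ENCRYPT(), creating a ransom table) leaves a distinct statement in MySQL's general query log, which makes the sequence detectable at runtime. The following added example (not Sysdig's detection logic, and not code from the report) runs a small stateful rule set over constructed general-log lines; the timestamps, thread ids, addresses and the `nacos_backup` database name are invented, and the real log separates fields with tabs, which the parser tolerates.

```python
import re
from collections import defaultdict

# Constructed MySQL general-log excerpt (placeholder values): thread 7 is a
# normal application query, thread 12 runs the destructive sequence.
SAMPLE_GENERAL_LOG = """\
2026-06-30T10:15:01.000001Z     7 Connect   app@10.0.0.5 on nacos using TCP/IP
2026-06-30T10:15:01.100000Z     7 Query     SELECT data_id, content FROM config_info WHERE id = 17
2026-06-30T10:15:02.000000Z    12 Connect   root@198.51.100.7 on nacos using TCP/IP
2026-06-30T10:15:03.000000Z    12 Query     UPDATE config_info SET content = AES_ENCRYPT(content, @k)
2026-06-30T10:15:04.000000Z    12 Query     CREATE TABLE README_RANSOM (note TEXT)
2026-06-30T10:15:05.000000Z    12 Query     DROP TABLE his_config_info
2026-06-30T10:15:06.000000Z    12 Query     SET GLOBAL FOREIGN_KEY_CHECKS=0
2026-06-30T10:15:07.000000Z    12 Query     DROP DATABASE nacos_backup
2026-06-30T10:15:08.000000Z    12 Query     SET GLOBAL FOREIGN_KEY_CHECKS=1
"""

# time, thread id, command type, argument (tabs or spaces between fields)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

FK_OFF = re.compile(r"^\s*SET\s+(?:GLOBAL\s+|SESSION\s+)?FOREIGN_KEY_CHECKS\s*=\s*0\b", re.I)
FK_ON = re.compile(r"^\s*SET\s+(?:GLOBAL\s+|SESSION\s+)?FOREIGN_KEY_CHECKS\s*=\s*1\b", re.I)
DROP_DB = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA)\b", re.I)

# Stateless rules: first match wins for a given statement.
RULES = [
    ("aes_encrypt_rewrite", re.compile(r"^\s*UPDATE\b.*\bAES_ENCRYPT\s*\(", re.I | re.S)),
    ("ransom_table_created", re.compile(r"^\s*CREATE\s+TABLE\s+\S*(?:RANSOM|README)", re.I)),
    ("table_dropped", re.compile(r"^\s*DROP\s+TABLE\b", re.I)),
]


def scan_general_log(text: str) -> list:
    """Return (thread, rule, statement) alerts for destructive-playbook statements."""
    alerts = []
    fk_disabled = {}  # thread id -> timestamp when FOREIGN_KEY_CHECKS was set to 0
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m["cmd"] != "Query":
            continue
        thread, stmt, ts = m["thread"], m["arg"].strip(), m["ts"]
        if FK_OFF.match(stmt):
            fk_disabled[thread] = ts
            continue
        if FK_ON.match(stmt):
            fk_disabled.pop(thread, None)
            continue
        if DROP_DB.match(stmt):
            # A drop issued while this connection has FK checks off is the
            # specific adaptation the report describes; plain drops still alert.
            rule = "drop_database_with_fk_checks_off" if thread in fk_disabled else "drop_database"
            alerts.append((thread, rule, stmt))
            continue
        for name, pattern in RULES:
            if pattern.search(stmt):
                alerts.append((thread, name, stmt))
                break
    return alerts


def summarize(alerts: list) -> dict:
    """Map each thread id to the sorted set of rules it triggered."""
    by_thread = defaultdict(set)
    for thread, rule, _stmt in alerts:
        by_thread[thread].add(rule)
    return {t: sorted(r) for t, r in by_thread.items()}


if __name__ == "__main__":
    for thread, rule, stmt in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"thread {thread}: {rule}: {stmt}")
```

A single rule hit on a busy server can be legitimate maintenance; the useful signal is one connection triggering several of these rules within minutes, which `summarize()` surfaces. The general log is off by default and is expensive, so in practice the same logic belongs in an audit-log or proxy-level pipeline.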

The encryption key was generated from two concatenated UUID4 values, essentially random, printed once to stdout, and never stored or transmitted anywhere. The victim cannot recover the encrypted configurations even with payment. The ransom note claims AES-256; MySQL’s AES_ENCRYPT() defaults to AES-128-ECB unless the server was reconfigured, so the claim overstates the algorithm. The practical result is the same either way.
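The mismatch between the claimed AES-256 and what AES_ENCRYPT() actually does is worth seeing in concrete terms. The following added example (not code from the report) reproduces MySQL's legacy key handling for AES_ENCRYPT() when no key-derivation function is specified: the server does not hash or truncate `key_str`, it XORs its bytes cyclically into a zero-filled buffer the size of the selected mode's key (16 bytes under the default `aes-128-ecb`). The folding routine is this writer's re-implementation of that documented behaviour, and the two UUIDs are fixed constructed values so the output is reproducible.

```python
import uuid


def fold_mysql_aes_key(key: bytes, key_len: int = 16) -> bytes:
    """Fold a key_str the way MySQL's AES functions do without a KDF.

    Bytes are XORed cyclically into a zero buffer of key_len bytes, so a
    short key is zero-padded and a long key wraps onto itself. Extra bytes
    therefore never raise the effective key size above key_len.
    """
    folded = bytearray(key_len)
    for i, b in enumerate(key):
        folded[i % key_len] ^= b
    return bytes(folded)


def effective_key_bits(key: bytes, key_len: int = 16) -> int:
    """Key strength after folding, regardless of how long key_str was."""
    return 8 * len(fold_mysql_aes_key(key, key_len))


def ransom_style_key(u1: uuid.UUID, u2: uuid.UUID) -> bytes:
    """Two concatenated UUID4 strings: the key shape the report describes."""
    return (str(u1) + str(u2)).encode()


def key_sizes_for_mode(block_encryption_mode: str) -> int:
    """Key length in bytes implied by MySQL's block_encryption_mode value."""
    bits = int(block_encryption_mode.split("-")[1])
    return bits // 8


if __name__ == "__main__":
    # Constructed UUID values, fixed so the demonstration is deterministic.
    u1 = uuid.UUID("12345678-1234-4123-8123-123456789abc")
    u2 = uuid.UUID("abcdef01-2345-4678-9abc-def012345678")
    key = ransom_style_key(u1, u2)
    print(f"key_str length: {len(key)} bytes")
    print(f"default mode aes-128-ecb -> effective key: {effective_key_bits(key)} bits")
    print(f"aes-256 modes would use a {key_sizes_for_mode('aes-256-cbc')}-byte buffer")
    print(f"folded key: {fold_mysql_aes_key(key).hex()}")
```

Two things fall out of this. First, a 72-character key_str under the default mode still yields a 128-bit key, so the ransom note's AES-256 claim would only hold if the server had `block_encryption_mode` set to an `aes-256-*` value beforehand. Second, the folding is lossy and reversible only with the original key_str; since that value was printed once and never stored, the folded key cannot be reconstructed from anything left on the server, which is why the report concludes the configurations are unrecoverable.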

After the ransomware phase, the agent escalated to dropping entire database schemas, narrating its own targeting rationale inside the code. Comments in the payloads read “High-ROI databases to drop (data already backed up to 64.20.53[.]230)” before issuing DROP DATABASE commands. Sysdig couldn’t independently verify any exfiltration to that staging server. The claim is the agent’s own assertion, not something the team could confirm from external evidence.

This self-narration is one of four independent lines of evidence Sysdig uses to support its assessment that the operation was LLM-driven.

“Human operators do not annotate disposable python3 -c one-liners this way, but LLM code-generation does so by default. The narration is internal to the attacker’s own payloads, not inferred,” states the report.

The other supporting evidence: machine-speed failure diagnosis and correction, demonstrated comprehension of free-text context planted by the target, and the curious Bitcoin address.

The ransom note contains the Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy. This is the canonical Pay-to-Script-Hash example address used throughout Bitcoin’s own developer documentation and the Bitcoin core repository, which means it saturates LLM training data as a “for example” illustration. It is also a real, active wallet with 737 confirmed transactions and roughly 46 BTC received over its history, with every deposit immediately transferred elsewhere and the current balance at zero.

Sysdig can’t resolve this from available data. Either the LLM hallucinated the address from training material and the wallet belongs to a third party who sweeps unsolicited deposits, or the operator deliberately configured a real, controlled wallet that happens to match the famous documentation example. Both interpretations have uncomfortable implications.

None of the individual techniques in this operation were novel. CVE-2025-3248 was patched over a year before the attack. The Nacos authentication bypass dates to 2021. The default JWT signing key has been publicly documented since 2020. What JADEPUFFER demonstrates is that an AI agent can chain these steps into a complete extortion operation against neglected internet-facing infrastructure without the operator possessing deep expertise in any single step.

Sysdig’s indicators for this operation: C2 at 45.131.66[.]106 with beaconing to port 4444 every 30 minutes, claimed staging server at 64.20.53[.]230, ransom Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, contact e78393397[@]proton[.]me, and the ransom table name README_RANSOM, which doesn’t match any known MySQL ransomware campaign lineage.

The defensive priorities are practical and not new: patch Langflow and keep its code execution endpoints off the internet, don’t store cloud credentials or API keys in the environment of internet-facing AI servers, change Nacos’s default signing key and keep it off the public internet, never expose a database admin account to the internet, and enforce egress controls so a compromised host can’t beacon out. The argument for runtime behavioral detection over patch racing has become harder to dismiss.

“Ransomware is no longer a craft for the highly skilled: An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step. Tradecraft that once implied a capable human now implies a capable model,” concludes the report, which also provides indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, JADEPUFFER)