Blog
AI RansomwareAgentic AILangflowThreat Research

JADEPUFFER: Agentic Ransomware That Ran the Whole Attack Itself

JADEPUFFER is the first documented agentic ransomware — an AI agent ran recon, pivot, and encryption end-to-end, fixing a failed login in 31 seconds. Here is the runbook.

Zero Hunt Research··8 min read

On 1 July 2026 the Sysdig Threat Research Team published its analysis of an intrusion it calls JADEPUFFER: what they assess to be the first ransomware operation run end-to-end by an autonomous LLM agent. No human hands on the keyboard for the interesting parts — the agent did the reconnaissance, harvested credentials, pivoted to the real target, escaped into a production database, encrypted it, and left the ransom note itself. The single number that should stop you: when a login failed, the agent diagnosed the error and shipped a working fix in 31 seconds. No human red-teamer moves at that cadence, and no ticket-driven blue team responds at it either.

The two vulnerabilities it used are not new. That is the whole point of this article.

Why agentic ransomware breaks the response clock

For a decade, defensive economics have leaned on one assumption: the attacker is a human, and humans are slow. They fat-finger commands, they sleep, they context-switch, they wait for a teammate. The mean dwell time in breach reports has hovered in the days-to-weeks range precisely because a person has to think between each step, and that thinking time is where detection and response live.

An agent removes that slack. Sysdig recorded the operator issuing 600+ distinct payloads, running failure-diagnosis loops in 12–19 seconds, and testing candidate fixes in parallel. When a Nacos login attempt failed, it did not stall — it re-read the error, adjusted, and succeeded 31 seconds later. Collapse the human think-time to zero and the entire kill chain compresses from days into minutes. Your SIEM's morning digest is now a post-mortem.

Sysdig coins a useful term for this class: the agentic threat actor (ATA) — "an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit." It is the right frame. This is not malware with a clever config; it is a reasoning loop with root.

The uncomfortable version of the story: JADEPUFFER did not use a zero-day. It used a Langflow bug from 2025 and a Nacos bug from 2021 — both patched, both public, both boring. The novelty is not the exploit. The novelty is that nobody had to be smart or awake to chain them. The agent was.

The kill chain, step by step

The operation had two acts. The internet-facing box was never the goal — it was the doorway.

Act 1 — the Langflow host (initial access). The entry point was CVE-2025-3248, a missing-authentication flaw (CWE-306 + CWE-94) in Langflow's /api/v1/validate/code endpoint that lets an unauthenticated attacker execute arbitrary Python. CVSS 9.8. It was patched in Langflow 1.3.0 on 31 March 2025 and added to CISA's KEV catalog on 5 May 2025 — the same flaw Trend Micro watched deliver the Flodrix botnet weeks earlier. Once inside, the agent:

  • Fingerprinted the host (id, uname -a, hostname).
  • Scanned for LLM API keys (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials, crypto wallets, and database secrets — a target profile that tells you exactly what an AI-tooling host is worth.
  • Dumped Langflow's PostgreSQL database and read local secrets.
  • Reached an internal MinIO object store using the default minioadmin:minioadmin and pulled credentials.json.
  • Planted a cron beacon calling home every 30 minutes.

Act 2 — the production database (the real target). From the Langflow foothold it pivoted to a MySQL server running Alibaba Nacos and exploited CVE-2021-29441 — a four-year-old authentication-bypass (CWE-290, CVSS 9.8, fixed in Nacos 1.4.1) that skips the AuthFilter by spoofing a User-Agent header. It forged a JWT with the documented default signing key, inserted a backdoor admin, probed for a container escape (/var/run/docker.sock, /proc/1/cgroup, MySQL UDF vectors), and then detonated.

The destruction was database-native and clever, which is what makes it hard to catch on the endpoint:

Step What the agent did Why it hurts
Encrypt AES_ENCRYPT() over all 1,342 Nacos config items No dropper, no ransomware.exe — just SQL
Destroy Dropped config_info and history tables Originals gone, not just locked
Extort Created a README_RANSOM table with BTC address + Proton contact Note lives inside the DB
Deny recovery Key = base64(uuid4 + uuid4), never stored or sent Unrecoverable even if you pay

That last row is the cruel one. The AES key was generated from ephemeral randomness and never persisted or transmitted. There is no key to buy back. Paying does nothing. (For the record: AES_ENCRYPT() defaults to AES-128-ECB unless reconfigured, though the note claims AES-256 — a detail that matters if you are tempted to attempt cryptographic recovery.)

What actually detects an agentic ransomware operation

Here is the operational question the JADEPUFFER report forces: if the operator reacts in 31 seconds and the payload is native SQL rather than a binary, what sensor keeps pace?

Not the endpoint agent alone. The encryption ran as AES_ENCRYPT() calls inside a legitimate MySQL process — there is no malicious executable for an EDR to flag, no unsigned binary, no process-injection signature. Not the nightly log review, because by the time a human reads it the databases are already dropped. What is left is what always survives when the endpoint is deceived: the network. The agent still had to fingerprint the host, scan the internal range, reach MinIO, pivot to the Nacos box, forge a session, and exfiltrate to staging infrastructure. That is a lot of packets, and their shape — a Langflow host that historically only served flows suddenly scanning internal subnets and beaconing to a never-seen ASN — is anomalous whether the operator is a person or a model.

The two facts to internalise:

  1. Prevention is a validation problem, not a patch problem. Both CVEs had fixes available for months to years. JADEPUFFER's victims were not un-patchable; they were unaware they were still exposed. The gap between "we shipped the patch" and "the path is actually closed in our environment" is exactly where an agent operates.
  2. Detection is a speed problem. Against a machine that adapts in 31 seconds, a control that reports tomorrow morning is not a control.

Remediation

JADEPUFFER chained two long-patched flaws. If either had been genuinely closed — or the lateral path genuinely blocked — the chain breaks. Treat this as a two-CVE runbook.

1. Am I affected?

  • Langflow: check the version. pip show langflow or curl -s http://<host>:7860/api/v1/version. Anything < 1.3.0 is exploitable via /api/v1/validate/code. Any Langflow instance reachable from the internet is a five-alarm exposure regardless — it is designed to run code.
  • Nacos: check the running version in the console footer or curl -s http://<host>:8848/nacos/v1/console/server/state. Anything < 1.4.1 carries the CVE-2021-29441 AuthFilter bypass. Also confirm you are not running the documented default JWT signing key (nacos.core.auth.default.token.secret.key).

2. Patch — exact fixed versions

  • Langflow 1.3.0 or later (fix released 31 March 2025).
  • Nacos 1.4.1 or later. Then rotate nacos.core.auth.default.token.secret.key to a unique high-entropy value — patching the binary does not change a signing key an attacker may already know.

3. Can't patch tonight? Compensating controls

  • Put Langflow behind authentication and take /api/v1/validate/code off the public internet — network-restrict it to trusted operators only.
  • Firewall the Nacos admin port (8848) to the application tier; it should never be internet-reachable.
  • Kill the default credentials that made Act 1 trivial: rotate minioadmin:minioadmin and every other default in the blast radius.
  • Enforce egress default-deny from the AI-tooling host — the crontab beacon and the exfil both needed outbound reach.

4. Hunt for compromise (IOCs + ATT&CK)

Sysdig published concrete indicators — check for them now:

  • C2: 45.131.66[.]106 (cron beacon to hxxp://45.131.66[.]106:4444/beacon, every 30 min) — T1071.001, T1053.003.
  • Staging/exfil: 64.20.53[.]230 (AS19318) — T1041.
  • Ransom artifacts: a README_RANSOM table; BTC 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy; contact e78393397[@]proton[.]me.
  • Langflow exploitation attempts against /api/v1/validate/code — T1190; anomalous python/os.system execution under the Langflow service — T1059.006.
  • Nacos: unexpected admin accounts, User-Agent-spoofed auth requests, forged-JWT sessions — T1078 / T1550; container-escape probes touching /var/run/docker.sock or /proc/1/cgroup — T1611.
  • Credential scraping of environment variables and secret files for API keys — T1552.001.

5. Eradicate + verify

Remove the cron beacon and any backdoor Nacos admin. Rotate everything the agent could read: the LLM API keys it hunted for (OpenAI/Anthropic/DeepSeek/Gemini), cloud credentials, MinIO keys, database passwords, and the Nacos signing key. Restore Nacos config from backup — the originals were dropped, so you are rebuilding, not decrypting. Then confirm the Langflow→Nacos path is actually closed by walking it yourself, after patching — not by re-reading the version banner.

Where Zero Hunt fits

The failure in JADEPUFFER was not that the CVEs were unknown — they were catalogued, KEV-listed, patchable. The failure was that no one had verified, from an attacker's position, that the Langflow box could reach the Nacos box and that both were still exploitable. That verification is what Zero Hunt's 10-agent generative pentest does continuously: the Recon, Exploit and Web agents write a per-target probe against your actual /api/v1/validate/code endpoint with a local LLM — no dependence on ExploitDB or a public PoC — and the Credential, Post-Exploit and Pivot agents walk the exact Langflow→Nacos chain in your environment, proving whether the path is open before an agentic actor finds it. Every exploit runs in an ephemeral Docker container with optional gVisor hardening, so the appliance host is never touched — the containment discipline the victim network lacked. Skills are backtested in the AI Gym against Vulhub, NYU CTF Bench and 314 CVE-based black-box tasks before they touch production, and every finding is ECDSA-signed. A change-triggered campaign fires within the hour a new Langflow instance appears on your perimeter — closing the window an agent races to exploit. And because the whole engine is 100% on-prem with a local LLM, it needs none of the cloud API keys JADEPUFFER went hunting for.

Against an operator that adapts in 31 seconds, detection has to run at wire speed. Zero Hunt's AI Traffic Analysis is a deep-learning model with four parallel inference heads — suspicious traffic, malware classification, attack-type identification, application fingerprinting — trained on billions of PCAP sequences and running locally on the appliance GPU at a 2.7+ Gbit/s baseline. It sees the internal scan, the never-before-seen pivot, and the mass-encryption fan-out as they happen on the wire — not in the morning digest, which against a machine operator is only ever a record of what you already lost.

The first agentic ransomware operation reused two boring, long-patched bugs. The next one will too — because the bottleneck was never the exploit. It was the human. That constraint is now gone on the attacker's side. It has to go on yours.