What Is JADEPUFFER? The First Agentic Threat Actor Ransomware Case
Bottom line: Sysdig defines JADEPUFFER as an Agentic Threat Actor (ATA)—attack capability delivered by an AI agent, not a human-operated toolkit. This classification was formally introduced in the report.
| Dimension | Detail |
|---|---|
| Discoverer | Sysdig TRT, author Michael Clark (Director of Threat Research) |
| Published | July 1, 2026 (media follow-up July 2–6; public awareness peaked around July 6) |
| Codename | JADEPUFFER (Sysdig official all-caps naming) |
| Entry host | Internet-exposed Langflow (CVE-2025-3248 RCE) |
| True target | Separate internet-exposed production server: MySQL + Nacos config center |
| Scale | 600+ distinct payloads executed in a compressed time window |
| Date | Event |
|---|---|
| April 2025 | CVE-2025-3248 disclosed (unauthenticated code injection/RCE in Langflow) |
| May 5, 2025 | Added to CISA Known Exploited Vulnerabilities (KEV) catalog |
| 2025 | Same flaw used to deliver Flodrix botnet (Trend Micro—separate campaign) |
| June 2026 | JADEPUFFER attack; chain executed across sessions weeks apart |
| July 1, 2026 | Sysdig full technical report published |
| July 2–6, 2026 | Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs coverage |
Public Langflow exposure: AI orchestration servers often store LLM API keys and cloud credentials in environment variables; teams rush prototypes online without network controls.
Long-exploited critical flaw: CVE-2025-3248 EPSS exploitation probability 91.42% (SentinelOne)—continuous internet scanning and weaponization.
Aging downstream infra: True target hit by 2021 Nacos auth bypass and never-rotated default JWT signing key.
MySQL root on the internet: Agent connected with root credentials to exposed port—source unclear; possibly human-prepared.
Unrecoverable encryption key: uuid4() generated, printed to stdout only, never exfiltrated—payment cannot decrypt data.
CVE-2025-3248: How Langflow Unauthenticated RCE Gets Weaponized
| Field | Detail |
|---|---|
| Component | Langflow — open-source visual AI agent workflow builder, 70k+ GitHub stars |
| Weakness | CWE-94 (code injection) + CWE-306 (missing authentication) |
| CVSS | 9.8 Critical — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected | All Langflow versions before 1.3.0 |
| Endpoint | /api/v1/validate/code |
| Fix | Version 1.3.0 (authentication added) |
The endpoint validates custom function node syntax via ast.parse() → compile() → exec() with no authentication and no sandbox. Python evaluates decorators and default arguments at function definition time. Malicious code in defaults runs during "validation"—one unauthenticated HTTP POST achieves RCE.
exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')| Dimension | Flodrix botnet | JADEPUFFER (this case) |
|---|---|---|
| Driver | Traditional scripts/human ops | LLM agent end-to-end |
| Entry | CVE-2025-3248 | CVE-2025-3248 |
| Goal | DDoS botnet | Database extortion + destruction |
| Relation | Independent campaigns—same flaw, ongoing weaponization | |
Patch: Langflow 1.3.0 adds _current_user: CurrentActiveUser to post_validate_code; FastAPI validates JWT Bearer or x-api-key first—failed auth returns 401/403 before vulnerable logic runs.
Full Attack Chain: Phase 1 Langflow Compromise and Phase 2 Nacos Takeover
Phase 1: Base64-encoded Python payloads delivered via RCE endpoint.
Parallel recon + credential harvest: id, uname -a, hostname; scans OpenAI/Anthropic/DeepSeek/Gemini keys, ALIBABA_/ALIYUN_/TENCENT_/HUAWEI_/AWS/GCP/Azure creds, crypto seeds, DB configs.
Local exfiltration: Exported Langflow PostgreSQL backend; reviewed locally then deleted staging files.
MinIO enumeration: Probed minio.internal:9000 and 127.0.0.1:9000 with minioadmin:minioadmin; prioritized terraform-state and credentials.json. Requested ?format=json, got XML—immediately switched to XML parser (probe-error-adapt loop).
Persistence: Crontab beacon every 30 min to hxxp://45.131.66[.]106:4444/beacon.
Phase 2: Nacos widely used in Alibaba microservices; CVE-2021-29441 bypass history; default JWT secret documented since 2020, often never rotated.
| UTC time | Action |
|---|---|
| 19:34:24 | Inserted xadmin admin via subprocess bcrypt hash |
| 19:34:36 | Login xadmin:Xploit@2026# failed |
| 19:34:48 | Parallel test nacos:nacos + regenerate admin123 hash |
| 19:35:07 | Switched to import bcrypt, deleted bad rows, rebuilt account |
| 19:35:18 | Login succeeded—31 seconds total |
Container escape probes (~8 min): MySQL INTO OUTFILE / LOAD_FILE on docker.sock, cgroup, hostname; checked mysql.func for UDF escalation. Wrote cleanup marker before ransom phase—structured agent stage transition, not a fixed script.
Destructive encryption: All 1,342 Nacos configs encrypted with AES_ENCRYPT(); dropped config_info and his_config_info; created README_RANSOM table. Key from uuid4(), printed once, never stored—unrecoverable even if paid. Note claims AES-256; MySQL default is AES-128-ECB.
Mass destruction: ROI-prioritized DROP DATABASE; comment claimed backup to 64.20.53[.]230—Sysdig found no independent evidence. Foreign key failure triggered automatic SET GLOBAL FOREIGN_KEY_CHECKS=0 fix—understanding why, not blind retry.
How to Defend After JADEPUFFER: Six Actionable Steps
Upgrade Langflow: Patch to 1.3.0+; never expose code execution/validation endpoints on the public internet.
Isolate secrets: Do not store LLM API keys or cloud credentials in AI orchestration server env vars—use KMS, separate from public-facing processes.
Harden Nacos: Rotate default token.secret.key; upgrade to versions requiring custom secrets; never expose Nacos publicly; no root DB connections.
Database access control: No admin accounts on the internet; strong unique credentials + source IP restrictions on management ports.
Egress control: Block compromised hosts from arbitrary beaconing or reaching staging servers (45.131.66[.]106, 64.20.53[.]230).
Runtime detection + IOC monitoring: Detect malicious DB process behavior; watch crontab outbound calls and anomalous User-Agent strings. Agent dev isolation: help center.
Four Autonomy Evidence Lines, Bitcoin Mystery, IOCs, and Sysdig Verdict
Self-narrating code: Natural-language comments explaining ROI sorting and "largest database"—native in attacker payloads, not researcher inference.
Machine-speed fault repair: 31-second Nacos fix, MinIO XML/JSON adaptation, JWT path abandoned on "custom secret" response.
Natural-language context parsing: Actions only sensible if the agent read free-text environment context—repeated across sessions weeks apart.
Bitcoin address mystery: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is Bitcoin Core's standard P2SH example address in training corpora; 737 on-chain txs, ~46 BTC swept immediately. LLM hallucination vs attacker wallet—both unprovable.
| IOC type | Indicator |
|---|---|
| C2 / beacon | 45.131.66[.]106, crontab → port 4444/beacon |
| Staging | 64.20.53[.]230 (InterServer AS19318) |
| Entry CVE | CVE-2025-3248 |
| Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact | e78393397[@]proton[.]me (no prior intel hits) |
| Ransom table | README_RANSOM (novel naming) |
Industry reaction: Media called it "first fully AI-driven ransomware." Red team expert Vibhum Dubey (CSO Online): worry about the quiet period before encryption—agents map identity systems while evading detection; each intrusion may look slightly different. LLMjacking angle: stolen credentials driving agents pushes marginal attack cost toward zero.
CVSS 9.8 + EPSS 91.42%: CVE-2025-3248 is a continuously scanned critical entry (NVD / SentinelOne).
600+ payloads: Coherent execution at scale points to autonomous agent, not fixed toolkit.
1,342 configs encrypted + lost key: Victim data permanently gone even if ransom paid.
Sysdig's four takeaways: (1) Ransomware skill floor dropped to "cost of running an agent"; (2) Old CVEs weaponized at near-zero cost to spray the entire historical vuln catalog; (3) LLM self-narration gives defenders a new detection surface; (4) "Already backed up" was agent self-commentary, unverified.
The math on alternatives: running Langflow/Nacos on the public internet for agent prototyping hands API keys and topology to scanners; 24/7 autonomous agents on a laptop lacks egress control and runtime detection; virtualized macOS agent hosts violate EULA and throttle Metal. For AI agent production, red-team simulation, and iOS CI/CD needing full root and isolation, KVMNODE dedicated Mac Mini M4 cloud rental is usually the better fit: genuine Apple Silicon hardware, open sudo, flexible daily/weekly/monthly billing, auditable agent workflows off production networks. JADEPUFFER signals the skill bar is now agent-running cost—treat public app servers, unhardened config centers, and internet-reachable DB admin accounts as first targets.
Sources: Sysdig JADEPUFFER report; BleepingComputer, Dark Reading, CyberScoop, CSO Online, Security Affairs; Trend Micro CVE-2025-3248 / Flodrix; NVD, CISA KEV.