JADEPUFFER Ransomware Targets Cloud API Keys with Python Payloads
Key Takeaways
- JADEPUFFER represents the first documented instance of fully autonomous, AI-driven ransomware.
- The ransomware leverages a critical unauthenticated remote code execution vulnerability (CVE-2025-3248) in Langflow instances.
- It targets a wide array of cloud API keys, cryptocurrency wallets, and database credentials, including those for OpenAI, AWS, and Azure.
- JADEPUFFER demonstrates adaptive capabilities, autonomously correcting its attack scripts in real-time.
- Victims cannot recover data even by paying the ransom, as encryption keys are not saved.
The landscape of cyber threats has fundamentally shifted with the emergence of JADEPUFFER, a ransomware operation believed to be entirely controlled by an AI agent. This marks a significant departure from traditional ransomware, which typically relies on human operators or pre-scripted tools. JADEPUFFER, identified by researchers, operates as an “agentic threat actor,” utilizing a large language model to independently plan, adapt, and execute its attack chain.
In a report shared with Cyber Security News (CSN), Sysdig said that its analysis of captured payloads revealed an intrusion that progressed from initial access to complete database destruction with minimal, if any, human intervention.
Initial Intrusion via Langflow Vulnerability
JADEPUFFER’s attack began with an internet-accessible instance of Langflow, an open-source framework designed for building AI agent workflows. The attackers exploited a critical vulnerability, tracked as CVE-2025-3248, an authentication bypass in Langflow’s code validation endpoint. This flaw allowed the AI agent to execute arbitrary Python code without any prior authentication, providing a direct entry point for the autonomous ransomware operation. Once inside, JADEPUFFER rapidly moved to escalate privileges and expand its presence within the compromised environment.
Agentic Ransomware JADEPUFFER Uses Base64 Python Payloads
JADEPUFFER’s operational methodology involved delivering its payloads as Base64-encoded Python scripts, leveraging the Langflow vulnerability for execution. Upon gaining a foothold, the AI agent systematically mapped the compromised host. This reconnaissance phase included identifying user identities, enumerating network interfaces, and analyzing running processes. Its primary objective during this stage was to locate and harvest stored secrets.
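For defenders, the delivery pattern described above (Base64-encoded Python sent to the code validation endpoint without authentication) can be hunted in proxy or WAF logs that retain request bodies. The following is an added detection example, not code from Sysdig or Langflow; the endpoint route, the record fields (`src`, `path`, `authenticated`, `body`) and the indicator list are assumptions, and the sample records are constructed.

```python
import ast, base64, binascii, json, re
# Assumption: route of Langflow's code validation endpoint; confirm for your version.
VALIDATE_PATH = "/api/v1/validate/code"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
RISKY = {"os", "subprocess", "socket", "urllib", "requests", "exec", "eval", "__import__"}

def python_indicators(source):
    """Return risky imports/calls found in source, or None if it does not parse as Python."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return None
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            hits |= {a.name.split(".")[0] for a in node.names} & RISKY
        elif isinstance(node, ast.ImportFrom) and node.module:
            hits |= {node.module.split(".")[0]} & RISKY
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            hits |= {node.func.id} & RISKY
    return hits

def embedded_python(body):
    """Decode each Base64 run in a request body and collect indicators from Python inside."""
    found = set()
    for blob in B64_RUN.findall(body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        found |= python_indicators(text) or set()
    return found

def triage(record):
    """Alert on unauthenticated requests to the validation endpoint carrying encoded Python."""
    if record["path"] != VALIDATE_PATH or record["authenticated"]:
        return None
    hits = embedded_python(record["body"])
    return {"src": record["src"], "indicators": sorted(hits)} if hits else None

# Constructed sample records (not taken from the report).
BLOB = base64.b64encode(b"import os, socket\nprint(os.getuid(), socket.gethostname())\n").decode()
SAMPLES = [
    {"src": "203.0.113.7", "path": VALIDATE_PATH, "authenticated": False,
     "body": json.dumps({"code": f"payload = '{BLOB}'"})},
    {"src": "198.51.100.4", "path": VALIDATE_PATH, "authenticated": True,
     "body": json.dumps({"code": "def add(a, b):\n    return a + b"})},
]
ALERTS = [alert for alert in map(triage, SAMPLES) if alert]
```

Parsing the decoded text with `ast` instead of matching keywords keeps random Base64 data that happens to decode to printable text from raising alerts.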
The scope of credential harvesting was extensive, encompassing API keys for prominent AI platforms like OpenAI, Anthropic, DeepSeek, and Gemini. It also targeted cloud service credentials from major providers such as AWS and Azure, alongside several Chinese cloud platforms. Additionally, JADEPUFFER sought out cryptocurrency wallets, seed phrases, and critical database configuration files.
The agent then accessed Langflow’s own backend database, extracting stored credentials and user records before systematically deleting any locally staged files. It proceeded to scan the internal network for accessible services, discovering a MinIO storage instance that was still configured with its default administrative credentials. Exploiting these default credentials, JADEPUFFER enumerated all storage buckets, prioritizing those containing configuration data, and successfully extracted a credentials file. To maintain persistence, the agent installed a scheduled task on the compromised server, establishing a beacon that contacted attacker infrastructure every thirty minutes.
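Two conditions in this stage can be checked on a host directly: a MinIO service still running with default administrative credentials, and a scheduled job that fires every thirty minutes and reaches out to the network. The following is an added audit example, not code from the report; it assumes the scheduled task is a cron entry and that MinIO credentials are set through `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` in an environment file, and all sample data is constructed.

```python
import re

NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|python3?)\b")  # heuristic program list
MINIO_DEFAULT = "minioadmin"  # MinIO's built-in root user and password

def expand_minutes(field):
    """Expand a cron minute field such as '*/30' or '15,45' into a set of minutes."""
    out = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = rng.partition("-")
        start = 0 if lo == "*" else int(lo)
        end = 59 if lo == "*" or (step and not hi) else int(hi or lo)
        out |= set(range(start, end + 1, int(step or 1)))
    return out

def half_hourly_beacons(crontab):
    """Return entries that run twice an hour, 30 minutes apart, via a network-capable program."""
    flagged = []
    for line in crontab.splitlines():
        fields = line.split(None, 5)
        if line.lstrip().startswith("#") or len(fields) < 6:
            continue
        try:
            minutes = sorted(expand_minutes(fields[0]))
        except ValueError:  # @reboot, names, malformed fields
            continue
        twice = len(minutes) == 2 and minutes[1] - minutes[0] == 30
        if twice and fields[1] == "*" and NET_TOOLS.search(fields[5]):
            flagged.append(line.strip())
    return flagged

def minio_uses_defaults(env_text):
    """True if root credentials are unset or literally the default (unset means default)."""
    env = dict(l.split("=", 1) for l in env_text.splitlines() if "=" in l and l[0] != "#")
    user = env.get("MINIO_ROOT_USER", MINIO_DEFAULT).strip("\"' ")
    password = env.get("MINIO_ROOT_PASSWORD", MINIO_DEFAULT).strip("\"' ")
    return (user, password) == (MINIO_DEFAULT, MINIO_DEFAULT)

# Constructed samples (hosts, URLs and values are placeholders, not from the report).
CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/30 * * * * curl -s https://beacon.example.invalid/checkin
15,45 * * * * /usr/bin/python3 /tmp/.cache/up.py
*/5 * * * * wget -q -O /dev/null https://status.example.invalid/ping
"""
ENV_DEFAULTED = "MINIO_VOLUMES=/data\nMINIO_OPTS=--console-address :9001\n"
ENV_HARDENED = "MINIO_ROOT_USER=svc-minio\nMINIO_ROOT_PASSWORD=constructed-long-secret\n"
FLAGGED = half_hourly_beacons(CRONTAB)
```

The minute field is expanded rather than string-matched so that `15,45` and `0-59/30` are caught alongside `*/30`, and an environment file that never sets the root credentials is reported because MinIO then falls back to its defaults.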
From Access to Extortion
The ultimate target of the JADEPUFFER operation was a distinct database server, running MySQL in conjunction with Nacos, a configuration management tool. The AI agent exploited an authentication bypass vulnerability in Nacos, which has been publicly known since 2020, to gain unauthorized access. It then attempted to create a hidden administrator account within the Nacos database.
A notable aspect of JADEPUFFER’s advanced capabilities was observed when the initial attempt to create the administrator account failed. The AI agent autonomously detected this failure and, within approximately 30 seconds, rewrote its script to rectify a password hashing issue. This rapid, self-correcting behavior is a strong indicator that no human was actively guiding the operation in real-time, highlighting the autonomous nature of this agentic ransomware.
After successfully establishing full control over the database, the agent performed a check for container escape capabilities before initiating its destructive phase. It proceeded to encrypt over a thousand configuration records, subsequently dropping the original database tables. A ransom note was then inserted, demanding Bitcoin payment and providing a ProtonMail address for contact. Crucially, the encryption key used was randomly generated and never stored, rendering data recovery impossible even if the ransom were paid. The agent further escalated its destructive actions by systematically dropping entire database schemas it deemed valuable, with its reasoning for these actions documented within the code itself.
Sysdig researchers emphasize the growing threat posed by agentic tools and predict an increase in such autonomous extortion campaigns as AI capabilities mature. The cost and technical barrier for deploying ransomware have significantly decreased, effectively becoming the cost of an AI agent.
Indicators of Compromise (IoCs):-

