Executive summary:
Sysdig Threat Research reporting from July 2026 describes JADEPUFFER as an extortion operation in which an LLM-based agent appears to have performed many tactical intrusion steps after initial access: host discovery, credential collection, object store access, movement toward internal services, persistence, configuration encryption, and destructive database activity.
The chain did not depend on a new exploit path. It combined an internet-facing Langflow server vulnerable to CVE-2025-3248, secrets available to the compromised process, weak object-store controls, access to a configuration service, and administrative database privileges. NVD describes CVE-2025-3248 as remote, unauthenticated code execution in the /api/v1/validate/code endpoint in Langflow versions before 1.3.0.
The main operational issue is speed. Agentic automation can test known weaknesses, adjust after failed steps, and move between connected services before normal triage or patch processes catch up. Existing controls can still contain this activity, but they need to detect it earlier in the chain, before the actor or agent reaches configuration stores and databases.
Recovery planning should assume that payment may not restore the affected data. The configuration encryption key was generated and printed once, but was not saved or transmitted. The realistic recovery path is protected backups, protected configuration copies, and tested restore procedures.
| Risk | Summary |
| Primary risk | Exposed AI workflow and automation services can become a direct path to secrets, internal services, configuration stores, and databases. |
| Initial access | Langflow CVE-2025-3248, an unauthenticated code execution issue in versions before |
| Impact | Configuration encryption, table deletion, database schema drops, and creation of a |
| Recovery note | The encryption key was generated and printed once, but not retained. Treat protected backups and tested restore as the practical recovery path. |

JADEPUFFER path from exposed Langflow service to destructive database activity.
Attack overview:
The operation began with an internet-facing AI workflow server vulnerable to CVE-2025-3248. After gaining code execution, the agent enumerated the host, searched for environment variables and sensitive files, dumped local application data, and probed internal services. It also interacted with an S3-compatible object store that used unchanged default credentials, then targeted files with names commonly associated with secrets, including .env and credentials.json.
From the initial host, the activity moved toward a production database server and a configuration service. This describes attempts against Nacos using known weaknesses, including the CVE-2021-29441 authentication bypass family, JWT-related weaknesses, and direct modification of backing database tables to create an administrator account. NVD describes CVE-2021-29441 as an authentication bypass in Nacos before 1.4.1 that relies on a spoofable User-Agent condition and may allow administrative actions.
The destructive phase focused on database-backed configuration. Captured payloads reportedly encrypted 1,342 configuration items with MySQL AES_ENCRYPT(), dropped original configuration and history tables, and created a ransom table named README_RANSOM. Later payloads reportedly escalated from configuration encryption to dropping whole database schemas.
This matters because the affected components are common in modern AI and cloud environments. Langflow-like tools can execute code, hold provider keys, reach internal services, and connect to object stores. If they are exposed to the internet, underpatched, and allowed broad egress, they become a useful entry point for a fast automated chain.
Activity by phase:
| Phase | Behavior | Useful telemetry |
| Initial access | Internet-facing Langflow service vulnerable to CVE-2025-3248. Requests targeted | Web and application logs, Langflow access logs, WAF events, process creation from the Langflow service user. |
| Host discovery | Host, user, process, service, and network enumeration after code execution. | Process creation, shell history where available, EDR telemetry, container runtime logs. |
| Credential discovery | Searches for environment variables, | File access events, sensitive file reads by web or workflow service accounts, secret manager audit logs. |
| Object store access | S3-compatible object store access with default credentials, including bucket listing and targeted file retrieval. | Object store audit logs, bucket listing followed by reads of secret-like files, access from unusual hosts. |
| Internal movement | Connection attempts toward configuration services and a production database host. | East-west network telemetry, database connection logs, Nacos administrative logs. |
| Persistence | Cron-based outbound HTTP beacon to attacker infrastructure every 30 minutes. | New cron entries created by application users, periodic outbound HTTP calls, unfamiliar /beacon paths. |
| Impact | Configuration encryption, table deletion, creation of | Database audit logs for |
Intrusion flow:

Intrusion flow for JADEPUFFER-like activity.
Assessment of LLM or agent involvement:
Researchers assess that JADEPUFFER was driven by an LLM-based agent rather than a conventional human-operated script. The assessment is supported by the behavior of the decoded payloads, the speed and specificity of corrective actions, the agent’s apparent handling of natural-language context, and the use of a Bitcoin address commonly seen in Bitcoin documentation examples. These indicators support an assessment of model-assisted or agent-driven tactical execution. They do not, on their own, prove that the full operation was autonomous or that a human operator had no role in tasking, infrastructure setup, target selection, or payment configuration.
| Indicator | What was observed | Confidence | Analyst assessment |
| Self-narrating payloads | Decoded payloads contained comments, function names, target prioritization, and explanatory strings describing the purpose of actions. This style is common in LLM-generated code and less typical of disposable attacker one-liners. | Medium | Consistent with LLM-generated payloads. Not sufficient by itself because human-written tooling can also contain verbose comments. |
| Fast correction after failure | The Nacos backdoor-admin sequence moved from failed login to a working corrective payload in 31 seconds. The fix changed the hash-generation approach, recreated the user, and verified access. | High | Strong indicator of automated or agent-assisted execution. The correction was specific to the failure mode, not a generic retry. |
| Adaptive payload behavior | The activity adjusted when responses did not match expectations, including adapting from an expected JSON response to XML parsing for MinIO and modifying destructive database commands after constraints interfered with drops. | High | Supports agentic execution because the payloads changed based on observed results. Human-assisted automation remains possible. |
| Natural-language context handling | The operation parsed free-text context presented by the target and acted on it in a way consistent with comprehension rather than simple pattern matching. | Medium | Supports LLM involvement, but the public report does not provide enough independent detail to treat this as conclusive on its own. |
| Example Bitcoin address | The ransom note used 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, a canonical Pay-to-Script-Hash example address widely present in Bitcoin documentation and source material. | Low | Useful supporting context, but not reliable attribution by itself. The address may have been produced by the model from training data, or it may have been configured by the operator. It cannot distinguish between those explanations from the available data. |
Overall, this supports a medium-to-high confidence assessment that an LLM agent performed a large share of the tactical execution. The strongest match is the combination of self-narrating payloads, rapid failure diagnosis, and context-specific corrective actions. The weaker evidence is the Bitcoin address, which is notable but ambiguous. The safest wording is that JADEPUFFER appears to be agent-driven or agent-assisted, with human involvement in operational setup or supervision not excluded.
Defensively, this activity creates a useful detection opportunity. Model-generated payloads may expose intent through comments, descriptive function names, step labels, target-priority strings, and plan-act-observe-adjust behavior. Analysts should treat those artifacts as triage enrichment and behavioral context. They should not be used as standalone detection logic without supporting telemetry from process execution, network activity, authentication events, database actions, and scheduled-task creation.
Defender implications:
Known exposure becomes easier to operationalize: JADEPUFFER does not change the basic ransomware control set. It changes how quickly familiar weaknesses can be combined. A known vulnerable endpoint, an overprivileged runtime identity, or a forgotten internal admin service can be tested and chained without requiring a high-skill operator at every step.
Vulnerability management needs exposure context: Running a scanner is not enough. Prioritize vulnerabilities by internet exposure, reachable internal services, exploitability, privilege available to the compromised process, and the business value of downstream systems. A vulnerable AI workflow host with database credentials and open egress should move ahead of a higher-CVSS issue on an isolated asset.
Runtime telemetry is the warning layer: The chain created signals before the ransom table appeared: process launches by an application account, reads of secret-like files, object store listing, new cron entries, unexpected egress, configuration service changes, and destructive SQL. Teams should join those signals across application, cloud, identity, network, and database logs.
AI workflow servers should be treated as high-risk applications: AI workflow and automation platforms often execute code, call external connectors, hold provider tokens, and reach internal services. Security teams should classify them with the same care used for CI/CD, orchestration, and administrative tooling.
Securonix Threat Labs Summary:
Securonix Threat Labs recommends prioritizing exposed AI workflow systems, runtime secrets, configuration services, database administration paths, and egress controls.
| Priority | Action | What to do | Evidence to check |
| 1 | Inventory exposed AI workflow and automation services | Find internet-facing Langflow, workflow automation, agent runners, orchestration tools, admin panels, object stores, configuration services, and databases. Record owner, version, authentication, network exposure, egress path, and logging coverage. | External attack surface management, cloud inventory, CMDB, ingress controllers, WAF, firewall, DNS, and certificate logs. |
| 2 | Patch or remove CVE-2025-3248 exposure | Upgrade Langflow to a fixed release. Do not rely on patching alone. Remove public access to code validation and execution endpoints where possible. Langflow | Vulnerability scanner results, package versions, deployment manifests, access logs, WAF rules. |
| 3 | Move secrets out of runtime environments | Review | Secret manager logs, file access logs, EDR telemetry, git and artifact scans. |
| 4 | Harden object stores and configuration services | Remove default credentials, disable public exposure, rotate signing keys, enforce strong authentication, review admin users, and alert on direct role table changes. | Object store audit logs, Nacos or config-service logs, IAM changes, key rotation records. |
| 5 | Lock down database administration | Do not expose administrative database ports to the internet. Restrict source IPs, separate application and admin credentials, remove root-style application access, and alert on destructive SQL. | Database audit logs, network ACLs, identity logs, configuration management records. |
| 6 | Restrict egress | Application and AI workflow hosts should call only approved destinations and ports. Block direct outbound internet access where there is no business need. | Firewall, proxy, DNS, cloud security group, and service mesh telemetry. |
| 7 | Hunt before encryption | Start with AI workflow or application hosts that spawned | EDR, application logs, object store audit logs, cron files, configuration service logs, database audit logs. |
| 8 | Test restore paths | Verify protected backups for databases and configuration stores. Test recovery time objectives and confirm that backups cannot be deleted by the same identities used by production services. | Backup platform logs, restore test records, IAM permissions, immutable storage settings. |
Defensive control points:

Control stack for JADEPUFFER-like activity. The controls are ordinary, but the timing window is shorter.
Appendix A: Indicators of compromise:
| Type | Indicator | Notes |
| Source or C2 IP | 45[.]131[.]66[.]106 | Initial access and post-exploitation activity. |
| C2 path | hxxp://45.131.66[.]106:4444/beacon | cron beacon path, scheduled every 30 minutes. |
| Staging or exfil IP | 64[.]20[.]53[.]230 | Appears in attacker comments as a staging location. Treat the exfiltration claim with caution. The payload asserted exfiltration, but the reporting did not independently verify it. |
| Entry vulnerability | CVE-2025-3248 | Langflow unauthenticated code execution in versions before 1.3.0. |
| Related configuration service vulnerability | CVE-2021-29441 | Nacos authentication bypass before 1.4.1. |
| Ransom contact | e78393397[@]proton[.]me | Ransom table |
| Bitcoin address | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy | Ransom address, this describes it as a widely used example address, so use surrounding context before treating matches as malicious. |
| Ransom table | README_RANSOM | Created in the database to hold the extortion message. |
| Persistence behavior | Cron entry running outbound HTTP beacon every 30 minutes | Hunt for new or modified cron entries created by web, AI workflow, or application service users. |
Appendix B: TTP mapping (MITRE ATT&CK):
| Tactic | Observed behavior | ATT&CK mapping |
| Initial access | Exploitation of public-facing AI workflow endpoint | T1190, Exploit Public-Facing Application |
| Execution | Base64-encoded Python payloads delivered through vulnerable code validation endpoint | T1059.006, Python |
| Discovery | Host, user, process, network, and service enumeration | T1082, T1057, T1049, T1046 |
| Credential access | Searches for environment variables, | T1552.001, Credentials in Files |
| Lateral movement | Reuse of discovered access to reach internal services and a production database host | T1078, Valid Accounts |
| Persistence | Scheduled outbound beacon through cron | T1053.003, Cron |
| Defense evasion | Deletion of local staging artifacts after credential collection | T1070, Indicator Removal |
| Privilege or service abuse | Creation of unexpected configuration service administrator account | T1098, Account Manipulation |
| Collection | Object store bucket listing and targeted retrieval of files likely to contain secrets | T1530, Data from Cloud Storage Object |
| Command and control | Periodic outbound HTTP beacon to attacker infrastructure | T1071.001, Web Protocols |
| Impact | Encryption of configuration records, deletion of original tables, creation of ransom table, and database drops | T1486, T1485, T1565.001 |
Appendix C: Detection artifacts and hunt ideas:
| Data source | Hunt condition |
| Web and application logs | Requests to |
| Process creation | AI workflow, web, or application service accounts spawning |
| File access | Reads of |
| Object store audit logs | Bucket listing followed by targeted reads of |
| Scheduled tasks | New cron entries created by application users, especially outbound HTTP calls, periodic beacons, or connections to unknown IPs. |
| Network telemetry | Outbound traffic from AI workflow or application servers to unfamiliar external IPs, uncommon ports, or |
| Configuration service logs | New administrator accounts, direct role table changes, authentication bypass indicators, signing key changes, or access from hosts that do not normally administer the service. |
| Database audit logs |
|
| Ransom artifacts | Database table named |
| Agentic behavior signals | Payloads with verbose comments explaining intent, target priority, or recovery logic. Treat this as triage enrichment, not a standalone detection. |
Appendix D: Mitigations:
| Area | Action |
| Exposure management | Inventory public-facing AI workflow tools, admin panels, object stores, configuration services, and databases. Remove public access unless a business owner can justify it. |
| Patch management | Upgrade Langflow to a fixed release for CVE-2025-3248. Validate that no vulnerable endpoint remains exposed after patching. |
| Configuration service hardening | Upgrade Nacos where applicable, rotate default or documented signing keys, remove internet exposure, enforce authentication, and review all admin users. |
| Secrets management | Remove provider keys, cloud tokens, and database credentials from process environments and local config files. Rotate any exposed secrets. |
| Identity and least privilege | Separate application and admin accounts. Do not allow AI workflow services or configuration systems to hold database root credentials. |
| Database controls | Enforce source restrictions, strong unique credentials, audit logging, separation of duties, and alerts for destructive SQL. |
| Egress filtering | Allow outbound traffic only to required destinations. Block direct outbound traffic from servers that have no business need for internet access. |
| Runtime monitoring | Collect process, file, network, scheduled task, configuration service, and database telemetry in one place. JADEPUFFER-like activity crosses all of these layers. |
| Backup and recovery | Keep protected backups, test restoration, and verify recovery time objectives. Treat payment as unreliable when the attacker may not have retained a working key. |
| AI agent governance | Give internal agents their own identities, scoped permissions, tool allow lists, action logs, approval gates for destructive actions, and a kill switch. |
References:
-
JADEPUFFER: Agentic ransomware for automated database extortion - https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
-
NVD, CVE-2025-3248 detail - https://nvd.nist.gov/vuln/detail/CVE-2025-3248
-
Langflow release 1.3.0 - https://github.com/langflow-ai/langflow/releases/tag/1.3.0
-
NVD, CVE-2021-29441 detail - https://nvd.nist.gov/vuln/detail/CVE-2021-29441
-
CISA Known Exploited Vulnerabilities catalog entry for CVE-2025-3248 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248

