Skip to main content
Blog

JADEPUFFER: Agentic Ransomware for Automated Database Extortion

  • July 7, 2026
  • 0 replies
  • 69 views
Dheeraj Kumar
Forum|alt.badge.img

Executive summary: 

Sysdig Threat Research reporting from July 2026 describes JADEPUFFER as an extortion operation in which an LLM-based agent appears to have performed many tactical intrusion steps after initial access: host discovery, credential collection, object store access, movement toward internal services, persistence, configuration encryption, and destructive database activity. 

The chain did not depend on a new exploit path. It combined an internet-facing Langflow server vulnerable to CVE-2025-3248, secrets available to the compromised process, weak object-store controls, access to a configuration service, and administrative database privileges. NVD describes CVE-2025-3248 as remote, unauthenticated code execution in the /api/v1/validate/code endpoint in Langflow versions before 1.3.0

The main operational issue is speed. Agentic automation can test known weaknesses, adjust after failed steps, and move between connected services before normal triage or patch processes catch up. Existing controls can still contain this activity, but they need to detect it earlier in the chain, before the actor or agent reaches configuration stores and databases. 

Recovery planning should assume that payment may not restore the affected data. The configuration encryption key was generated and printed once, but was not saved or transmitted. The realistic recovery path is protected backups, protected configuration copies, and tested restore procedures.

Risk 

Summary 

Primary risk 

Exposed AI workflow and automation services can become a direct path to secrets, internal services, configuration stores, and databases. 

Initial access 

Langflow CVE-2025-3248, an unauthenticated code execution issue in versions before 1.3.0

Impact 

Configuration encryption, table deletion, database schema drops, and creation of a README_RANSOM table. 

Recovery note 

The encryption key was generated and printed once, but not retained. Treat protected backups and tested restore as the practical recovery path.

 

JADEPUFFER path from exposed Langflow service to destructive database activity.


Attack overview: 

The operation began with an internet-facing AI workflow server vulnerable to CVE-2025-3248. After gaining code execution, the agent enumerated the host, searched for environment variables and sensitive files, dumped local application data, and probed internal services. It also interacted with an S3-compatible object store that used unchanged default credentials, then targeted files with names commonly associated with secrets, including .env and credentials.json.

From the initial host, the activity moved toward a production database server and a configuration service. This describes attempts against Nacos using known weaknesses, including the CVE-2021-29441 authentication bypass family, JWT-related weaknesses, and direct modification of backing database tables to create an administrator account. NVD describes CVE-2021-29441 as an authentication bypass in Nacos before 1.4.1 that relies on a spoofable User-Agent condition and may allow administrative actions.

The destructive phase focused on database-backed configuration. Captured payloads reportedly encrypted 1,342 configuration items with MySQL AES_ENCRYPT(), dropped original configuration and history tables, and created a ransom table named README_RANSOM. Later payloads reportedly escalated from configuration encryption to dropping whole database schemas.

This matters because the affected components are common in modern AI and cloud environments. Langflow-like tools can execute code, hold provider keys, reach internal services, and connect to object stores. If they are exposed to the internet, underpatched, and allowed broad egress, they become a useful entry point for a fast automated chain.


Activity by phase: 

Phase 

Behavior 

Useful telemetry 

Initial access 

Internet-facing Langflow service vulnerable to CVE-2025-3248. Requests targeted /api/v1/validate/code for code execution. 

Web and application logs, Langflow access logs, WAF events, process creation from the Langflow service user. 

Host discovery 

Host, user, process, service, and network enumeration after code execution. 

Process creation, shell history where available, EDR telemetry, container runtime logs. 

Credential discovery 

Searches for environment variables, .env files, credentials.json, provider keys, application records, and cloud tokens. 

File access events, sensitive file reads by web or workflow service accounts, secret manager audit logs. 

Object store access 

S3-compatible object store access with default credentials, including bucket listing and targeted file retrieval. 

Object store audit logs, bucket listing followed by reads of secret-like files, access from unusual hosts. 

Internal movement 

Connection attempts toward configuration services and a production database host. 

East-west network telemetry, database connection logs, Nacos administrative logs. 

Persistence 

Cron-based outbound HTTP beacon to attacker infrastructure every 30 minutes. 

New cron entries created by application users, periodic outbound HTTP calls, unfamiliar /beacon paths. 

Impact 

Configuration encryption, table deletion, creation of README_RANSOM, and later database schema drops. 

Database audit logs for AES_ENCRYPT(), CREATE TABLE, DROP TABLE, DROP DATABASE, and foreign-key checks disabled. 

Intrusion flow: 

Intrusion flow for JADEPUFFER-like activity.


Assessment of LLM or agent involvement: 

Researchers assess that JADEPUFFER was driven by an LLM-based agent rather than a conventional human-operated script. The assessment is supported by the behavior of the decoded payloads, the speed and specificity of corrective actions, the agent’s apparent handling of natural-language context, and the use of a Bitcoin address commonly seen in Bitcoin documentation examples. These indicators support an assessment of model-assisted or agent-driven tactical execution. They do not, on their own, prove that the full operation was autonomous or that a human operator had no role in tasking, infrastructure setup, target selection, or payment configuration. 

Indicator 

What was observed 

Confidence 

Analyst assessment 

Self-narrating payloads 

Decoded payloads contained comments, function names, target prioritization, and explanatory strings describing the purpose of actions. This style is common in LLM-generated code and less typical of disposable attacker one-liners.

Medium 

Consistent with LLM-generated payloads. Not sufficient by itself because human-written tooling can also contain verbose comments. 

Fast correction after failure 

The Nacos backdoor-admin sequence moved from failed login to a working corrective payload in 31 seconds. The fix changed the hash-generation approach, recreated the user, and verified access. 

High 

Strong indicator of automated or agent-assisted execution. The correction was specific to the failure mode, not a generic retry. 

Adaptive payload behavior 

The activity adjusted when responses did not match expectations, including adapting from an expected JSON response to XML parsing for MinIO and modifying destructive database commands after constraints interfered with drops. 

High 

Supports agentic execution because the payloads changed based on observed results. Human-assisted automation remains possible. 

Natural-language context handling 

The operation parsed free-text context presented by the target and acted on it in a way consistent with comprehension rather than simple pattern matching. 

Medium 

Supports LLM involvement, but the public report does not provide enough independent detail to treat this as conclusive on its own. 

Example Bitcoin address 

The ransom note used 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, a canonical Pay-to-Script-Hash example address widely present in Bitcoin documentation and source material. 

Low 

Useful supporting context, but not reliable attribution by itself. The address may have been produced by the model from training data, or it may have been configured by the operator. It cannot distinguish between those explanations from the available data. 

Overall, this supports a medium-to-high confidence assessment that an LLM agent performed a large share of the tactical execution. The strongest match is the combination of self-narrating payloads, rapid failure diagnosis, and context-specific corrective actions. The weaker evidence is the Bitcoin address, which is notable but ambiguous. The safest wording is that JADEPUFFER appears to be agent-driven or agent-assisted, with human involvement in operational setup or supervision not excluded. 

Defensively, this activity creates a useful detection opportunity. Model-generated payloads may expose intent through comments, descriptive function names, step labels, target-priority strings, and plan-act-observe-adjust behavior. Analysts should treat those artifacts as triage enrichment and behavioral context. They should not be used as standalone detection logic without supporting telemetry from process execution, network activity, authentication events, database actions, and scheduled-task creation.


Defender implications: 

Known exposure becomes easier to operationalize: JADEPUFFER does not change the basic ransomware control set. It changes how quickly familiar weaknesses can be combined. A known vulnerable endpoint, an overprivileged runtime identity, or a forgotten internal admin service can be tested and chained without requiring a high-skill operator at every step. 

Vulnerability management needs exposure context: Running a scanner is not enough. Prioritize vulnerabilities by internet exposure, reachable internal services, exploitability, privilege available to the compromised process, and the business value of downstream systems. A vulnerable AI workflow host with database credentials and open egress should move ahead of a higher-CVSS issue on an isolated asset. 

Runtime telemetry is the warning layer: The chain created signals before the ransom table appeared: process launches by an application account, reads of secret-like files, object store listing, new cron entries, unexpected egress, configuration service changes, and destructive SQL. Teams should join those signals across application, cloud, identity, network, and database logs. 

AI workflow servers should be treated as high-risk applications: AI workflow and automation platforms often execute code, call external connectors, hold provider tokens, and reach internal services. Security teams should classify them with the same care used for CI/CD, orchestration, and administrative tooling. 


Securonix Threat Labs Summary: 

Securonix Threat Labs recommends prioritizing exposed AI workflow systems, runtime secrets, configuration services, database administration paths, and egress controls.

Priority 

Action 

What to do 

Evidence to check 

Inventory exposed AI workflow and automation services 

Find internet-facing Langflow, workflow automation, agent runners, orchestration tools, admin panels, object stores, configuration services, and databases. Record owner, version, authentication, network exposure, egress path, and logging coverage. 

External attack surface management, cloud inventory, CMDB, ingress controllers, WAF, firewall, DNS, and certificate logs. 

Patch or remove CVE-2025-3248 exposure 

Upgrade Langflow to a fixed release. Do not rely on patching alone. Remove public access to code validation and execution endpoints where possible. Langflow 1.3.0 includes a fix tied to authentication on code validation. 

Vulnerability scanner results, package versions, deployment manifests, access logs, WAF rules. 

Move secrets out of runtime environments 

Review .env files, workflow variables, provider keys, cloud tokens, database credentials, service account material, and application configuration files on AI or automation servers. Rotate exposed secrets and narrow permissions. 

Secret manager logs, file access logs, EDR telemetry, git and artifact scans. 

Harden object stores and configuration services 

Remove default credentials, disable public exposure, rotate signing keys, enforce strong authentication, review admin users, and alert on direct role table changes. 

Object store audit logs, Nacos or config-service logs, IAM changes, key rotation records. 

Lock down database administration 

Do not expose administrative database ports to the internet. Restrict source IPs, separate application and admin credentials, remove root-style application access, and alert on destructive SQL. 

Database audit logs, network ACLs, identity logs, configuration management records. 

Restrict egress 

Application and AI workflow hosts should call only approved destinations and ports. Block direct outbound internet access where there is no business need. 

Firewall, proxy, DNS, cloud security group, and service mesh telemetry. 

Hunt before encryption 

Start with AI workflow or application hosts that spawned python, python3, sh, bash, curl, wget, mysql, or object-store clients, then correlate with reads of .env or credentials.json, object-store listing, new cron entries, Nacos admin changes, and destructive SQL.

EDR, application logs, object store audit logs, cron files, configuration service logs, database audit logs. 

Test restore paths 

Verify protected backups for databases and configuration stores. Test recovery time objectives and confirm that backups cannot be deleted by the same identities used by production services. 

Backup platform logs, restore test records, IAM permissions, immutable storage settings. 

 

Defensive control points:

 Control stack for JADEPUFFER-like activity. The controls are ordinary, but the timing window is shorter. 

Appendix A: Indicators of compromise:

Type 

Indicator 

Notes 

Source or C2 IP 

45[.]131[.]66[.]106 

Initial access and post-exploitation activity. 

C2 path 

hxxp://45.131.66[.]106:4444/beacon 

cron beacon path, scheduled every 30 minutes. 

Staging or exfil IP 

64[.]20[.]53[.]230 

Appears in attacker comments as a staging location. Treat the exfiltration claim with caution. The payload asserted exfiltration, but the reporting did not independently verify it. 

Entry vulnerability 

CVE-2025-3248 

Langflow unauthenticated code execution in versions before 1.3.0. 

Related configuration service vulnerability 

CVE-2021-29441 

Nacos authentication bypass before 1.4.1. 

Ransom contact 

e78393397[@]proton[.]me 

Ransom table

Bitcoin address 

3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy 

Ransom address, this describes it as a widely used example address, so use surrounding context before treating matches as malicious. 

Ransom table 

README_RANSOM 

Created in the database to hold the extortion message. 

Persistence behavior 

Cron entry running outbound HTTP beacon every 30 minutes 

Hunt for new or modified cron entries created by web, AI workflow, or application service users. 

 

Appendix B: TTP mapping (MITRE ATT&CK):

Tactic 

Observed behavior 

ATT&CK mapping 

Initial access 

Exploitation of public-facing AI workflow endpoint 

T1190, Exploit Public-Facing Application 

Execution 

Base64-encoded Python payloads delivered through vulnerable code validation endpoint 

T1059.006, Python 

Discovery 

Host, user, process, network, and service enumeration 

T1082, T1057, T1049, T1046 

Credential access 

Searches for environment variables, .env, credentials.json, application database records, and provider keys 

T1552.001, Credentials in Files 

Lateral movement 

Reuse of discovered access to reach internal services and a production database host 

T1078, Valid Accounts 

Persistence 

Scheduled outbound beacon through cron 

T1053.003, Cron 

Defense evasion 

Deletion of local staging artifacts after credential collection 

T1070, Indicator Removal 

Privilege or service abuse 

Creation of unexpected configuration service administrator account 

T1098, Account Manipulation 

Collection 

Object store bucket listing and targeted retrieval of files likely to contain secrets 

T1530, Data from Cloud Storage Object 

Command and control 

Periodic outbound HTTP beacon to attacker infrastructure 

T1071.001, Web Protocols 

Impact 

Encryption of configuration records, deletion of original tables, creation of ransom table, and database drops 

T1486, T1485, T1565.001 

 

Appendix C: Detection artifacts and hunt ideas:

Data source 

Hunt condition 

Web and application logs 

Requests to /api/v1/validate/code from unknown sources, especially where the service should not be internet reachable. 

Process creation 

AI workflow, web, or application service accounts spawning python, python3, shell interpreters, network clients, object-store clients, or database clients

File access 

Reads of .env, credentials.json, cloud credential files, wallet material, application config files, or Terraform state from an AI workflow host. 

Object store audit logs 

Bucket listing followed by targeted reads of .env, credentials.json, backup files, model artifacts, or infrastructure state

Scheduled tasks 

New cron entries created by application users, especially outbound HTTP calls, periodic beacons, or connections to unknown IPs. 

Network telemetry 

Outbound traffic from AI workflow or application servers to unfamiliar external IPs, uncommon ports, or /beacon-style paths

Configuration service logs 

New administrator accounts, direct role table changes, authentication bypass indicators, signing key changes, or access from hosts that do not normally administer the service. 

Database audit logs 

CREATE TABLE followed by encryption functions, DROP TABLE, DROP DATABASE, SET GLOBAL FOREIGN_KEY_CHECKS=0, or sudden changes to configuration tables.

Ransom artifacts 

Database table named README_RANSOM, ransom contact strings, or cryptocurrency address reuse from the IOC table. 

Agentic behavior signals 

Payloads with verbose comments explaining intent, target priority, or recovery logic. Treat this as triage enrichment, not a standalone detection.

 

Appendix D: Mitigations: 

Area 

Action 

Exposure management 

Inventory public-facing AI workflow tools, admin panels, object stores, configuration services, and databases. Remove public access unless a business owner can justify it. 

Patch management 

Upgrade Langflow to a fixed release for CVE-2025-3248. Validate that no vulnerable endpoint remains exposed after patching. 

Configuration service hardening 

Upgrade Nacos where applicable, rotate default or documented signing keys, remove internet exposure, enforce authentication, and review all admin users. 

Secrets management 

Remove provider keys, cloud tokens, and database credentials from process environments and local config files. Rotate any exposed secrets. 

Identity and least privilege 

Separate application and admin accounts. Do not allow AI workflow services or configuration systems to hold database root credentials. 

Database controls 

Enforce source restrictions, strong unique credentials, audit logging, separation of duties, and alerts for destructive SQL. 

Egress filtering 

Allow outbound traffic only to required destinations. Block direct outbound traffic from servers that have no business need for internet access. 

Runtime monitoring 

Collect process, file, network, scheduled task, configuration service, and database telemetry in one place. JADEPUFFER-like activity crosses all of these layers. 

Backup and recovery 

Keep protected backups, test restoration, and verify recovery time objectives. Treat payment as unreliable when the attacker may not have retained a working key. 

AI agent governance 

Give internal agents their own identities, scoped permissions, tool allow lists, action logs, approval gates for destructive actions, and a kill switch. 


References: 

  1. JADEPUFFER: Agentic ransomware for automated database extortion - https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion 

  1. NVD, CVE-2025-3248 detail - https://nvd.nist.gov/vuln/detail/CVE-2025-3248 

  1. Langflow release 1.3.0 - https://github.com/langflow-ai/langflow/releases/tag/1.3.0 

  1. NVD, CVE-2021-29441 detail - https://nvd.nist.gov/vuln/detail/CVE-2021-29441 

  1. CISA Known Exploited Vulnerabilities catalog entry for CVE-2025-3248 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248