JADEPUFFER Is the First Ransomware Attack Run Entirely by an AI Agent

JADEPUFFER is the first documented ransomware operation run by an AI agent. The agent broke in, stole credentials, jumped to a second target, encrypted a production database, and destroyed data. This is an agentic threat actor: an attacker whose attack power comes from an AI agent rather than from a human toolkit.

Researchers documented something that changes what a ransomware attack can look like. Ransomware has always needed a person somewhere in the loop. Someone picks the target, tests the stolen logins, and patches up the code when it breaks. This time a large language model did all of it.

The technical side is the interesting part, and it is simpler than it sounds once you follow the steps.

It started with a tool called Langflow. Langflow is an open-source program that lets people build AI workflows by dragging boxes around and wiring them together, popular with teams putting AI features together quickly. This server was sitting on the open internet, and it had a hole in it.

The flaw is tracked as CVE-2025-3248. It let anyone send code to the server and run it, no login needed. NVD scored it 9.8 out of 10 on the CVSS scale, about as bad as it gets. It landed on CISA's Known Exploited Vulnerabilities list, the US government's catalogue of flaws attackers are actively using, back in May 2025, and a fix (Langflow 1.3.0) has been out for more than a year.

So why go after a Langflow server? Because it sits right next to a company’s AI setup, which means it usually holds the most sensitive logins in the building. API keys, cloud passwords, database logins. Often with little protecting them.

Once inside, the agent went looking for anything valuable. Login keys for AI services like OpenAI and Anthropic. Cloud passwords from providers in China and the West. Database logins. Even the secret phrases that unlock crypto wallets.

It emptied out Langflow’s own database. Then it opened the file storage, which still ran on the factory login, username minioadmin and password minioadmin, never changed. It grabbed the files with the obvious names, the ones like credentials.json and .env that hold a system’s secrets.

Then it made sure it could come back. It left behind a scheduled task that quietly checks in with the attacker’s server every 30 minutes.

From there the agent left the first machine and went after its main target. A second machine running a MySQL database and a system called Nacos. It logged into that database as root, the top-level account with full control, and where it got those root credentials is unclear, because they were not sitting on the first machine.

Nacos keeps a list of the services a company runs and how each one is set up. Take it over, and you control how the application behaves. The agent broke in three ways at the same time.

It used an old flaw, CVE-2021-29441, that lets you skip the login by faking a single line in your request, an HTTP header. It also forged its own access pass. Nacos signs each access token with a secret key so it knows the token is genuine, but the default key has been public since 2020 and plenty of setups never changed it. So the agent signed a token for itself and walked in. And it slipped a hidden admin account straight into the database.

This next part gave it away. The agent tried to make itself a Nacos admin account. It checked the login, saw it failed, and 31 seconds later sent a fixed version: delete the broken account, build the password a different way, make the admin again, confirm the login works.

A person reads an error, works out what went wrong, and writes a clean fix. That takes longer than half a minute. This was machine speed. And it did not stop at one fix. Across the break-in the agent fired off more than 600 separate, deliberate payloads in a short window, far more than a person types by hand.

Two more things pointed the same way. First, the code talked to itself. The commands the agent sent were full of plain notes explaining why it did each step, which database was worth the most, what to grab first. Someone writing quick throwaway attack code does not leave notes like that. A language model does it without being asked.

And then the Bitcoin address. The ransom note asked for payment to a Bitcoin address, 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy. That exact address is the example one from Bitcoin’s own developer docs and its core code. It shows up there so often that AI models see it again and again while they learn, and it sticks. So the address in the note could be the model reaching for the one it had seen a thousand times.

But it is not that simple. That address is a live wallet. It has seen 737 transactions and taken in around 46 Bitcoin over the years, and each deposit moved straight out again. The balance today is zero. So there are two ways to read this. Either the model pulled a familiar address from its memory, and the wallet belongs to someone else who sweeps up payments sent to it by mistake. Or the attacker set it up on purpose, with a wallet they own that happens to be the famous example. The researchers cannot tell which, because they never saw how the agent was set up.

Which model did the work is not known either, because the model itself ran on infrastructure the researchers could not see.

The ransom note leaves another odd trail. The contact email, the proton address, has no history anywhere. Threat reports, victim forums, abuse databases, it turns up in none of them. Human ransomware crews reuse the same contact across thousands of victims. This one came from nowhere. The name of the ransom table is off in the same way. The agent called it README_RANSOM, while the crews behind MySQL ransomware tend to use names like WARNING or RECOVER_YOUR_DATA that repeat across campaigns. README_RANSOM matches none of them. The setup looks put together on the spot, not lifted from a crew’s usual toolkit.

And this is the part that matters for the victim. Before it destroyed anything, the agent checked whether it could break out of its container, the isolated environment the database was running inside. Then it went to work.

It locked all 1,342 Nacos settings with encryption and deleted the originals. The ransom note brags it used AES-256, strong encryption. The kind it used is weaker than that. The note oversells its own work.

The key that could unlock the data was created, shown on the screen once, and then thrown away without being saved or sent anywhere. The agent had no memory to keep it and no plan to hold onto it. So even if the company pays, they do not get the data back, because the key is gone. This does not hold data for ransom. It destroys it.

The note even claimed the data had been backed up to another server. Researchers found no sign that any backup ever happened. The agent said one thing, the evidence showed another.

This did not come out of nowhere. Researchers have watched AI agents move closer to this for months. In May, one chained a single flaw into a company’s internal database in four steps, though the model steering it ran out of sight. In June, an attacker used an exposed AI model server as the brain behind an automated hacking tool, and that time researchers could watch the thing being built.

There is a money side to this too. Back in 2024, researchers gave a name to a trick where attackers steal someone’s AI login and run models on that person’s bill: LLMjacking. It can run up tens of thousands of dollars a day, and stolen access gets sold on criminal markets. So if an agent like this one runs on stolen AI power, it costs the attacker close to nothing.

Running ransomware used to take skill at each step. Now it mostly takes an agent.

There is one upside here. Because the agent writes out what it is doing as it goes, defenders can read its plan right there in the code. A human attacker works in silence. This one leaves a running description of its own attack behind, and that gives defenders something new to catch it with.

What to do about it

If you run any of this, start here.

  • Update Langflow to 1.3.0 or later, which closes CVE-2025-3248
  • Keep Langflow and other AI tools off the open internet. Put them behind a login and a firewall
  • Give each stored API key and cloud login only the access it needs, so one stolen key does not open the rest
  • Change the Nacos default signing key and patch CVE-2021-29441
  • Change default logins like minioadmin:minioadmin wherever they still exist
  • Watch for fixes that happen at machine speed, and for command output that reads like someone thinking out loud. Both point to an agent
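The last point can be turned into a concrete hunt over a MySQL general log. The script below is an added example, not code from the post or from the Sysdig research; it runs over a constructed set of log entries and flags the three tells described above: statements that carry explanatory comments, an INSERT followed by a DELETE on the same table within a minute (the error-and-fix cycle), a burst of statements from one client, and any mention of the README_RANSOM table from the indicators.

```python
import re
from datetime import datetime

# Constructed MySQL general-log style entries (timestamp, client, statement).
# These are made up for the example, not the traffic captured in the incident.
SAMPLE_LOG = [
    ("2025-11-02 03:14:02", "10.0.0.9", "SELECT 1"),
    ("2025-11-02 03:14:05", "10.0.0.9", "/* nacos holds 1342 configs, highest value target, dump it first */ SELECT data_id FROM config_info"),
    ("2025-11-02 03:14:06", "10.0.0.9", "INSERT INTO users (username,password,enabled) VALUES ('ops_admin','$2a$hash',1) -- create admin, verify login next"),
    ("2025-11-02 03:14:37", "10.0.0.9", "DELETE FROM users WHERE username='ops_admin' -- login failed, rebuild hash with bcrypt and retry"),
    ("2025-11-02 03:14:38", "10.0.0.9", "CREATE TABLE README_RANSOM (id INT, note TEXT)"),
    ("2025-11-02 03:20:00", "10.0.0.4", "SELECT COUNT(*) FROM config_info"),
]

# SQL comment forms: /* ... */, -- text, # text
COMMENT_RE = re.compile(r"/\*(.*?)\*/|--\s+(.*)$|#\s+(.*)$")
LEAD = r"\s*(?:/\*.*?\*/\s*)?"  # optional leading block comment before the verb

def prose_comment(stmt, min_words=5):
    """Return the comment text if a comment has at least min_words words,
    i.e. it reads like an explanation rather than a short marker."""
    for m in COMMENT_RE.finditer(stmt):
        text = next(g for g in m.groups() if g is not None).strip()
        if len(text.split()) >= min_words:
            return text
    return None

def analyze(log, window=60, burst_count=4):
    """Score each client on the four tells. Returns {client: findings}."""
    per_client = {}
    for ts, client, stmt in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_client.setdefault(client, []).append((t, stmt))
    findings = {}
    for client, rows in per_client.items():
        rows.sort()
        f = {"prose_comments": 0, "fast_fix": False, "burst": False, "ransom_table": False}
        last_insert = {}  # table -> time of the most recent INSERT into it
        for i, (t, stmt) in enumerate(rows):
            if prose_comment(stmt):
                f["prose_comments"] += 1
            if re.search(r"\bREADME_RANSOM\b", stmt, re.I):
                f["ransom_table"] = True
            m = re.match(LEAD + r"INSERT\s+INTO\s+(\w+)", stmt, re.I)
            if m:
                last_insert[m.group(1).lower()] = t
            m = re.match(LEAD + r"DELETE\s+FROM\s+(\w+)", stmt, re.I)
            if m and m.group(1).lower() in last_insert and \
                    (t - last_insert[m.group(1).lower()]).total_seconds() <= window:
                f["fast_fix"] = True  # undo-and-retry within a minute of the insert
            j = i - burst_count + 1  # burst_count statements inside one window
            if j >= 0 and (t - rows[j][0]).total_seconds() <= window:
                f["burst"] = True
        findings[client] = f
    return findings
```

Thresholds are deliberately loose; tune min_words and burst_count against your own baseline before alerting on them.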

To check which Langflow version you are running:

pip show langflow

Anything below 1.3.0 needs updating.

Indicators to block and hunt for:

  • C2 server 45.131.66[.]106, with a beacon to port 4444 every 30 minutes
  • Staging server 64.20.53[.]230, the backup location the agent claimed but researchers could not confirm
  • A database table named README_RANSOM
  • Contact address e78393397[@]proton[.]me
  • Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy

My ethical hacking course takes you from zero into a field where the people who understand both attack and defense are the ones getting hired. The tools change, the fundamentals do not. The hacker mindset. This is the skill that gives you a future in a field that keeps moving: → Join my complete ethical hacking course

Hacking is not a hobby but a way of life.

Sources: Sysdig Threat Research Team | NVD CVE-2025-3248

By Bulls Eye

Jolanda de Koff