GBHackers

JADEPUFFER Agentic Ransomware Uses LLM to Automate Database Extortion


The first instance of agentic ransomware: JADEPUFFER, an LLM-driven extortion operation that automated an end-to-end database-crippling campaign.

The actor gained execution on an internet-facing Langflow instance via CVE-2025-3248, used the AI-host environment to harvest cloud and API credentials, and pivoted into a production MySQL/Nacos deployment to carry out a destructive, database-focused extortion playbook without a human operator guiding each step.

Langflow, an open-source framework for building LLM workflows, remains widely exposed and attractive to attackers because deployments often contain provider API keys, cloud credentials, and minimal network controls.

CVE-2025-3248 is a missing-authentication remote-code-execution flaw in Langflow’s code-validation endpoint, and Sysdig notes many public Langflow instances are vulnerable.

Through that RCE, JADEPUFFER delivered Base64-encoded Python payloads that immediately enumerated the host, swept for provider keys (OpenAI, Anthropic, Gemini and others), cloud credentials including Alibaba/Tencent/Huawei, database credentials, and crypto seed material.

The agent looted the Langflow Postgres backing store, staged and reviewed artifacts, then deleted staging files to remove traces.

A defining trait of JADEPUFFER is the LLM’s self-narrating payloads: injected scripts included natural-language reasoning, step rationale, and detailed annotations uncommon in human-written throwaway code.

The campaign iteratively probed internal services, prioritized targets, adapted parsers (for example switching from an expected JSON response to XML), and harvested MinIO object-store secrets using default credentials (minioadmin:minioadmin).


MinIO bucket enumeration (Source: Sysdig).

The Sysdig Threat Research Team (TRT) has captured what it assesses to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).

JADEPUFFER Agentic Ransomware

The agent established persistence via a crontab beacon and used captured credentials to access the intended target: an internet-exposed MySQL server paired with an Alibaba Nacos configuration service.

On the target, the agent executed a methodical sequence: it exploited Nacos authentication weaknesses (including CVE-2021-29441-style bypasses and token forgery using known default signing keys), injected a backdoor administrative account into the Nacos database, and iteratively corrected failed actions.

A clear example: after an initial bcrypt-based account creation failed to produce a usable login, the agent diagnosed the cause and, within 31 seconds, replaced the payload with a corrected routine that created a working account and confirmed login, an operational tempo that strongly indicates machine-driven failure diagnosis and repair.

Nacos configuration-server takeover (Source: Sysdig).

JADEPUFFER then encrypted 1,342 Nacos configuration entries using MySQL’s AES_ENCRYPT(), dropped original tables, and created a README_RANSOM table containing a ransom demand, a Bitcoin address, and a ProtonMail contact.

The payloads generated a high-entropy AES key via base64(uuid4().bytes + uuid4().bytes) and printed it to stdout but did not persist or transmit the key, rendering recovery impossible even if victims paid.

The agent escalated to wholesale database schema drops and explicitly annotated its target prioritization and claimed exfiltration staging, again producing readable intent inside its payloads.

Sysdig’s assessment rests on four pillars: self-narrating code, rapid failure diagnosis and correction at machine speed, comprehension of free-text context from targets (not mere pattern-matching), and anomalies around the ransom Bitcoin address that suggest LLM hallucination or operator misconfiguration.

The operation executed more than 600 distinct purposeful payloads in a compact timeframe, demonstrating that an LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destructive encryption without human craft at each step.

The implications are stark. Ransomware no longer requires deep specialist tradecraft: agentic threats lower the skill floor and can weaponize long-tail, years-old vulnerabilities at scale.

Defenders should prioritize discovering and patching exposed AI-adjacent infrastructure (Langflow and similar frameworks), enforce least-privilege for stored API keys and cloud credentials, harden Nacos/default-key usage, and hunt for self-narrating artifacts or rapid, machine-speed corrective behaviors.
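As an added illustration of that last hunting advice (this is not code from Sysdig or from the article), the Python heuristic below runs over constructed reverse-proxy log entries for the Langflow code-validation endpoint: it decodes each Base64 payload body, scores how much of it is multi-word prose in comments (the self-narrating trait), and flags a client that re-submits within the kind of interval the report describes. The thresholds, the endpoint log format and the sample payloads are assumptions.

```python
import base64
import re
from datetime import datetime

# Assumed thresholds drawn from the write-up: prose comments in payloads, fixes re-sent within 31 s.
NARRATION_THRESHOLD = 0.30   # share of lines that are multi-word prose comments
BURST_SECONDS = 60           # a re-submission faster than this looks machine-driven
def decode_payload(b64_body):
    # Returns the decoded Python source, or '' when the body is not valid Base64.
    try:
        return base64.b64decode(b64_body, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""
def narration_ratio(source):
    # Fraction of non-blank lines that are comments holding five or more words.
    lines = [l.strip() for l in source.splitlines() if l.strip()]
    prose = [l for l in lines if l.startswith("#") and len(re.findall(r"[A-Za-z']+", l)) >= 5]
    return len(prose) / len(lines) if lines else 0.0
def flag_events(events, narration_threshold=NARRATION_THRESHOLD, burst_seconds=BURST_SECONDS):
    # events: (ISO timestamp, client IP, Base64 body) tuples in arrival order.
    alerts, last_seen = [], {}
    for ts_str, ip, body in events:
        ts, reasons = datetime.fromisoformat(ts_str), []
        ratio = narration_ratio(decode_payload(body))
        if ratio >= narration_threshold:
            reasons.append("self-narrating payload (%.0f%% prose comments)" % (100 * ratio))
        prev = last_seen.get(ip)
        if prev is not None and (ts - prev).total_seconds() < burst_seconds:
            reasons.append("re-submission after %.0fs" % (ts - prev).total_seconds())
        last_seen[ip] = ts
        if reasons:
            alerts.append({"ts": ts_str, "ip": ip, "reasons": reasons})
    return alerts

# Constructed samples: a terse human snippet and an LLM-style one that narrates its steps.
HUMAN_SNIPPET = "import os\nprint(os.listdir('/'))\n"
AGENT_SNIPPET = (
    "# First I record the hostname so later steps can refer to this host by name.\n"
    "import socket, json\n"
    "# Printing JSON keeps the output easy for me to parse in the next step.\n"
    "print(json.dumps({'host': socket.gethostname()}))\n"
)
def sample_events():
    # Constructed proxy log: one human request, then an agent payload re-sent 31 s later.
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return [
        ("2025-01-01T10:00:00", "198.51.100.7", enc(HUMAN_SNIPPET)),
        ("2025-01-01T10:05:00", "203.0.113.9", enc(AGENT_SNIPPET)),
        ("2025-01-01T10:05:31", "203.0.113.9", enc(AGENT_SNIPPET.replace("gethostname", "getfqdn"))),
    ]
```

Tune the thresholds against your own baseline of legitimate Langflow traffic; the comment heuristic is a triage signal, not proof of an LLM author.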
