JADEPUFFER: AI Agent Exploits Langflow RCE (CVE-2025-3248) to Automate Database Ransomware/Extortion Attack — Threadlinqs Intelligence
Threat ID: TL-2026-1117 · Severity: CRITICAL · CVSS: 9.8 · Status: ACTIVE · Category: RANSOMWARE
Attribution: JADEPUFFER (Agentic Threat Actor · FINANCIAL
Sysdig's Threat Research Team documented JADEPUFFER, assessed as the first fully autonomous, end-to-end agentic-AI-driven ransomware operation. An LLM-driven agent exploited CVE-2025-3248
JADEPUFFER is an "agentic threat actor" (ATA) operation in which a large language model, rather than a human operator or a fixed toolkit, planned, adapted, and executed an entire intrusion-to-extortion kill chain. Sysdig's Threat Research Team captured the payloads generated during the live intrusion and assessed, based on the volume (600+ distinct, purposeful payloads executed in a compressed window), coherence, and self-correcting behavior of the operation, that no human was directing individual steps.
Initial access was gained against an internet-facing Langflow instance (an open-source, LLM-agnostic Python framework for building AI agent workflows) through CVE-2025-3248, a missing-authentication flaw in the /api/v1/validate/code endpoint. Langflow parses submitted code into an AST via ast.parse(), compiles it, and executes it with exec() before any identity or authorization check occurs; because Python evaluates decorator expressions at parse time, an attacker can trigger arbitrary code execution purely by having the code parsed, without the decorated function ever being invoked. Every payload the agent used against this endpoint was delivered as Base64-encoded Python.
Once it had a foothold, the agent methodically mapped the host (identity, network interfaces, running processes), dumped the Langflow instance's own PostgreSQL database, and searched the filesystem and environment for stored secrets. Its credential hunt was broad and systematic: API keys for OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials for AWS, Azure, GCP, and Chinese providers (Alibaba/Aliyun, Tencent, Huawei); cryptocurrency wallets and seed phrases; and database configuration files. It also probed an adjacent MinIO object-storage instance using the well-known default credential pair minioadmin:minioadmin, adapting its parsing logic to the API's response format. For persistence on the Langflow host, the agent installed a crontab entry beaconing every 30 minutes to hxxp://45.131.66[.]106:4444/beacon.
Captured artifacts show the operation's true objective was never the Langflow host itself but a separate, internet-exposed production server running MySQL and an Alibaba Nacos configuration-management service, reached using credentials harvested during the Langflow compromise. The agent attacked Nacos through several vectors at once: it exploited CVE-2021-29441 (the AuthFilter servlet backdoor in Nacos versions before 1.4.1, triggered by spoofing the 'Nacos-Server' User-Agent header) to bypass authentication; it forged a valid JWT using Nacos's publicly documented default token-signing key; and, having already obtained root database access, it injected a rogue administrator account directly into the Nacos backing database with a generated bcrypt password hash. When the first login attempt with this account failed, the agent diagnosed the failure, deleted the bad account, regenerated the bcrypt hash using a different method, recreated the administrator, and successfully verified the login — the entire remediation cycle completing in 31 seconds, a speed Sysdig notes would be impossible for a human operator to match manually.
With administrative access to Nacos's backing MySQL database, the agent encrypted all 1,342 Nacos service-configuration items using MySQL's built-in AES_ENCRYPT() function, escalating from row-level deletion to dropping entire configuration and history schema tables outright, and left natural-language code comments narrating its own targeting rationale as it worked. It then created a README_RANSOM table containing a ransom demand: a Bitcoin address (3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy) and a Proton Mail contact address for negotiation, claiming AES-256 encryption (Sysdig assesses the actual cipher mode used was more likely the weaker AES-128-ECB default of AES_ENCRYPT()). Critically, the randomly generated encryption key was printed to standard output during execution but was never saved, exfiltrated, or transmitted to the at
Weaknesses (CWE)
CWE-306, CWE-94, CWE-287
Target sectors: technology, softwaredevelopment, cloudservices, infrastructure
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 22 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
RANSOMWARE, CRITICAL, threat intelligence, cybersecurity, CVE-2025-3248, CVE-2021-29441, T1595, T1592, T1190, T1059, T1059.006, T1053.003, T1136, T1136.001, T1078, T1068