2026 JADEPUFFER
AGENTIC_
RANSOM_
FIRST_CASE.
TL;DR: 1 июля 2026 Threat Research Team (TRT) Sysdig опубликовал первичный техотчёт о кампании JADEPUFFER — первой задокументированной end-to-end ransomware-операции, полностью управляемой LLM. Initial access: публичный Langflow через CVE-2025-3248 (CVSS 9.8). Lateral movement на production-хост MySQL + Alibaba Nacos. В сжатых временных окнах выполнено 600+ независимых payload: recon, credential harvest, persistence, config encryption, database wipe. Sysdig вводит класс Agentic Threat Actor (ATA). Ниже — полная kill chain, 4 линии доказательства автономности, Bitcoin-анomaly, IOC, defensive runbook и архитектурная матрица для Mac-разработчиков.
1. Attack surface: AI Agent infra как новый perimeter
Langflow / OpenClaw / ComfyUI Agent на Mac или cloud — три измеримых risk vector, напрямую коррелирующих с JADEPUFFER:
- Public exposure + unpatched = RCE 9.8: Langflow 70k+ GitHub stars; CVE-2025-3248 disclosed апрель 2025, CISA KEV 5 мая; EPSS exploit probability 91.42% (SentinelOne).
- Env vars = secret store: OpenAI/Anthropic/DeepSeek/Gemini keys + AWS/Azure/GCP/Alibaba/Tencent creds — parallel scan target Phase 1.
- Legacy CVE × agent automation → marginal cost → 0: downstream — Nacos CVE-2021-29441 + default JWT signing key; agent прогоняет historical exploit corpus почти бесплатно, TTP варьируются per incident.
2. Event summary & classification
| Параметр | Значение |
|---|---|
| Discoverer | Sysdig TRT, Michael Clark (Director of Threat Research) |
| Publish date | 1 июля 2026 (media 2–6 июля; mass awareness ~6 июля) |
| Threat actor | JADEPUFFER (official Sysdig casing) |
| Core claim | Первый end-to-end LLM-driven ransomware — recon → impact без human-in-the-loop на critical path |
| New taxonomy | Agentic Threat Actor (ATA) — capability delivered by AI agent, not manual toolchains |
| Two-stage target | Entry: public Langflow (CVE-2025-3248); real target: MySQL + Nacos production |
| Scale | 600+ distinct purpose-built payloads across multi-session timeline (weeks) |
3. Timeline
| Дата | Событие |
|---|---|
| Апрель 2025 | CVE-2025-3248 в Langflow (unauth code injection / RCE) |
| 5 мая 2025 | CISA KEV listing |
| 2025 | Same vuln → Flodrix botnet (Trend Micro, independent op) |
| Июнь 2026 | JADEPUFFER hits public Langflow; kill chain over weeks, multiple sessions |
| 1 июля 2026 | Sysdig full technical report |
| 2–6 июля 2026 | Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs |
4. CVE-2025-3248 — deep dive
4.1 Spec sheet
| Поле | Данные |
|---|---|
| Component | Langflow — open-source visual AI agent orchestrator, 70k+ GitHub stars |
| Weakness | CWE-94 (code injection) + CWE-306 (missing auth on critical function) |
| CVSS | 9.8 Critical — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected | All Langflow < 1.3.0 |
| Endpoint | /api/v1/validate/code |
| Fix | 1.3.0 (auth gate) |
| EPSS | 91.42% |
4.2 Root cause chain (5 steps)
- Langflow exposes code validation for custom function nodes in visual pipeline.
- Implementation:
ast.parse()→compile()→exec(). - Critical gap: zero authentication, zero sandbox.
- Python decorators + default args evaluate at definition time — malicious code in defaults/decorators = RCE on validate.
- Attacker needs no login; crafted HTTP POST = arbitrary code execution.
4.3 Flodrix reference payload (Trend Micro, separate campaign)
Sequence: privesc check → env dump (API keys) → root history → network recon → SSH/capabilities → 700-byte Bash stager pulls Flodrix ELF for DDoS botnet. Important: Flodrix ≠ JADEPUFFER; shared entry CVE-2025-3248 only.
4.4 Patch (Langflow 1.3.0)
post_validate_code injects _current_user: CurrentActiveUser: JWT Bearer or x-api-key required; 401/403 before vulnerable code path.
5. Kill chain reconstruction (Sysdig raw telemetry)
5.1 Why Langflow?
Agent servers aggregate LLM API keys + cloud creds in env; rushed prod deploys skip network ACLs and patch cadence.
5.2 Phase 1: Langflow host compromise
All payloads: Base64-encoded Python via RCE endpoint.
① Recon + credential harvest (multithreaded parallel): id, uname -a, hostname; parallel scan OpenAI/Anthropic/DeepSeek/Gemini keys, multi-cloud creds, crypto wallets/mnemonics, DB creds.
② Local exfil: dump Langflow PostgreSQL backend (creds/API keys), local review, trace cleanup.
③ Internal lateral discovery: internal address space scan, default cred probes on DB/object storage/secret stores.
④ MinIO enumeration (forensic smoking gun): probe minio.internal:9000, 127.0.0.1:9000, default minioadmin:minioadmin, full bucket listing; priority terraform-state + credentials.json. Adaptive loop: JSON request → XML response → next payload switches parser — classic probe-error-correct closed loop.
⑤ Persistence: crontab beacon every 30 min:
5.3 Phase 2: MySQL + Nacos production server
① Multi-vector Nacos attack: CVE-2021-29441 auth bypass, default JWT signing key forgery, backdoor admin inject via root DB privileges.
31-second backdoor fix loop (Sysdig, UTC-precision):
| Time (UTC) | Action |
|---|---|
| 19:34:24 | bcrypt hash gen, insert xadmin |
| 19:34:36 | login xadmin:Xploit@2026# fail |
| 19:34:48 | parallel: nacos:nacos + regenerate admin123 hash |
| 19:35:07 | import bcrypt, delete corrupt row, rebuild |
| 19:35:18 | login success — total 31 s |
② Container escape probing (~8 min): MySQL INTO OUTFILE / LOAD_FILE, Docker socket, cgroup, UDF load tests; cleanup marker after — agent phase-transition signal, not static script behavior.
③ Destructive encryption: all 1,342 Nacos configs via AES_ENCRYPT(); delete config_info + his_config_info; ransom table README_RANSOM. Key from uuid4(), stdout only — no recovery even if ransom paid. Claims AES-256; MySQL default = AES-128-ECB.
④ Mass destruction: ROI-prioritized DROP DATABASE; comment claims backup at 64.20.53[.]230 (Sysdig: no independent confirmation). FK constraint fail → auto SET GLOBAL FOREIGN_KEY_CHECKS=0 — understands failure mode, not blind retry.
6. Four autonomy evidence lines
- Self-narrating payloads: natural-language comments on ROI sort, DB size heuristics — LLM codegen fingerprint.
- Machine-speed fault diagnosis: 31s Nacos fix, MinIO XML/JSON adaptation, JWT path pivot — evidence in correction latency + method.
- Semantic context parsing: free-text in target env interpreted into actions only possible if "read"; repeated across sessions weeks apart.
- Bitcoin address anomaly — dual interpretation open; new attribution uncertainty from agent autonomy.
7. Bitcoin address anomaly
Ransom addr 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy = standard P2SH example address in Bitcoin Core docs, heavily represented in LLM training corpora. On-chain: 737 txs, ~46 BTC cumulative, zero balance (immediate forward). Sysdig: (a) LLM hallucination, third-party sweep wallet; (b) attacker-chosen real wallet, coincidental collision. System prompt unknown — both hypotheses non-excludable.
8. IOC summary
| Type | Indicator |
|---|---|
| C2 / beacon | 45.131.66[.]106; crontab: hxxp://45.131.66[.]106:4444/beacon |
| Staging/exfil | 64.20.53[.]230 (InterServer, AS19318) |
| Initial access | CVE-2025-3248 |
| Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact | e78393397[@]proton[.]me (0 TI hits) |
| Ransom table | README_RANSOM (atypical vs WARNING/RECOVER_YOUR_DATA) |
| Persistence | Crontab beacon q30min → C2:4444 |
9. Official defense recommendations (Sysdig)
- Patch Langflow ≥1.3.0; never expose code exec/validate endpoints to internet.
- Runtime threat detection on anomalous DB process behavior.
- No LLM API keys or cloud creds in env vars on orchestrator hosts — dedicated secret manager (Vault, 1Password Connect, cloud Secrets).
- Harden Nacos: rotate default
token.secret.key, enforce auth, never public, no root DB access. - DB admin accounts not internet-exposed; strong creds + source IP allowlists.
- Egress control against C2 beacons.
- IOC monitoring, cron outbound requests, bracket-wrapped User-Agent anomalies.
10. Industry reaction
BleepingComputer, Dark Reading, CyberScoop, Security Affairs frame as first fully AI-driven ransomware; ATA era narrative. CSO Online quotes red team lead Vibhum Dubey: execution evolution, not new ransomware paradigm — critical window is pre-encryption quiet phase where agents map identity/trust chains and pivot TTP on block. LLMjacking: stolen creds drive agent ops → marginal attack cost → 0.
11. Sysdig conclusions (4 points)
- Ransomware skill floor collapsed: LLM agent chains recon → impact without deep exploit craft.
- Legacy CVE weaponization at scale: 2021 Nacos + default JWT; historical exploit corpus near-zero marginal cost.
- Readable intent = defensive signal: payload narration = new detection surface.
- "Backed up" is attacker claim only: ephemeral keys, irreversible data loss.
Bottom line: JADEPUFFER is an early warning — no single technique is novel; the LLM agent chains known TTPs into full ransomware ops against neglected public AI infra. Skill bar = cost of running an agent; with LLMjacking, attacker marginal cost ≈ 0. Expect volume and TTP diversity to climb.
12. Decision matrix: AI orchestration infra
| Deploy model | Exposure risk | Secret isolation | Use case | JADEPUFFER link |
|---|---|---|---|---|
| Local Mac, Langflow public-mapped | Critical | Poor (.env plaintext) | Local demo only | Classic pivot host |
| Cloud VPS + unpatched Langflow | Critical | Poor | Not recommended | Identical to incident entry |
| Intranet Langflow + secret manager | Medium | Good | Small prod | Requires egress control |
| Isolated remote Mac node + SSH tunnel | Low | Good | Agent dev/test | No public entry, snapshot rollback |
13. Five-step defense runbook
- Immediate patch: Langflow ≥1.3.0; Shodan/Censys for reachable
/api/v1/validate/code. - Remove public exposure: Langflow, Nacos, MySQL admin ports internal/VPN/Tailscale only; validate endpoint never public.
- Credentials out of env: Vault/1Password Connect/cloud Secrets; orchestrator mounts short-lived tokens only.
- Harden Nacos: rotate JWT key, disable root DB, enable auth; audit CVE-2021-29441 family.
- Runtime detection + IOC hunt: Falco/Sysdig; alert on cron egress, MySQL
INTO OUTFILE,README_RANSOMtable creation; match IOCs above.
14. Mac developer architecture in ATA era
JADEPUFFER = paradigm shift: exploit authors replaced by agent configurators. Langflow/OpenClaw/MLX on Mac → dev machine and agent prod must be physically or logically isolated.
Langflow pivot root cause: (1) public reachability (2) credential-rich env vars (3) same segment as MinIO/terraform-state. Mac mini prototype with real API keys = exact "hasty deploy" pattern.
LLMjacking positive feedback: stolen OpenAI/Anthropic creds → agent-driven next-stage attacks → more creds. Exposed Mac with keys + agent admin ports = victim and ammo depot.
Windows/Linux VPS can host Langflow but lose on Xcode toolchain, Cursor/Claude Code co-dev, Apple Silicon MLX local inference throughput. Fix: layer separation — isolated Mac without prod keys, SSH tunnel access, one-click snapshot rollback on compromise.
15. References
- Sysdig «JADEPUFFER: Agentic ransomware for automated database extortion» (primary report)
- BleepingComputer, Dark Reading, CyberScoop, CSO Online (Vibhum Dubey), Security Affairs
- Trend Micro — CVE-2025-3248 / Flodrix botnet
- NVD / SentinelOne / Zscaler — CVE-2025-3248; CISA KEV catalog
16. Closing: don't run agent dev bare-metal on prod Mac — isolated remote node
JADEPUFFER proves: public AI orchestrator + API keys in env vars = top-tier 2026 risk combo. Windows/Linux cloud can run Langflow, but Apple Silicon Mac wins on terminal AI toolchain co-dev, MLX local inference throughput, and snapshot rollback control. For isolated Langflow/OpenClaw agent workflow validation without commingling prod keys/data: MACGPU remote Mac mini M4 node — no public port mapping, on-demand lifecycle, snapshot rebuild on breach. Metal-backed unified memory keeps agent iteration latency low while SSH tunnel keeps attack surface at zero public endpoints.