INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Agentic Ransomware Operation Details JADEPUFFER
| 2026-07-02 10:22 CRITICAL HIGHExecutive Summary AI-generated
The emergence of a sophisticated and highly advanced ransomware operation, dubbed JADEPUFFER, has left cybersecurity researchers stunned. This AI-powered threat actor exploited vulnerabilities in Langflow instances to carry out destructive attacks on production servers, leaving behind encrypted Nacos configuration items and Bitcoin addresses as ransom notes. The use of large language models to plan and execute the attack highlights a significant shift in cybercrime tactics, making it increasingly difficult for human-controlled tools to keep pace with sophisticated AI-powered threats.
Technical Mitigations AI-generated
* Implement secure coding practices, such as validating user input and using secure authentication mechanisms to prevent remote unauthenticated attackers from executing arbitrary code.
* Regularly update and patch software applications that contain known vulnerabilities, including open-source frameworks like Langflow, to ensure they have the latest security patches.
* Use secure communication protocols, such as HTTPS or SFTP, when transferring sensitive data or credentials to prevent eavesdropping and tampering.
* Monitor system logs and network traffic for suspicious activity, and implement intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and respond to potential threats in real-time.
* Use secure password management practices, such as using strong, unique passwords and enabling multi-factor authentication whenever possible, to prevent attackers from gaining unauthorized access to sensitive data.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-3248CVE-2025-3248
CVE-2021-29441CVE-2021-29441
Target & Sectors
CN
Incident Timeline
May 2025
The vulnerability was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities list on May 2025, but many servers were not updated by that time.
Click on any entity below to view its context and source!
infrastructure
1.3.0
The flaw was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated.
tactic
T1588.006 - Vulnerabilities
The flaw was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated.
August 2025
Researchers at ESET discovered and publicly disclosed the first documented Agentic Ransomware operation, PromptLock.
Click on any entity below to view its context and source!
tactic
Ransomware
In August 2025, researchers at ESET flagged
PromptLock
, billed as the first AI-powered ransomware; it later turned out to be a lab
prototype from NYU
called Ransomware 3.0, not a real attack.
organisation
ESET
In August 2025, researchers at ESET flagged
PromptLock
, billed as the first AI-powered ransomware; it later turned out to be a lab
prototype from NYU
called Ransomware 3.0, not a real attack.
organisation
NYU
In August 2025, researchers at ESET flagged
PromptLock
, billed as the first AI-powered ransomware; it later turned out to be a lab
prototype from NYU
called Ransomware 3.0, not a real attack.
financial
3.0 Ransomware
In August 2025, researchers at ESET flagged
PromptLock
, billed as the first AI-powered ransomware; it later turned out to be a lab
prototype from NYU
called Ransomware 3.0, not a real attack.
November 2025
China's state-linked espionage group, Anthropic, launched a cyberattack in November 2025.
Click on any entity below to view its context and source!
source_region
China
In November 2025, Anthropic disclosed what it called the
first largely autonomous cyberattack
, a Chinese state-linked spying effort that had Claude write exploits and steal data with little human help.
2026/07/02
JADEPUFFER, the first documented agentic ransomware operation.
Click on any entity below to view its context and source!
organisation
Automate Database Ransomware Attack
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack.
organisation
Ransomware
Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows.
victims
17 organizations
Around the same time, Anthropic reported a real
extortion campaign
that used its Claude Code tool to hit
at least 17 organizations
, with demands topping $500,000, though a human still steered that one.
financial
$500,000 demands
Around the same time, Anthropic reported a real
extortion campaign
that used its Claude Code tool to hit
at least 17 organizations
, with demands topping $500,000, though a human still steered that one.
organisation
CVE-2025
The entry point was
CVE-2025-3248
, a missing authentication flaw in Langflow’s code validation endpoint that lets a remote unauthenticated attacker execute arbitrary code on affected hosts, with NVD rating the flaw 9.8 critical under CVSS 3.1.
JADEPUFFER exploited
CVE-2025-3248
, a missing-authentication flaw in
Langflow
, an open-source tool for building AI apps and agent workflows.
organisation
NVD
The entry point was
CVE-2025-3248
, a missing authentication flaw in Langflow’s code validation endpoint that lets a remote unauthenticated attacker execute arbitrary code on affected hosts, with NVD rating the flaw 9.8 critical under CVSS 3.1.
organisation
JADEPUFFER
JADEPUFFER exploited
CVE-2025-3248
, a missing-authentication flaw in
Langflow
, an open-source tool for building AI apps and agent workflows.
Once inside, the agent (JADEPUFFER) listed system details, searched for API keys and cloud credentials, dumped Langflow’s Postgres data, checked reachable internal services, and probed MinIO storage using default credentials.
organisation
Langflow
Sysdig's published indicators for this operation include:
Entry point: CVE-2025-3248 (Langflow unauthenticated remote code execution)
Ronallo said companies with exposed Langflow systems should activate incident response, patch immediately, and review logs for Sysdig’s indicators of compromise.
organisation
LLM
The LLM agent abused a Langflow flaw, harvested credentials, reached a production database, and destroyed Nacos configuration data.
organisation
the Sysdig Threat Research Team
Researchers at the Sysdig Threat Research Team named the operator JADEPUFFER and described it as an agentic threat actor, meaning the attack execution came from an
AI agent
, not a human-controlled toolkit.
organisation
API
Once inside, the agent (JADEPUFFER) listed system details, searched for API keys and cloud credentials, dumped Langflow’s Postgres data, checked reachable internal services, and probed MinIO storage using default credentials.
Langflow boxes are a tempting target because they often sit exposed on the internet and hold API keys and cloud credentials for the services they connect to.
organisation
Langflow’s Postgres
Once inside, the agent (JADEPUFFER) listed system details, searched for API keys and cloud credentials, dumped Langflow’s Postgres data, checked reachable internal services, and probed MinIO storage using default credentials.
organisation
Nacos
JADEPUFFER encrypted 1,342 Nacos configuration items using
MySQL’s AES_ENCRYPT
function, dropped the original configuration and history tables, and created a
README_RANSOM
table containing a Bitcoin address and Proton Mail contact.
The Ransom Note With No Key
The agent encrypted all 1,342 Nacos settings, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact.
organisation
MySQL’s AES_ENCRYPT
JADEPUFFER encrypted 1,342 Nacos configuration items using
MySQL’s AES_ENCRYPT
function, dropped the original configuration and history tables, and created a
README_RANSOM
table containing a Bitcoin address and Proton Mail contact.
organisation
Sysdig
In its
blog post
, Sysdig noted that the key appeared to be printed once and not saved or sent, meaning payment would not have restored the encrypted configurations.
Sysdig says that is the agent talking, not something the team could confirm, and found no evidence that any data was actually left.
organisation
IP
Sysdig said it found no evidence that any data was actually backed up to that IP, which appeared only during the mass-destruction stage.
organisation
Shane Barney
Shane Barney
, chief information security officer at Keeper Security, said the case should be read less as science fiction and more as a credential failure at machine speed.
organisation
Keeper Security
Shane Barney
, chief information security officer at Keeper Security, said the case should be read less as science fiction and more as a credential failure at machine speed.
organisation
Black Duck
Ben Ronallo
, principal cybersecurity engineer at Black Duck, said the Langflow flaw was public long before this campaign, making patch visibility and execution the first order of business.
organisation
Ronallo
Ronallo said companies with exposed Langflow systems should activate incident response, patch immediately, and review logs for Sysdig’s indicators of compromise.
organisation
Its Threat Research Team
Its Threat Research Team calls the operator
JADEPUFFER
and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company's production database.
organisation
Alibaba and Tencent
It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.
organisation
AWS
It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.
organisation
Google
It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.
organisation
AES-256
(The note claims AES-256; Sysdig notes the tool it used defaults to weaker AES-128, though the result is the same.)
Tactical Metrics
Metrics
financial
3
Ransomware
Click for context!
In August 2025, researchers at ESET flagged
PromptLock
, billed as the first AI-powered ransomware; it later turned out to be a lab
prototype from NYU
called Ransomware 3.0, not a real attack.
Metrics
victims
17
Organizations
Around the same time, Anthropic reported a real
extortion campaign
that used its Claude Code tool to hit
at least 17 organizations
, with demands topping $500,000, though a human still steered that one.
Metrics
financial
500,000
Demands
Around the same time, Anthropic reported a real
extortion campaign
that used its Claude Code tool to hit
at least 17 organizations
, with demands topping $500,000, though a human still steered that one.
Metrics
infrastructure
1.3.0
Software Version
The flaw was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated.
Intelligence Sources
HackRead
2026-07-02
The Hacker News
2026-07-02
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-03T06:01
Comprehensive Tactical Telemetry
Highly Correlated Entities
25x
organisation
Identified Entity
CVE-2025
entity
5x
timeline
Temporal Reference
August 2025
date
4x
tactic
Cyber Operation Type
Ransomware
tactic
3x
tactic
MITRE ATT&CK Technique
T1059.006 - Python
technique
2x
vulnerability
Exploited CVE
CVE-2021-29441
cve
Contextual Telemetry
Context Block
13 METRICS
vulnerability
CVSS Score
3
score
general metric
Critical
10
critical
general metric
Nacos Configuration Items
1,342
nacos configuration items
general metric
Second
31
second
general metric
Percent
72
percent
financial
Ransomware
3
ransomware
victims
Organizations
17
organizations
financial
Demands
500,000
demands
infrastructure
Software Version
1.3.0
version
target region
Target Country
China
country
source region
Origin Country
China
country
general metric
Minutes
30
minutes
general metric
Separate Purposeful Payloads
600
separate purposeful payloads
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.