JADEPUFFER: Ransomware Just Went Fully Autonomous

Red | Attack
Download Now
JADEPUFFER: Agentic Ransomware Exploits Langflow CVE-2025-3248 and Nacos CVE-2021-29441 (TA2026187)

Threat Advisory • Attack Report • TA2026187

JADEPUFFER: Ransomware Just Went Fully Autonomous

JADEPUFFER is an agentic ransomware operation run end-to-end by a large language model rather than a human operator. Entering through an unpatched Langflow instance via CVE-2025-3248, the LLM autonomously harvested credentials, pivoted to a production MySQL and Alibaba Nacos server, took over Nacos through CVE-2021-29441 and a default JWT signing key, encrypted 1,342 configurations with an ephemeral key, and destroyed entire database schemas — narrating its own reasoning and correcting its failures in under a minute.

SEVERITY: RED ADMIRALTY: A1 AGENTIC RANSOMWARE DATABASE EXTORTION UNRECOVERABLE ENCRYPTION ATTACK REGIONS: GLOBAL MALWARE: JADEPUFFER
Malware
JADEPUFFER
Published
July 06, 2026
Admiralty Code
A1
First Seen
July 2026
Attack Regions
Global
Targeted Platforms
Linux, Containerized Environments
Targeted Products
Langflow, Alibaba Nacos, MySQL, MinIO
CVEs Exploited
CVE-2025-3248, CVE-2021-29441
Payloads Fired
600+ distinct payloads

Summary

JADEPUFFER is an agentic ransomware operation — an entire extortion campaign run end-to-end by a large language model rather than a human operator or a fixed script. First seen in July 2026 and observed globally, the operation targets Linux and containerized environments, with confirmed impact against Langflow, Alibaba Nacos, MySQL, and MinIO deployments.

The LLM-driven agent entered through an unpatched Langflow instance via CVE-2025-3248, then autonomously harvested credentials, enumerated MinIO storage, and pivoted to a separate production server running MySQL and Alibaba Nacos. It took over Nacos through CVE-2021-29441 combined with a default JWT signing key, encrypted 1,342 Nacos configuration items with an ephemeral key that was never saved, and then destroyed entire database schemas. Throughout the intrusion, JADEPUFFER narrated its own reasoning in natural language, diagnosed and corrected its own failures within seconds, and issued over 600 distinct payloads. Because the encryption key is never retained, recovery is impossible even if the ransom is paid — making JADEPUFFER effectively a wiper posing as ransomware, driven entirely by a machine.


Attack Details

#1 — An Extortion Operation Run End-to-End by an LLM

JADEPUFFER is an agentic ransomware operation executed end-to-end by a large language model rather than a human operator or fixed script. The agent gained initial access to an internet-facing Langflow instance via CVE-2025-3248, then autonomously performed reconnaissance, credential harvesting, MinIO enumeration, lateral movement to a production MySQL and Alibaba Nacos server, Nacos takeover via CVE-2021-29441 and default JWT signing key forgery, encryption of 1,342 Nacos configuration items with an ephemeral key, and mass destruction of database schemas. Throughout the operation, the LLM narrated its reasoning, diagnosed and corrected its own failures within seconds, and issued over 600 distinct payloads.

#2 — Host Enumeration and Parallel Credential Sweeps

After code execution on the Langflow host, the JADEPUFFER agent enumerated the host — user context, kernel, hostname, network interfaces, and running processes — and swept the environment in parallel for LLM provider API keys covering OpenAI, Anthropic, DeepSeek, and Gemini; cloud credentials for Chinese providers such as Alibaba, Aliyun, Tencent, and Huawei alongside AWS, GCP, and Azure; cryptocurrency wallets and seed phrases; and database credentials stored in configuration files.

#3 — Credential Dumping, Staging, and Self-Cleanup

The agent dumped Langflow's PostgreSQL backend to harvest stored credentials, API keys, and user records, staged the output locally, reviewed it, then deleted the staging files to reduce forensic footprint. Persistence was established via a crontab entry beaconing to attacker infrastructure every 30 minutes. The payloads throughout carried natural-language commentary explaining each action — a signature of LLM-generated code that human operators rarely embed in disposable one-liners.

#4 — Pivot to Nacos, JWT Forgery, and Destructive Impact

The agent then scanned the reachable internal address space, probing databases, object stores, secret stores, and service discovery endpoints using default credentials. The harvested credentials enabled a pivot to its true objective: a separate internet-facing production server running MySQL and Alibaba Nacos. JADEPUFFER attacked Nacos through multiple simultaneous vectors — exploiting CVE-2021-29441, forging a valid JWT with the well-known default signing key that has shipped unchanged since 2020, and injecting a backdoor administrator account directly into the Nacos backing database via root MySQL access. The self-narrated exfiltration claim, destructive intent, and unrecoverable encryption together characterize JADEPUFFER as a wiper-with-extortion posture rather than conventional negotiable ransomware.

CVEs Exploited by JADEPUFFER
CVE IDVulnerability NameAffected ProductPatch Availability
CVE-2025-3248 Langflow Missing Authentication Vulnerability Langflow Available (1.3.0)
CVE-2021-29441 Nacos AuthFilter Authentication Bypass by Spoofing Vulnerability Alibaba Nacos Available

Recommendations

01

Patch Langflow to 1.3.0 or Later

Upgrade all Langflow deployments to release 1.3.0 or newer to close CVE-2025-3248, and remove internet exposure from any code-execution or validation endpoints that remain reachable from untrusted networks.

02

Harden Alibaba Nacos Configuration Servers

Upgrade Nacos to a version that forces a custom token signing key, replace the well-known default token.secret.key value on every existing deployment, restrict Nacos to internal networks only, and never allow Nacos to connect to its backing database with the root account.

03

Remove Provider Secrets from AI Orchestration Runtimes

Do not deploy AI orchestration servers, agent frameworks, or LLM workflow tools with LLM provider API keys, cloud credentials, or database secrets present in environment variables or .env files. Scope all secrets to a dedicated secret manager with least privilege and short-lived, rotatable tokens.


Indicators of Compromise (IOCs)

TypeValue
IPv4 45[.]131[.]66[.]106
64[.]20[.]53[.]230
IPv4:Port 45[.]131[.]66[.]106[:]4444
URL hxxp[:]//45[.]131[.]66[.]106[:]4444/beacon
Email e78393397[@]proton[.]me
Bitcoin Address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Filename README_RANSOM
File Path /tmp/creds.json
/var/lib/mysql-files/_pwn_test.txt
/var/lib/mysql-files/_pwn_cleanup.txt

Potential MITRE ATT&CK TTPs

T1190
Initial Access
Exploit Public-Facing Application
T1059
Execution
Command and Scripting Interpreter (Sub-technique: T1059.006 — Python)
T1203
Execution
Exploitation for Client Execution
T1053
Persistence
Scheduled Task/Job (Sub-technique: T1053.003 — Cron)
T1136
Persistence
Create Account (Sub-technique: T1136.001 — Local Account)
T1078
Privilege Escalation
Valid Accounts (Sub-technique: T1078.001 — Default Accounts)
T1611
Privilege Escalation
Escape to Host
T1140
Defense Evasion
Deobfuscate/Decode Files or Information
T1070
Defense Evasion
Indicator Removal (Sub-technique: T1070.004 — File Deletion)
T1552
Credential Access
Unsecured Credentials (Sub-technique: T1552.001 — Credentials In Files)
T1555
Credential Access
Credentials from Password Stores
T1212
Credential Access
Exploitation for Credential Access
T1606
Credential Access
Forge Web Credentials (Sub-technique: T1606.001 — Web Cookies)
T1082
Discovery
System Information Discovery
T1083
Discovery
File and Directory Discovery
T1057
Discovery
Process Discovery
T1046
Discovery
Network Service Discovery
T1526
Discovery
Cloud Service Discovery
T1613
Discovery
Container and Resource Discovery
T1210
Lateral Movement
Exploitation of Remote Services
T1021
Lateral Movement
Remote Services
T1005
Collection
Data from Local System
T1213
Collection
Data from Information Repositories
T1071
Command and Control
Application Layer Protocol (Sub-technique: T1071.001 — Web Protocols)
T1041
Exfiltration
Exfiltration Over C2 Channel
T1486
Impact
Data Encrypted for Impact
T1485
Impact
Data Destruction
T1490
Impact
Inhibit System Recovery
T1657
Impact
Financial Theft

References & Patch Links

Patch Links
References