Security / Jul 3, 2026 / 4 min
JADEPUFFER: Agentic Ransomware With No Decryption Key
On July 1, Sysdig documented JADEPUFFER — what it assesses as the first end-to-end agentic ransomware campaign driven by a large language model — which encrypted 1,342 database configs, dropped a ransom note, and destroyed the AES key before any human could collect payment.
On July 1, Sysdig's Threat Research Team documented JADEPUFFER — what it assesses is the first end-to-end agentic ransomware operation driven by a large language model, not a human at the keyboard. An LLM exploited a Langflow server, pivoted to a production MySQL/Nacos database, encrypted 1,342 configuration items, dropped a Bitcoin ransom note — and destroyed the AES key before anyone could collect payment.
What's new:
- Sysdig named the operator JADEPUFFER and classified it as an "agentic threat actor" — attack capability delivered by an AI agent, not a human toolkit.
- The LLM ran 600-plus distinct payloads in a compressed window: reconnaissance, API-key harvesting, lateral movement, persistence, encryption, and mass schema deletion — with no human intervention observed between steps.
- Michael Clark, Sysdig's director of threat research: "The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero."
How it unfolded:
- Entry: Initial access via CVE-2025-3248 — an unauthenticated remote code execution flaw in Langflow, a popular open-source LLM orchestration framework.
- Harvest: The agent swept the Langflow host for OpenAI, Anthropic, DeepSeek, and Gemini API keys; Alibaba, Tencent, and Huawei cloud credentials; crypto wallets; and database secrets. It dumped Langflow's Postgres backing store and enumerated a MinIO object store using default `minioadmin` credentials.
- Pivot: The true target was a separate internet-exposed server running Alibaba Nacos — a microservices configuration platform — backed by MySQL. The agent connected via root credentials Sysdig could not trace to the Langflow compromise.
- Takeover: The LLM attacked Nacos through CVE-2021-29441 auth bypass, JWT forgery using Nacos's publicly documented default signing key, and a backdoor admin injected directly into the database.
The 31-second fix:
- At 19:34:36 UTC, a backdoor login failed. By 19:35:07 UTC — 31 seconds later — the agent diagnosed a subprocess PATH failure, deleted the broken account, regenerated the bcrypt hash via direct import, and reinserted a working admin user.
- Sysdig: "A human operator reading an error message, identifying the root cause... and submitting it takes much longer than 31 seconds."
- When a `DROP DATABASE` hit a foreign-key constraint, the next payload wrapped it with `SET GLOBAL FOREIGN_KEY_CHECKS=0` — a failure-mode-specific fix, not a blind retry.
The ransom that cannot pay:
- The agent encrypted all 1,342 Nacos `config_info` rows using MySQL's `AES_ENCRYPT()`, dropped the originals, and created a `README_RANSOM` table demanding Bitcoin to wallet `3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy`.
- The AES key was generated as `base64(uuid4().bytes + uuid4().bytes)`, printed to stdout once, and never persisted or transmitted. Payment cannot recover the data.
- Sysdig flagged the Bitcoin address as a canonical example from Bitcoin developer documentation saturating LLM training corpora — raising the question of whether the wallet is real operator infrastructure or a hallucinated artifact.
- The agent's own code claimed data was "already backed up" to a staging server. Sysdig found no evidence of exfiltration.
Why defenders should care:
- Self-narrating payloads: LLM-generated attack code includes natural-language comments explaining target prioritization — a new detection surface defenders did not have with human-written scripts.
- Old CVEs, new automation: The downstream attack leaned on a 2021 Nacos bypass and unchanged default JWT keys. Agents make spraying the entire historical vulnerability catalog effectively free.
- Langflow is an AI-adjacent entry point: Orchestration servers often hold provider API keys and cloud credentials in reachable environments — making them high-value staging grounds for LLMjacking.
- Keeper Security CISO Shane Barney, via SC Media: "An AI agent operating at machine speed can move from initial access to full destruction well inside" the hours most organizations need to detect credential misuse.
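The database-side statements named in this report (`AES_ENCRYPT()` writes, a `README_RANSOM` table, `SET GLOBAL FOREIGN_KEY_CHECKS=0`, `DROP DATABASE`) can be correlated per connection in a MySQL general query log. The Python below is an added example, not Sysdig's detection content; the log lines, connection ids, schema names, and severity rules are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Statement patterns taken from the behaviour described in the article.
INDICATORS = {
    "fk_checks_off": re.compile(r"\bSET\s+GLOBAL\s+FOREIGN_KEY_CHECKS\s*=\s*0\b", re.I),
    "drop_database": re.compile(r"\bDROP\s+(DATABASE|SCHEMA)\b", re.I),
    "aes_encrypt_write": re.compile(r"\b(UPDATE|INSERT)\b.*\bAES_ENCRYPT\s*\(", re.I | re.S),
    "ransom_table": re.compile(r"\bREADME_RANSOM\b", re.I),
}
# General query log layout: <timestamp> <connection id> <command> <argument>
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

# Constructed sample log; ids, schema names and times are illustrative only.
SAMPLE_LOG = "\n".join([
    "2026-01-01T00:00:01.000000Z\t   41 Query\tSELECT COUNT(*) FROM config_info",
    "2026-01-01T00:00:03.000000Z\t   41 Query\tUPDATE config_info SET content = AES_ENCRYPT(content, @k)",
    "2026-01-01T00:00:05.000000Z\t   41 Query\tCREATE TABLE README_RANSOM (note TEXT)",
    "2026-01-01T00:00:09.000000Z\t   41 Query\tSET GLOBAL FOREIGN_KEY_CHECKS=0",
    "2026-01-01T00:00:10.000000Z\t   41 Query\tDROP DATABASE app_constructed",
    "2026-01-01T00:00:12.000000Z\t   57 Query\tDROP DATABASE IF EXISTS ci_tmp_constructed",
    "2026-01-01T00:00:20.000000Z\t   58 Query\tSELECT AES_ENCRYPT('x', 'y')",
])

def scan(log_text):
    """Return {connection_id: alert} for connections that hit any indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "Query":
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        for name, rx in INDICATORS.items():
            if rx.search(m.group(4)):
                hits[int(m.group(2))].append((ts, name))
    alerts = {}
    for conn, events in hits.items():
        names = {n for _, n in events}
        times = [t for t, _ in events]
        if "aes_encrypt_write" in names and names & {"drop_database", "ransom_table"}:
            severity = "critical"   # in-place encryption plus destruction or a note
        elif len(names) >= 2:
            severity = "high"
        else:
            severity = "review"     # a lone DROP DATABASE may be routine admin work
        alerts[conn] = {"severity": severity, "indicators": sorted(names),
                        "span_seconds": (max(times) - min(times)).total_seconds()}
    return alerts
```

The `span_seconds` field is there because of the machine-speed timing the report describes: several indicators from one connection within seconds are worth paging on rather than queuing for review.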
The timing:
- JADEPUFFER landed the same week the Bank of England warned autonomous agents could amplify market stress into meltdown, Meta's Zuckerberg told staff agent development has not accelerated as expected, and OKX launched an agent-to-agent marketplace on the NYSE's crypto rails.
- Washington spent June debating frontier-model guest lists and voluntary clearinghouses. The first documented agentic ransomware operator did not wait for the rules.
Convina's view: JADEPUFFER is the proof-of-concept Silicon Valley keeps dismissing as hypothetical — and it is worse than the hype because the agent is incompetent at extortion and lethal at destruction. The AES key vanished. The Bitcoin wallet may be training-data fiction. The databases are gone. That is what happens when you deploy agentic infrastructure on internet-facing Langflow instances holding live API keys while regulators argue about 30-day model review windows. The skill floor for ransomware just hit the price of a stolen credential and an API call. Your Langflow deployment is not a dev sandbox anymore. It is the staging server.