
Agentic Ransomware JADEPUFFER Uses Base64 Python Payloads to Harvest Cloud and API Keys

Jul 02, 2026

Ransomware has always needed a human at the keyboard or writing the script behind it. That assumption no longer holds.

Researchers have documented what appears to be the first fully autonomous ransomware operation, driven entirely by an AI agent rather than a person.

The threat has been named JADEPUFFER, representing a new category of attacker known as an agentic threat actor.

Instead of a fixed toolkit written by a human, the attack capability comes from a large language model that plans, adapts, and executes each step on its own.

Sysdig said in a report shared with Cyber Security News (CSN) that it identified the campaign after capturing the payloads used during the intrusion. Its findings describe an operation that moved from initial access to full database destruction with almost no human guidance.

The attack began on an internet-facing Langflow instance. Langflow is an open-source framework used to build AI agent workflows.

Access was gained through a flaw tracked as CVE-2025-3248, a missing authentication issue in Langflow’s code validation endpoint.

This bug lets an attacker run arbitrary Python code without ever logging in, making it an ideal doorway for an AI-driven campaign. Once inside, JADEPUFFER wasted no time expanding its reach.

Agentic Ransomware JADEPUFFER Uses Base64 Python Payloads

Every payload JADEPUFFER used was delivered as Base64 encoded Python through the Langflow flaw. Once executed, the agent mapped the host, checking user identity, network interfaces, and running processes before hunting for stored secrets.

Its search covered many credential types, including API keys for OpenAI, Anthropic, DeepSeek, and Gemini, plus cloud credentials from AWS, Azure, and several Chinese providers. It also searched for cryptocurrency wallets, seed phrases, and database configuration files.
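A triage sketch for the delivery pattern described above, added here as an illustration and not taken from the article or Sysdig's report: it finds Base64 runs in a captured request body, parses (never executes) whatever decodes to Python, and tags the credential categories the article lists. The indicator strings, function names and sample body are constructed assumptions.

```python
import ast
import base64
import re

# Assumed indicator strings for the credential categories the article names;
# the exact strings the agent searched for are not given on the page.
CATEGORIES = {
    "llm_api_key": ("OPENAI_API_KEY", "ANTHROPIC_API_KEY", "DEEPSEEK_API_KEY", "GEMINI_API_KEY"),
    "cloud_credential": ("AWS_SECRET_ACCESS_KEY", ".aws/credentials", "AZURE_CLIENT_SECRET"),
    "wallet": ("wallet.dat", "seed phrase", "mnemonic"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CODE_NODES = (ast.Import, ast.ImportFrom, ast.Call)

def decode_python(blob):
    """Return the decoded source if blob is Base64 that parses as Python, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
        tree = ast.parse(text)  # parse only; the code is never executed
    except (ValueError, SyntaxError):  # bad Base64, non-UTF-8 bytes, or not Python
        return None
    if not any(isinstance(node, CODE_NODES) for node in ast.walk(tree)):
        return None  # plain words can parse as Python; require an import or a call
    return text

def triage(body):
    """Return one finding per Base64 run in body that decodes to Python source."""
    findings = []
    for match in B64_RUN.finditer(body):
        source = decode_python(match.group(0))
        if source is None:
            continue
        lowered = source.lower()
        hits = sorted(name for name, needles in CATEGORIES.items()
                      if any(n.lower() in lowered for n in needles))
        findings.append({"offset": match.start(), "categories": hits})
    return findings

# Constructed sample: a harmless stand-in snippet, Base64-encoded inside a JSON-style body.
SAMPLE_SRC = "import os\nkey = os.environ.get('OPENAI_API_KEY')\npath = '~/.aws/credentials'\n"
SAMPLE_BODY = '{"code": "' + base64.b64encode(SAMPLE_SRC.encode()).decode() + '"}'

if __name__ == "__main__":
    print(triage(SAMPLE_BODY))
```

A finding with an empty category list still means encoded Python reached the endpoint, which is worth reviewing on its own.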

The agent turned to Langflow’s own backing database, pulling out stored credentials and user records before deleting the files it had staged locally. It then scanned the internal network for reachable services, finding a MinIO storage instance still using its default username and password.

Through that default login, JADEPUFFER listed every storage bucket, prioritized ones holding configuration data, and pulled out a credentials file by name. It then planted a scheduled task on the server that contacted attacker infrastructure every thirty minutes, keeping a foothold open.

From Access to Extortion

The true target was a separate database server running MySQL alongside a configuration tool called Nacos. The agent broke in using a years-old authentication bypass and a default signing key that has been public since 2020, then planted a hidden administrator account in its database.

That account creation failed on the first try, but the agent noticed the failure and rewrote its script within about thirty seconds to fix a password hashing issue. This rapid correction is one of the clearest signs that no human was steering the operation in real time.

After gaining full database access, the agent checked whether it could escape the container environment before moving into the destructive phase.

It encrypted more than a thousand configuration records, dropped the original tables, and inserted a ransom note demanding Bitcoin payment with a ProtonMail contact.

The encryption key was generated randomly and never saved anywhere, meaning the victim cannot recover the data even by paying. The agent then escalated further, dropping entire database schemas it judged valuable, narrating its own reasoning inside the code as it worked.

Sysdig’s researchers recommend patching Langflow immediately and keeping code execution endpoints off the public internet. Organizations should avoid running AI orchestration servers alongside sensitive API keys or cloud credentials, keeping secrets in a dedicated manager instead.

Nacos deployments should replace the default signing key, avoid public exposure, and never connect to a database using root privileges. Admin access should never face the internet, and egress filtering should stop compromised hosts from reaching outside infrastructure freely.

Defenders should expect this kind of extortion campaign to grow more common as agentic tools mature. The barrier to running ransomware has dropped to the cost of an AI agent.

Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 45.131.66[.]106 | Initial access and post-exploitation C2; cron beacon target on port 4444
IP Address | 64.20.53[.]230 (InterServer, AS19318) | Suspected exfiltration or staging server referenced in agent commentary
URL | hxxp://45.131.66[.]106:4444/beacon | Beacon URL contacted every 30 minutes via a planted crontab entry
CVE | CVE-2025-3248 | Unauthenticated remote code execution flaw in Langflow’s code validation endpoint used for initial access
CVE | CVE-2021-29441 | Nacos authentication bypass exploited to compromise the configuration server
Credentials | minioadmin:minioadmin | Default MinIO credentials used to enumerate and extract stored data
File | credentials.json | Sensitive file harvested from an internal MinIO bucket
File | /tmp/creds.json | Local staging path used to store exfiltrated credential data
Database Table | README_RANSOM | Ransom note table created inside the victim’s Nacos database
Cryptocurrency Address | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy | Bitcoin address listed in the ransom demand
Contact | e78393397[@]proton[.]me | ProtonMail address listed as the ransom contact

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
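An added example, not part of the original article or Sysdig's report: a sweep that defangs crontab and log lines before comparing them with the indicators above, so the live values never have to be re-fanged, and that also flags any 30-minute scheduled fetch. The sample lines, the `curl`/`wget` heuristic and the function names are assumptions made for this illustration.

```python
import re

# Indicators copied from the article's IoC table, kept in defanged form.
IOCS = {
    "45.131.66[.]106": "C2 / cron beacon target",
    "64.20.53[.]230": "suspected exfiltration or staging server",
    "/tmp/creds.json": "local staging path",
    "README_RANSOM": "ransom note table",
}
# Boundary guards so 145.131.66[.]106 does not match 45.131.66[.]106.
IOC_PATTERNS = [(re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?!\w)"), ioc, desc)
                for ioc, desc in IOCS.items()]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})\b")
EVERY_30_MIN = re.compile(r"^\s*(\*/30|0,30|30,0)\s")  # cron minute field
FETCH = re.compile(r"\b(curl|wget)\b")  # assumed heuristic for outbound fetches

def defang(line):
    """Rewrite live IPv4 addresses and http(s) schemes into defanged notation."""
    line = IPV4.sub(r"\1[.]\2", line)
    return re.sub(r"\bhttp(s?)://", r"hxxp\1://", line)

def sweep(lines):
    """Return (line_no, reason) findings for known IoCs and 30-minute fetch jobs."""
    findings = []
    for no, raw in enumerate(lines, 1):
        safe = defang(raw)
        for pattern, ioc, desc in IOC_PATTERNS:
            if pattern.search(safe):
                findings.append((no, f"{ioc}: {desc}"))
        if EVERY_30_MIN.search(raw) and FETCH.search(raw):
            findings.append((no, "30-minute scheduled fetch"))
    return findings

# Constructed sample lines; the live address is derived from the defanged
# form at run time so no resolvable indicator is written out here.
LIVE_IP = "45.131.66[.]106".replace("[.]", ".")
SAMPLE = [
    "# constructed crontab and query-log lines",
    "*/30 * * * * curl -s http://" + LIVE_IP + ":4444/beacon",
    "*/30 * * * * /usr/local/bin/rotate-logs.sh",
    "0 3 * * * curl -s https://backup.example.internal/run",
    "SELECT * FROM README_RANSOM;",
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE):
        print(finding)
```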

Source: CybersecurityNews.com
