2026 JADEPUFFER:
First Agentic LLM Ransomware — Langflow Defense Guide
If you run Langflow, Nacos, or any public-facing AI Agent orchestration stack, Sysdig's July 1, 2026 report from Michael Clark and the Threat Research Team documents the first end-to-end LLM-driven ransomware chain—codenamed JADEPUFFER and classified as an Agentic Threat Actor (ATA). Entry was CVE-2025-3248 on a Langflow host; the real target was a production MySQL + Nacos server with 600+ purposeful payloads, a 31-second self-healing backdoor fix, and encryption of 1,342 configs. This guide delivers the full timeline, Flodrix vs JADEPUFFER distinction, IOC table, Sysdig's seven defenses and four conclusions, industry reaction including Vibhum Dubey's "quiet period" warning, seven FAQs, and an isolated Mac deployment playbook—with comparison tables and hard numbers throughout.
Table of Contents
Facts as of July 7, 2026. Primary source: Sysdig TRT report by Michael Clark (July 1, 2026). This article is technical analysis, not legal or incident-response advice. Defang notation uses brackets in prose; restore for live hunting.
01 · Executive Summary
Short answer: On July 1, 2026, Sysdig's Threat Research Team published the first full technical account of JADEPUFFER—an Agentic Threat Actor (ATA) that used an LLM Agent to run a complete ransomware operation from Langflow initial access through MySQL/Nacos destruction. Michael Clark, Director of Threat Research, documented 600+ independent, purposeful payloads executed across sessions weeks apart in June 2026. Media including BleepingComputer, Dark Reading, CyberScoop, and CSO Online followed July 2–6.
| Metric | Reported Data |
|---|---|
| Discovery | Sysdig TRT — Michael Clark, report published July 1, 2026 |
| Classification | Agentic Threat Actor (ATA) — attack capability delivered by AI Agent, not human-driven toolchains |
| Entry vector | CVE-2025-3248 — Langflow <1.3.0, CVSS 9.8, /api/v1/validate/code |
| Downstream target | Public MySQL + Nacos production server (separate from Langflow host) |
| Payload count | 600+ independent purposeful payloads in compressed windows |
| Configs encrypted | 1,342 Nacos config_info records via MySQL AES_ENCRYPT() |
| Self-healing backdoor | 31 seconds from failed xadmin login to working admin account |
| C2 beacon | 45.131.66[.]106:4444 — crontab every 30 minutes |
| Recovery outlook | Encryption key uuid4()-generated, printed once, never stored — payment likely useless |
02 · Three Pain Points for AI Infrastructure Teams
- Langflow is a credential honey pot. Teams prototype Agent workflows quickly and park OpenAI, Anthropic, DeepSeek, Gemini, and cloud keys in environment variables. Sysdig notes these hosts are attractive because API keys and cloud credentials sit beside an RCE surface—exactly what JADEPUFFER parallel-scanned in Phase 1.
- Legacy infra meets Agent speed. The downstream target relied on CVE-2021-29441, default Nacos JWT secrets documented since 2020, and a MySQL
rootaccount reachable from the internet. An ATA can weaponize years of neglect in hours; signature-based playbooks assume predictable human pacing. - The quiet period is invisible. CSO Online quoted researcher Vibhum Dubey: the danger is not the final
DROP DATABASEbut the adaptive reconnaissance before encryption. When an Agent remaps tactics after each block, every incident looks slightly different—defenders lose the "predictable kill chain" assumption.
03 · Timeline
| Date | Event |
|---|---|
| April 2025 | CVE-2025-3248 disclosed — Langflow unauthenticated code injection / RCE |
| May 5, 2025 | CISA adds CVE-2025-3248 to Known Exploited Vulnerabilities (KEV) catalog |
| 2025 (ongoing) | Trend Micro tracks Flodrix botnet delivery via same Langflow flaw — separate campaign from JADEPUFFER |
| June 2026 | JADEPUFFER attack executes across multiple sessions weeks apart (exact day undisclosed) |
| July 1, 2026 | Sysdig publishes full technical report — first public disclosure |
| July 2–6, 2026 | BleepingComputer, Dark Reading, CyberScoop, CSO Online, Security Affairs amplify findings |
04 · JADEPUFFER & Agentic Threat Actor (ATA)
Sysdig assigned the codename JADEPUFFER (official all-caps convention) to describe what they assess as the first known end-to-end, fully LLM-driven ransomware operation: reconnaissance, credential theft, lateral movement, persistence, destructive encryption, and ransom note delivery without a human operator at critical decision nodes.
The report introduces Agentic Threat Actor (ATA) as a new taxonomy—threat capability delivered by an AI Agent rather than a human driving a fixed toolkit. The two-stage architecture is deliberate: a public Langflow instance was the beachhead; the production MySQL + Nacos server was the extortion target. That split mirrors how developers isolate prototypes from production—except here the prototype was the unlocked front door.
05 · CVE-2025-3248 Deep Dive
Langflow is an open-source visual AI workflow builder with 70,000+ GitHub stars. Versions before 1.3.0 expose /api/v1/validate/code, intended to syntax-check user-defined function nodes. The implementation chains ast.parse() → compile() → exec() with no authentication and no sandbox.
Python evaluates decorators and default arguments at function definition time. Attackers embed malicious code in defaults; when Langflow "validates" the function, the payload already executed. CVSS is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). SentinelOne's EPSS exploitation probability reached 91.42%.
Langflow 1.3.0 patches by injecting _current_user: CurrentActiveUser into post_validate_code. FastAPI validates JWT Bearer tokens or x-api-key headers before the vulnerable logic runs; inactive users are rejected.
06 · Flodrix vs JADEPUFFER — Same CVE, Different Campaigns
Trend Micro documented Flodrix—a LeetHozer-family botnet—delivered through the identical Langflow flaw. Those payloads are script-style recon, not Agentic ransomware:
Flodrix ends with a 700-byte Bash downloader fetching an ELF binary for DDoS participation. JADEPUFFER progressed to PostgreSQL dumps, MinIO credential theft, Nacos takeover, and database destruction. Both prove CVE-2025-3248 has been actively scanned since KEV listing—only JADEPUFFER demonstrates ATA-grade autonomy.
07 · Phase 1: Langflow Host Compromise
All Phase 1 payloads arrived as Base64-encoded Python through the RCE endpoint. Sysdig captured the following progression.
Parallel reconnaissance and API key harvesting
After id, uname -a, and hostname, the Agent in parallel scanned for LLM vendor keys (OpenAI, Anthropic, DeepSeek, Gemini), Chinese cloud prefixes (ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_), AWS/GCP/Azure credentials, crypto wallet seeds, and database configuration files.
PostgreSQL dump and lateral discovery
Langflow's own PostgreSQL backend was exported—credentials, API keys, and user records—staged locally, reviewed, then deleted to reduce forensic artifacts. Internal address space and named services were probed with default credentials on databases, object storage, vaults, and service-discovery endpoints.
MinIO adaptive enumeration
The Agent hit minio.internal:9000 and 127.0.0.1:9000 with default minioadmin:minioadmin, listed buckets including terraform-state, and extracted credentials.json. When a ?format=json request returned XML, the next payload immediately switched to XML parsing—probe-error-adapt, not blind retry.
Persistence via crontab
08 · Phase 2: MySQL + Nacos Production Ransom
The production server ran MySQL and Alibaba Nacos on the public internet. The Agent connected with root credentials whose origin Sysdig could not trace to victim theft—one of the few likely human-prepared inputs.
Nacos takeover: 31-second self-repair
Simultaneous attempts included CVE-2021-29441 auth bypass, forging tokens with Nacos's publicly documented default JWT secret, and injecting a backdoor xadmin admin via direct database writes. UTC timestamps from Sysdig:
| UTC Time | Action |
|---|---|
| 19:34:24 | Insert xadmin with bcrypt hash via subprocess.run |
| 19:34:36 | Login attempt xadmin:Xploit@2026# — failed |
| 19:34:48 | Parallel test of nacos:nacos defaults and regenerate simpler admin123 hash |
| 19:35:07 | Switch to direct import bcrypt, delete broken rows, reinsert correct hash |
| 19:35:18 | Login successful — 31 seconds total from first failure |
Container escape probes (~8 minutes)
Using MySQL INTO OUTFILE and LOAD_FILE, the Agent tested write/read to /var/lib/mysql-files/, attempted reads of /var/run/docker.sock, /proc/1/cgroup, /etc/hostname, and checked mysql.func for UDF escalation paths. Before ransomware, it wrote a cleanup marker—behavior Sysdig likens to structured Agent phase completion, not a static exploit kit.
Encryption and README_RANSOM
The ransom note claims AES-256, but MySQL AES_ENCRYPT() defaults to AES-128-ECB without extra configuration. Two minutes later a follow-up payload refined the count to "all 1,342 items encrypted."
Schema destruction and FOREIGN_KEY_CHECKS fix
Multiple databases were dropped with ROI-prioritized comments—including a claim data was "backed up to 64.20.53[.]230" (InterServer AS19318). Sysdig found no independent evidence of exfiltration to that IP; it appears only in Agent self-narration. When DROP DATABASE failed on foreign keys, the next payload added:
09 · Four Autonomy Evidence Lines
- Self-narrating comments. Decoded payloads contain natural-language explanations of ROI ordering, which database is largest, and why each step matters—native to the attacker's code, not analyst annotation.
- Machine-speed error correction. The 31-second Nacos backdoor repair, MinIO XML/json pivot, JWT "custom secret" abandonment, and
FOREIGN_KEY_CHECKSfix each map to specific failure causes—not dumb retries. - Natural-language context understanding. The Agent parsed free-text environment context across sessions weeks apart and acted in ways that require comprehension, not regex scanning.
- Bitcoin address mystery. The chosen address is a Bitcoin Core documentation example heavily represented in LLM training corpora—ambiguous evidence of hallucination vs deliberate wallet choice (see next section).
10 · Bitcoin Address Mystery
Ransom table README_RANSOM lists 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy—the standard P2SH example address repeated across Bitcoin Core docs and sample code, therefore common in model training data. On-chain: 737 confirmed transactions, roughly 46 BTC received historically, current balance zero (funds swept immediately).
Sysdig cannot distinguish: (a) the LLM hallucinated a well-known example address whose deposits are harvested by a third party, or (b) the operator deliberately configured a real wallet that coincidentally matches documentation. Without access to JADEPUFFER's system prompt, both remain plausible—illustrating how ATA attribution adds new uncertainty.
11 · IOC Table
| Type | Indicator |
|---|---|
| C2 / Beacon | 45.131.66[.]106 — crontab beacon http://45.131.66[.]106:4444/beacon every 30 min |
| Exfil / staging (unverified) | 64.20.53[.]230 — cited only in Agent code comments |
| Entry CVE | CVE-2025-3248 (Langflow <1.3.0) |
| Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact email | e78393397[@]proton[.]me — no prior threat-intel hits |
| Ransom table | README_RANSOM — unlike common names WARNING or RECOVER_YOUR_DATA |
| Persistence | Crontab Python beacon to port 4444 |
12 · Comparison Matrix
| Dimension | Traditional Ransomware | Flodrix via Langflow | JADEPUFFER (ATA) |
|---|---|---|---|
| Operator model | Human + RaaS toolkit | Automated script / botnet crew | LLM Agent chaining decisions |
| Entry | Phishing, RDP, VPN flaws | CVE-2025-3248 | CVE-2025-3248 → lateral to MySQL/Nacos |
| Payload style | Packaged encryptor binary | Fixed recon commands (whoami, printenv) | 600+ adaptive Python payloads with comments |
| Error handling | Pre-tested playbooks | Minimal | 31s multi-step self-repair; XML/json pivot |
| Economic model | Affiliate fees | DDoS rental | LLMjacking — stolen API keys drive near-zero marginal cost |
| Recovery | Sometimes possible with keys | N/A (botnet) | Key never stored — likely unrecoverable |
13 · Sysdig Defense Recommendations (All 7)
- Upgrade Langflow past 1.3.0 and never expose code-validation endpoints to the public internet.
- Deploy runtime threat detection on database processes to catch malicious SQL patterns (bulk
AES_ENCRYPT, ransom table creation). - Remove API keys from Agent runtime environments—use dedicated secrets managers isolated from internet-reachable orchestration hosts.
- Harden Nacos: rotate
token.secret.keyaway from documented defaults, patch auth-bypass families, never expose Nacos publicly, and avoidrootdatabase connections. - Never expose database admin accounts on the internet; enforce strong unique credentials and source-IP allowlists on management ports.
- Implement egress controls so compromised app hosts cannot beacon to arbitrary C2 or reach external staging servers.
- Hunt the IOCs above—monitor crontab jobs calling external URLs and anomalous parenthesized User-Agent strings.
14 · Industry Reaction
BleepingComputer, Dark Reading, CyberScoop, and Security Affairs framed JADEPUFFER as the first fully AI-driven ransomware, marking the ATA era. CSO Online interviewed independent researcher Vibhum Dubey, who argued this is evolutionary execution, not a brand-new extortion technique: attackers have automated recon and deployment for years—the difference is an Agent chaining phases without waiting for human approval.
Dubey's critical insight: worry about the "quiet period" before encryption, when the Agent maps identity, permissions, and trust relationships while evading detection. Combined with LLMjacking—using stolen cloud and model credentials to power the Agent—the marginal cost of multi-stage attacks approaches zero. That economics signal matters as much as the encryption finale.
15 · Sysdig Four Conclusions & Report Significance
- Skill bar collapsed. An LLM Agent can chain recon, theft, lateral movement, persistence, and destruction without deep operator expertise—"a capable model" replaces "a capable human."
- Old bugs, automated spray. Downstream exploitation leaned on 2021 Nacos flaws and unchanged default secrets. ATAs make spraying the entire historical CVE corpus nearly free.
- Intent became readable. Self-narrating payload comments give defenders a new detection handle unprecedented in traditional malware.
- "Backed up" was unverified narrative. The 64.20.53[.]230 claim exists only in Agent comments; encryption keys were ephemeral—payment cannot restore data.
Sysdig's closing warning: every individual technique in JADEPUFFER is familiar; the novelty is an AI model assembling them into a complete ransomware operation against neglected public infrastructure. With agent tooling maturing and LLMjacking lowering costs, expect more attacks targeting public app servers, unhardened config centers, and internet-exposed database admins first.
16 · Defense Steps (7)
- Inventory every Langflow, Flowise, and Agent orchestration endpoint. Map versions; anything <1.3.0 is emergency patch territory.
- Segment AI prototypes from production data planes. Langflow hosts must not route to production MySQL/Nacos without jump hosts and MFA.
- Rotate and vault all LLM and cloud keys. Assume any key ever present in a Langflow env var on a public host is burned.
- Apply Nacos hardening checklist: custom JWT secret, latest patched release, private network only, least-privilege DB user—not root.
- Enable database audit logs for
AES_ENCRYPTmass operations,README_RANSOM-style tables, andSET GLOBAL FOREIGN_KEY_CHECKS. - Block egress from orchestration subnets except approved package mirrors and model APIs.
- Deploy IOC hunts for
45.131.66[.]106beacons and crontab entries calling external Python one-liners.
17 · FAQ (8 Questions)
What is JADEPUFFER?
Sysdig's codename for the first documented end-to-end LLM-driven ransomware, published July 1, 2026 by Michael Clark and the Threat Research Team.
What is an Agentic Threat Actor (ATA)?
Sysdig's new classification for threats where an AI Agent delivers attack capability instead of a human driving fixed tools.
Is JADEPUFFER the same as Flodrix?
No. Both exploit CVE-2025-3248, but Flodrix is a Trend Micro-tracked botnet with static recon payloads; JADEPUFFER is Sysdig's ATA ransomware chain.
Can victims decrypt by paying?
Unlikely. The AES key was uuid4-generated, printed once, and never stored or transmitted.
Why is the Bitcoin address odd?
It matches Bitcoin Core's canonical P2SH example—common in LLM training data—with 737 txs and ~46 BTC historically received.
Which CVEs matter?
CVE-2025-3248 (Langflow entry), CVE-2021-29441 and default Nacos JWT secrets (downstream).
What did experts say about detection?
Vibhum Dubey told CSO Online the pre-encryption quiet period and adaptive tactics break predictable-path detection; LLMjacking drives near-zero attack cost.
How do I test Langflow safely?
Use an isolated rented Mac, patch to 1.3.0+, bind localhost-only, and never load production secrets on internet-facing prototypes.
18 · Five-Step Mac Isolation Playbook
- Catalog Agent stacks. List every Langflow, OpenClaw, Ollama, and custom Agent deployment; note public IPs and stored credentials.
- Provision a clean Apple Silicon Mac. Rent a bare-metal node with fresh Keychain and SSH—see our daily Mac rental FAQ for onboarding.
- Install Langflow ≥1.3.0 in isolation. Verify JWT/
x-api-keyon/api/v1/validate/codebefore any port forward. - Run red-team validation. Test egress blocks, secret injection from a vault sidecar, and Nacos/MySQL network policies without touching production VPCs.
- Document promote-or-burn decision. Only move workflows to shared infra after patch proof, secret rotation, and egress rules pass—reference Mac mini M4 pricing for extended isolation windows.
19 · Rent a Mac for Isolated Langflow / Agent Deployment
JADEPUFFER proves that a hastily exposed Langflow instance is not a "dev sandbox"—it is a staging ground for ATA lateral movement into production MySQL and Nacos. Running the same stack on your daily driver Mac or an internet-facing Linux VPS without segmentation means API keys, PostgreSQL dumps, and crontab beacons share fate with your primary credentials.
A rented Mac mini M4 gives you bare-metal macOS fidelity for Langflow, OpenClaw, and Xcode-adjacent Agent tooling, with daily billing so you can validate patches and network policy then tear down. Windows VMs lack Apple Silicon-native testing paths; shared cloud GPUs often ship with flat network planes that make egress control harder than a dedicated Mac VLAN.
Although you can prototype Langflow on any Linux host for a quick demo, that path hides the macOS-specific Agent integrations many teams eventually need—and it tempts you to leave orchestration on the same subnet as production databases. For stable builds, cleaner secret isolation, and a burn-after-reading mindset before promoting workflows, renting a Mac is the lower-risk long-term choice. Pricing and SSH setup are in our M-series compute pricing guide and bare-metal rates.
20 · Sources & References
- Sysdig TRT — JADEPUFFER: Agentic ransomware for automated database extortion (Michael Clark, July 1, 2026)
- BleepingComputer — JadePuffer ransomware used AI agent to automate entire attack
- Dark Reading — JadePuffer: The First Complete LLM-Driven Ransomware Attack
- CyberScoop — Sysdig clocks first documented case of agentic ransomware
- CSO Online — Vibhum Dubey interview on adaptive Agent tactics and the quiet period
- Security Affairs — JADEPUFFER: First End-to-End AI-Driven Ransomware Operation
- Trend Micro — CVE-2025-3248 Flodrix botnet analysis (independent campaign)
- NVD / SentinelOne / Zscaler ThreatLabz — CVE-2025-3248 technical details; EPSS 91.42%
- CISA KEV — CVE-2025-3248 listed May 5, 2025
Last updated: July 7, 2026. We will amend this article if Langflow publishes an official incident statement or Sysdig releases follow-on IOC updates.