JADEPUFFER Agentic Ransomware Uses Base64 Python Payloads to Steal Cloud and API Keys


Security researchers have documented a ransomware operation called JADEPUFFER that used an AI agent to move from initial access to credential theft, lateral movement, persistence, and database destruction.

Sysdig said the operation targeted an internet-facing Langflow instance, then pivoted toward a production database environment. The company assessed it as the first documented case of agentic ransomware, where a large language model carried out the attack flow end to end.

The attack used CVE-2025-3248, an unauthenticated Langflow remote code execution flaw, to deliver Base64-encoded Python payloads. Those payloads searched for cloud credentials, AI provider API keys, cryptocurrency wallet material, database files, and internal services.

What Makes JADEPUFFER Different

JADEPUFFER was not just a script that ran a fixed set of commands. The captured payloads contained comments, reasoning, target prioritization, and self-correction behavior that Sysdig linked to LLM-generated attack logic.

The Hacker News reported that the agent fixed one failed step in about 31 seconds after identifying a password hashing problem. That type of fast correction was one reason researchers believed the operation was driven by an autonomous agent rather than a human manually typing commands.

The case matters because none of the individual techniques looked especially new. The important change was that an AI agent chained old flaws, weak credentials, exposed services, and destructive database operations into one working extortion campaign.

How the Attack Started

The entry point was Langflow, an open source framework used to build AI applications and agent workflows. The vulnerable server was reachable from the internet, which gave the attacker direct access to the code execution bug.

The NVD entry for CVE-2025-3248 says Langflow versions before 1.3.0 are vulnerable to code injection in the /api/v1/validate/code endpoint. A remote unauthenticated attacker can send crafted HTTP requests and execute arbitrary code. The endpoint exists to validate user-submitted Python, but the validation step itself evaluated parts of the submitted code on the server, so the check became the execution primitive and no login was needed to reach it.

JADEPUFFER used that weakness to run Base64-encoded Python. After decoding and execution, the agent began mapping the host, collecting identity data, listing network interfaces, checking processes, and searching for secrets.

JADEPUFFER Attack Chain

Stage | What JADEPUFFER did | Why it matters
Initial access | Exploited CVE-2025-3248 in an exposed Langflow instance | Allowed unauthenticated Python execution
Host discovery | Checked users, hostname, network interfaces, and running processes | Mapped the compromised environment
Credential hunting | Searched for cloud keys, AI API keys, wallets, and database configs | Collected material useful for expansion and abuse
Internal discovery | Scanned reachable internal services, including storage and databases | Found the next target inside the network
Destruction | Encrypted Nacos records and dropped database schemas | Turned access into extortion and unrecoverable damage

Sysdig said every observed payload arrived as Base64-encoded Python through the Langflow RCE endpoint. That gave the agent a flexible way to run new logic without dropping a traditional malware binary first.

The agent also deleted some staged files after reviewing them. That cleanup reduces what disk forensics alone will recover, so process execution telemetry and Langflow request logs need to be captured while the intrusion is in progress rather than reconstructed from the file system afterward.

Credentials and Secrets Targeted

The agent searched broadly for secrets because AI and cloud orchestration servers often store high-value credentials. That included API keys for OpenAI, Anthropic, DeepSeek, Gemini, and other AI services.

It also searched for AWS, Google Cloud, Azure, Alibaba, Tencent, and Huawei credentials. The same sweep covered cryptocurrency wallets, seed phrases, database configuration files, and Langflow’s own backing database.

  • LLM provider API keys
  • Cloud access keys and tokens
  • Database credentials and configuration files
  • Cryptocurrency wallets and seed phrases
  • Stored Langflow credentials and user records
  • Internal storage and service-discovery data

This is why exposed AI workflow servers create serious risk. They can become a shortcut to many other systems when developers store production credentials near orchestration tools.
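
The sweep the agent ran is one defenders can run first. The following is an added example, not Sysdig's or the attacker's code: it scans a constructed set of files for the secret types listed above using heuristic patterns. The regexes, the sample paths and the sample values are assumptions for illustration (none are real credentials; the AWS key is Amazon's documented example key); wallet and seed-phrase detection needs a BIP-39 wordlist and is left out.

```python
"""Defensive sweep for the secret types JADEPUFFER hunted on the Langflow host.

Added example, not Sysdig's or the attacker's code. It scans a constructed
set of files with heuristic regexes for AI-provider keys, cloud access keys,
database connection strings, and the MinIO default root credential, so
defenders can find what an intruder would find before the intruder does.
Swap CONSTRUCTED_FILES for a filesystem walk to run it on a real host.
"""
import re
from typing import Dict, List, Tuple

# Heuristic patterns (assumptions: vendors do not publish formal key grammars,
# and formats change; tune them for your environment).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "mysql_url": re.compile(r"mysql://[^:\s]+:[^@\s]+@[^\s'\"]+"),
    "minio_default_root": re.compile(r"\bminioadmin\b"),
}

# Constructed sample files standing in for what an AI orchestration host tends
# to leave on disk. None of these values are real credentials.
CONSTRUCTED_FILES: Dict[str, str] = {
    "/opt/langflow/.env": (
        "OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz123456\n"
        "ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789\n"
        "LANGFLOW_DATABASE_URL=mysql://langflow:Passw0rd@10.0.0.12:3306/langflow\n"
    ),
    "/root/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/etc/minio/minio.env": "MINIO_ROOT_USER=minioadmin\nMINIO_ROOT_PASSWORD=minioadmin\n",
    "/var/log/app.log": "2025-01-01 startup ok\n",
}

Finding = Tuple[str, str, str]  # (path, kind, redacted match)


def redact(value: str) -> str:
    """Keep enough of a match to locate it without reprinting the whole secret."""
    if len(value) > 12:
        return value[:6] + "..." + value[-4:]
    return value[:4] + "..."


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per heuristic hit in text."""
    return [
        (path, kind, redact(m.group(0)))
        for kind, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]


def sweep(files: Dict[str, str]) -> List[Finding]:
    """Scan every (path, contents) pair; order follows the input mapping."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per secret kind, which is what a rotation ticket needs."""
    counts: Dict[str, int] = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for path, kind, shown in sweep(CONSTRUCTED_FILES):
        print(f"{path}: {kind}: {shown}")
    print(summarize(sweep(CONSTRUCTED_FILES)))
```

Every hit is a credential that should be moved to a secrets manager and rotated, because an attacker with code execution on the host would have found it the same way. The output is redacted on purpose so the report itself does not become a second copy of the secrets.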

MinIO Default Credentials Helped the Attack Expand

During internal discovery, JADEPUFFER found a MinIO object storage service using the default minioadmin:minioadmin login. The agent used that access to list buckets and search for configuration data.

MinIO documentation warns administrators not to use default root credentials in production and recommends setting unique, long, random values for root user and root password settings.

In this case, the agent reportedly pulled a file named credentials.json from an internal bucket. It also planted a scheduled task that contacted attacker infrastructure every 30 minutes, giving the operation a recurring foothold.

Nacos Became the Main Target

The final target was a separate production database server running MySQL alongside Nacos, a configuration and service-discovery platform often used in microservice environments.

The NVD entry for CVE-2021-29441 says Nacos versions before 1.4.1 could be made to skip authentication: the server treated any request whose User-Agent header identified it as coming from another Nacos server as trusted cluster traffic, and any client could set that header. That made older Nacos systems dangerous when exposed or reachable from compromised hosts.

The agent also relied on Nacos's default token signing key. Alibaba Cloud guidance says that leaving token.secret.key at its default value creates an authentication bypass risk, because anyone who knows the shipped key can mint access tokens the server will accept, and it tells self-managed users to replace the default value.

From Access to Database Destruction

After gaining database access, the agent created a hidden administrator account in Nacos. The first attempt failed, but the agent rewrote its script quickly to fix the hashing issue and continue.

It then encrypted 1,342 Nacos configuration records, dropped the original tables, and created a ransom note table called README_RANSOM. The note demanded Bitcoin payment and listed a ProtonMail contact.

Sysdig said the encryption key was generated randomly and not saved or transmitted. That means paying the ransom would not restore the data because there was no usable recovery key for the attacker to provide.

Important Observed Indicators

Type | Indicator | Context
IP address | 45.131.66[.]106 | Initial access and command-and-control activity
IP address | 64.20.53[.]230 | Suspected staging server referenced in agent commentary
URL | hxxp://45.131.66[.]106:4444/beacon | Beacon URL contacted every 30 minutes
CVE | CVE-2025-3248 | Langflow unauthenticated remote code execution
CVE | CVE-2021-29441 | Nacos authentication bypass
Credential pair | minioadmin:minioadmin | Default MinIO credentials used to access storage
File | credentials.json | Sensitive file harvested from internal object storage
Database table | README_RANSOM | Ransom note table created in the victim database

Security teams should use these indicators for threat hunting, but they should not rely on them alone. Attackers can change IP addresses, filenames, wallets, and beacon infrastructure quickly.

Behavior-based detections matter more here. Defenders should watch for Langflow processes launching shells or Python subprocesses, unusual Base64 payload execution, MinIO access from unexpected hosts, and database commands that create ransom tables or drop schemas.

Why the Exfiltration Claim Needs Careful Reading

The agent’s own code claimed that high-value databases had already been backed up to a staging server before destructive commands ran. Sysdig said this was the agent’s assertion, not independently verified evidence of exfiltration.

Sysdig’s report also noted that the Bitcoin address in the ransom demand matched a widely used example address from Bitcoin developer documentation. Researchers could not determine whether the agent hallucinated the address from training data or whether the operator intentionally used it.

That detail shows another unusual risk with AI-driven crime. An autonomous agent may generate destructive output that does not even support the attacker’s own ransom payment workflow.

How Organizations Should Respond

Organizations running Langflow should patch immediately and remove public access to code execution endpoints. The CVE-2025-3248 record confirms that versions before 1.3.0 are affected, so exposed older installations should be treated as high priority.

Security teams should also move AI provider keys and cloud credentials out of application servers. Secrets should be stored in a dedicated secrets manager, rotated regularly, and scoped to the minimum permissions needed.

  • Upgrade Langflow to a fixed version and restrict access to administrative endpoints.
  • Keep AI workflow tools off the public internet unless strong controls are in place.
  • Rotate AI provider, cloud, database, and object storage credentials found on exposed hosts.
  • Search for Base64-encoded Python execution in Langflow logs and process histories.
  • Audit MinIO and other object stores for default credentials and public access.
  • Review Nacos deployments for old versions, default signing keys, and internet exposure.
  • Block unnecessary outbound traffic from application servers.
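
The behavior-based detections called for in the indicators section (a Langflow process launching shells or Python, Base64 payload execution, database commands that create ransom tables or drop schemas) and the checklist item about searching process histories for Base64-encoded Python can be expressed as a small rule set. The following is an added example, not Sysdig's detection content. The event shapes are assumptions: process-exec events are dicts with parent, name and cmdline fields, and database activity is a list of statement strings such as a MySQL general log would hold; the Nacos table names users and roles come from the Nacos schema, and all sample events are constructed.

```python
"""Behavior-based detection for the JADEPUFFER chain, run over constructed events.

Added example, not Sysdig's detection content. Event shapes are assumptions:
process-exec events are dicts with parent, name and cmdline (what an EDR or
auditd pipeline would give you) and database activity is a list of statement
strings (MySQL general log or audit plugin). The rules encode the behaviors
the report describes: a Langflow process spawning a shell or interpreter,
Base64 decode-and-exec on a command line, decoded payloads that hunt for
secrets, and SQL that creates ransom-note tables, drops tables or schemas,
or inserts accounts into the Nacos users table.
"""
import base64
import binascii
import re
from typing import Dict, List

INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget"}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
B64_DECODE = re.compile(r"b64decode|base64\s+(?:-d|--decode)")
# Substrings whose presence in a decoded payload marks it as secret hunting or a loader.
PAYLOAD_MARKERS = ("api_key", ".aws", "credentials", "wallet", "exec(", "socket", "b64decode")
SQL_RULES = {
    "ransom_note_table": re.compile(
        r"\bCREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?\w*(?:README|RANSOM|RECOVER)\w*", re.I
    ),
    "drop_table": re.compile(r"\bDROP\s+TABLE\b", re.I),
    "drop_schema": re.compile(r"\bDROP\s+(?:DATABASE|SCHEMA)\b", re.I),
    "nacos_account_insert": re.compile(r"\bINSERT\s+INTO\s+`?(?:users|roles)`?\b", re.I),
}

# Constructed telemetry. The inner script mimics the first thing a credential
# hunter does; it is never executed here, only encoded into a command line.
INNER = "import os,glob\nfor p in glob.glob(os.path.expanduser('~/.aws/*')): print(open(p).read())\n"
BLOB = base64.b64encode(INNER.encode()).decode()
CONSTRUCTED_PROCESS_EVENTS = [
    {"parent": "langflow", "name": "python3",
     "cmdline": f"python3 -c \"import base64;exec(base64.b64decode('{BLOB}'))\""},
    {"parent": "langflow", "name": "sh", "cmdline": "sh -c 'id; hostname; ip addr; ps aux'"},
    {"parent": "systemd", "name": "python3", "cmdline": "python3 -m langflow run --host 0.0.0.0"},
]
CONSTRUCTED_SQL = [
    "SELECT data_id, content FROM config_info LIMIT 100",
    "CREATE TABLE README_RANSOM (id INT, note TEXT)",
    "DROP TABLE config_info",
    "DROP SCHEMA nacos",
    "INSERT INTO users (username, password, enabled) VALUES ('svc_admin', '$2a$10$x', 1)",
]


def decoded_blobs(cmdline: str) -> List[str]:
    """Decode every long Base64 run on a command line that yields readable text."""
    out = []
    for blob in B64_BLOB.findall(cmdline):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out


def check_process(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules one process-exec event fires, in rule order."""
    fired = []
    if "langflow" in ev["parent"].lower() and ev["name"] in INTERPRETERS:
        fired.append("langflow_spawned_interpreter")
    if B64_DECODE.search(ev["cmdline"]):
        fired.append("base64_decode_in_cmdline")
    if any(m in text for text in decoded_blobs(ev["cmdline"]) for m in PAYLOAD_MARKERS):
        fired.append("decoded_payload_hunts_secrets")
    return fired


def check_sql(statement: str) -> List[str]:
    """Return the SQL rules one statement fires."""
    return [name for name, rx in SQL_RULES.items() if rx.search(statement)]


def run(process_events, sql_statements) -> Dict[str, List[str]]:
    """Evaluate every event; keys are proc[i] / sql[i] for events that fired something."""
    alerts: Dict[str, List[str]] = {}
    for i, ev in enumerate(process_events):
        if fired := check_process(ev):
            alerts[f"proc[{i}]"] = fired
    for i, stmt in enumerate(sql_statements):
        if fired := check_sql(stmt):
            alerts[f"sql[{i}]"] = fired
    return alerts


if __name__ == "__main__":
    for key, rules in run(CONSTRUCTED_PROCESS_EVENTS, CONSTRUCTED_SQL).items():
        print(f"{key}: {', '.join(rules)}")
```

The legitimate Langflow service start (third process event) fires nothing, which is the point of keying on the parent process rather than on the interpreter name alone. Decoding Base64 runs found on command lines and inspecting the plaintext is what turns a generic "base64 was used" signal into a specific one, and the DROP and CREATE TABLE rules only have value if the database audit log is shipped off the host before an attacker can drop it along with the schema.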

Hardening Nacos and MinIO

For Nacos, administrators should upgrade old deployments, remove public exposure, replace default signing keys, and avoid connecting the service to databases with root privileges. The CVE-2021-29441 record shows why older authentication logic remains risky years after disclosure.

The Alibaba Cloud Nacos guidance also warns that default token.secret.key values can allow authentication bypass. This makes key rotation a basic hardening step, not an optional cleanup task.

For MinIO, administrators should replace the default root user and root password, disable root API access when practical, and create least-privilege service accounts. MinIO’s root credential documentation explicitly warns against using default credentials in production.
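
The MinIO and Nacos defaults discussed above (minioadmin:minioadmin, and the shipped token.secret.key) are checkable from configuration alone. The following is an added example, not code from Sysdig, MinIO or Nacos: it parses a constructed Nacos application.properties and a constructed MinIO environment file, reports the weak settings, and generates replacement values. The property and variable names follow the vendors' documentation; NACOS_DEFAULT_SECRET is the placeholder key shipped in older Nacos property files and is treated as an assumption to compare against, and MINIO_API_ROOT_ACCESS is the documented switch for the "disable root API access" step.

```python
"""Audit Nacos and MinIO settings for the weak defaults JADEPUFFER abused.

Added example, not Sysdig's or the vendors' code. It parses a constructed
Nacos application.properties and a constructed MinIO env file, flags the
defaults discussed in the article, and generates replacement values. Setting
names follow the vendors' documentation; NACOS_DEFAULT_SECRET is the
placeholder key shipped in older Nacos property files (assumption: treat any
match as compromised, and any other short or non-Base64 key as weak).
"""
import base64
import binascii
import secrets
from typing import Dict, List

NACOS_DEFAULT_SECRET = (
    "SecretKey012345678901234567890123456789012345678901234567890123456789"
)
NACOS_KEY_NAMES = (
    "nacos.core.auth.plugin.nacos.token.secret.key",  # Nacos 2.2 and later
    "nacos.core.auth.default.token.secret.key",       # older releases
)
MINIO_DEFAULTS = {"MINIO_ROOT_USER": "minioadmin", "MINIO_ROOT_PASSWORD": "minioadmin"}

CONSTRUCTED_NACOS_PROPS = """\
# constructed: the shape of a self-managed Nacos application.properties
nacos.core.auth.enabled=false
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
"""
CONSTRUCTED_MINIO_ENV = """\
# constructed: /etc/default/minio as many install guides ship it
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
MINIO_VOLUMES=/data
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse key=value lines (both formats); comments and blank lines are skipped."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def decoded_key_bytes(value: str) -> int:
    """Nacos reads the signing key as Base64; return decoded length, or -1 if invalid."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return -1


def audit_nacos(props: Dict[str, str]) -> List[str]:
    """Findings for a parsed Nacos application.properties."""
    findings = []
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("nacos.core.auth.enabled is not true: the API is open to anyone who can reach it")
    key = next((props[k] for k in NACOS_KEY_NAMES if k in props), None)
    if key is None:
        findings.append("no token.secret.key configured")
    elif key == NACOS_DEFAULT_SECRET:
        findings.append("token.secret.key is the shipped default: anyone can mint a valid access token")
    elif decoded_key_bytes(key) < 32:
        findings.append("token.secret.key is not valid Base64 or decodes to fewer than 32 bytes")
    if not props.get("nacos.core.auth.server.identity.key") or not props.get(
        "nacos.core.auth.server.identity.value"
    ):
        findings.append("server identity key/value unset: inter-node requests are not distinguishable from clients")
    return findings


def audit_minio(env: Dict[str, str]) -> List[str]:
    """Findings for a parsed MinIO environment file; missing variables mean MinIO's defaults."""
    findings = []
    for name, default in MINIO_DEFAULTS.items():
        if env.get(name, default) == default:
            findings.append(f"{name} is the default '{default}'")
    if env.get("MINIO_API_ROOT_ACCESS", "on").lower() != "off":
        findings.append("MINIO_API_ROOT_ACCESS is not off: the root credential still works for S3 API calls")
    return findings


def fresh_nacos_key() -> str:
    """Base64 of 32 random bytes: a 256-bit HMAC key, the minimum length Nacos requires."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def fresh_minio_root() -> Dict[str, str]:
    """A non-guessable root user, a long random password, and root API access switched off."""
    return {
        "MINIO_ROOT_USER": "root-" + secrets.token_hex(6),
        "MINIO_ROOT_PASSWORD": secrets.token_urlsafe(32),
        "MINIO_API_ROOT_ACCESS": "off",
    }


if __name__ == "__main__":
    for line in audit_nacos(parse_kv(CONSTRUCTED_NACOS_PROPS)) + audit_minio(parse_kv(CONSTRUCTED_MINIO_ENV)):
        print("FINDING:", line)
    print("new nacos key:", fresh_nacos_key())
    print("new minio root:", fresh_minio_root())
```

Rotating the Nacos key invalidates every token issued under the old one, which is the desired effect after an incident like this one. Day-to-day access to MinIO should then go through service accounts with bucket-scoped policies rather than the new root credential, which is why the generated MinIO settings also switch root API access off.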

What This Means for Defenders

JADEPUFFER shows that agentic tools can lower the skill needed to run a complete extortion workflow. The agent did not need a new zero-day or a highly polished malware loader to cause serious damage.

The Hacker News described the case as a warning that exposed servers, configuration stores, and database admin accounts will increasingly be probed by machines, not just human operators.

The defensive priority is clear: remove unnecessary exposure, patch old vulnerabilities, rotate secrets, restrict outbound traffic, and monitor runtime behavior. Agentic ransomware makes weak hygiene faster to exploit.

FAQ

What is JADEPUFFER ransomware?

JADEPUFFER is a ransomware operation documented by Sysdig that researchers assessed as agentic ransomware, meaning an AI agent appeared to automate intrusion, credential theft, lateral movement, and database destruction.

How did JADEPUFFER gain initial access?

JADEPUFFER gained initial access through CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow’s code validation endpoint.

What credentials did JADEPUFFER search for?

The agent searched for AI provider API keys, cloud credentials, database credentials, cryptocurrency wallets, seed phrases, configuration files, and stored Langflow secrets.

Why could the victim not recover the encrypted Nacos data?

Sysdig said the encryption key was randomly generated and not saved or transmitted. That means there was no recovery key available, even if the victim paid the ransom.

How can organizations defend against JADEPUFFER-style attacks?

Organizations should patch Langflow, remove AI workflow tools from direct public exposure, rotate exposed secrets, replace default MinIO and Nacos credentials or keys, restrict outbound traffic, and monitor for unusual Python execution and database destruction activity.
