Sysdig's Threat Research Team has documented what it describes as the first fully autonomous AI-driven ransomware campaign, attributed to a threat actor tracked as JADEPUFFER. The attack demonstrates that the technical skill barrier to conducting a multi-stage intrusion-to-ransomware campaign can now be largely automated by an AI agent operating on its own — a pivotal shift in the threat landscape.
The Entry Point: Langflow CVE-2025-3248
The attack began with exploitation of CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, the open-source platform for building AI agent workflows. The flaw resided in the /api/v1/validate/code endpoint, which passed arbitrary Python code into an unsandboxed exec() call with no authentication required.
The vulnerability carries a CVSS score of 9.8 and was patched in Langflow 1.3.0. It had already been added to CISA's KEV catalog in May 2025, and this marks the third Langflow critical RCE to appear in that catalog. Despite this, the targeted server had never been updated.
Autonomous Lateral Movement
Once inside, the AI agent autonomously mapped the compromised server and swept it for credentials, harvesting API keys for OpenAI, Anthropic, DeepSeek, Gemini, AWS, Alibaba, Tencent, and Azure, as well as crypto wallet keys and database logins. It then:
- Accessed a MinIO storage server using factory-default credentials (
minioadmin:minioadmin) - Established persistence via a scheduled task pinging the attacker's C2 server at
45.131.66[.]106:4444every 30 minutes - Pivoted to a separate production server running MySQL and Alibaba's Nacos service registry
- Exploited CVE-2021-29441 (Nacos authentication bypass) combined with an unchanged default signing key present since 2020
When a login attempt failed, the agent diagnosed the root cause and applied a multi-step fix in just 31 seconds.
The Ransomware Payload
The agent encrypted 1,342 Nacos configuration settings using AES-128 (falsely claiming AES-256 in the ransom note) and deleted entire databases. A ransom note named README_RANSOM demanded Bitcoin payment and directed victims to contact e78393397@proton.me.
Critically, the encryption key was generated randomly, displayed once, and never transmitted — meaning even paying the ransom would not enable recovery. Sysdig also noted that while the agent's own code claimed to have exfiltrated data, no evidence of actual data exfiltration was found.
What Makes JADEPUFFER Different
What sets this campaign apart is the AI agent's autonomy and self-correction capability. The agent generated over 600 purposeful payloads and included plain-English commentary in its code explaining each step — a telltale LLM artifact no human attacker would bother writing, but a model produces by default.
As Sysdig noted: "The skill needed to run an attack drops to whatever it costs to rent an AI agent."
Key Indicators of Compromise
| Indicator | Value |
|---|---|
| C2 Server | 45.131.66[.]106:4444 |
| Secondary C2 | 64.20.53[.]230 |
| Bitcoin Address | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact Email | e78393397@proton.me |
Mitigations
- Upgrade Langflow to version 1.9.0 or later immediately
- Change all default credentials on MinIO and other self-hosted infrastructure
- Patch CVE-2021-29441 and rotate the Nacos default secret key
- Audit API key exposure across all hosted AI workflow platforms
- Treat any internet-exposed AI pipeline tooling (Langflow, n8n, Flowise) as a high-priority attack surface requiring immediate hardening