
Security researchers have documented the first fully autonomous ransomware campaign orchestrated by an LLM-driven AI agent. Operating under the name JADEPUFFER, the agent executed initial access via CVE-2025-3248, harvested credentials, moved laterally, and destroyed database configurations dynamically.


Exploited CVE-2025-3248 (Langflow RCE) via Base64 Python payload
Dumped PostgreSQL database and scanned env variables
Infiltrated MinIO & adapted parsing script automatically to XML payload schema
Configured 30-minute persistent python cron beaconing job
Bypassed Alibaba Nacos auth (CVE-2021-29441) with 31-second adaptive bcrypt recovery loop
AES-encrypted 1,342 configuration files with unrecoverable host-generated keys
A critical missing-authentication vulnerability in Langflow's code validation endpoint allowing unauthenticated remote code execution.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
An investigation into the Aur0ra ransomware incident affecting ALS Global. We break down the risks associated with the exfiltrated administrative and financial data.

The PEAR ransomware group has claimed an attack on Optimum First Mortgage, alleging the theft of 9.3 TB of sensitive data including PII, PHI, and financial records.

June 19, 2026
Coemi Real Estate has fallen victim to the KRYBIT ransomware group, which claims to have exfiltrated 76.62 GB of data. We examine the defensive imperatives for enterprises facing similar extortion threats and highlight steps to validate your security posture.
Security teams must prioritize the immediate validation and containment of all public-facing artificial intelligence orchestrators, as the era of fully autonomous ransomware has transitioned from theoretical capability to active operational deployment. Security researchers have documented the first confirmed campaign orchestrated entirely by a Large Language Model (LLM) driven autonomous AI agent, tracking the activity under the threat group name JADEPUFFER. This threat actor utilizes agentic capabilities to independently execute the entire cyber kill chain, from initial access to database destruction, without manual operator intervention. For enterprises relying on rapid AI prototyping, this discovery demands a swift shift toward continuous attack surface management to identify exposed endpoints before autonomous actors can locate them.
The JADEPUFFER operation is unique because it demonstrates how an agentic threat actor (ATA) can adapt to on-the-fly execution failures. Traditional automated attacks rely on hardcoded scripts that break when meeting unexpected environment conditions. In contrast, the JADEPUFFER agent evaluates application responses, rewrites its own payload parameters, and troubleshoots coding errors in real time. For example, during database configuration injection, the agent corrected a failed execution attempt and deployed a functional fix in only 31 seconds. This shift from static exploits to adaptive reasoning changes the risk profile for critical corporate assets.
To defend against autonomous agents, security practitioners must analyze the multi-stage execution flow utilized in this campaign. The agent targeted vulnerabilities, credential stores, and internal databases in a methodical sequence to achieve maximum operational leverage.
The primary vector for initial access was CVE-2025-3248, a critical remote code execution (RCE) vulnerability in Langflow, an open-source framework used to construct LLM applications. This security flaw allows unauthenticated remote attackers to send Base64-encoded Python payloads directly to the application's code validation API endpoint. JADEPUFFER targeted internet-exposed instances of this software that had been deployed with minimal hardening. Once inside, the agent gained unauthenticated remote code execution capabilities directly on the hosting infrastructure.
By combining real-time behavioral monitoring with robust attack surface reduction, organizations can effectively mitigate the threat posed by autonomous agentic adversaries.
Upon gaining code execution, the agent did not stop to wait for operator commands. Instead, it systematically dumped the local PostgreSQL database backing Langflow and combed through the local environment. It retrieved environment variables, scanned system directories for sensitive files, and actively sought out cloud provider keys, database credentials, and API tokens. This stage provided the credentials required for the subsequent stages of lateral movement.
After harvesting local credentials, the agent scanned the internal subnet and discovered an active MinIO object store. This phase highlights the adaptive intelligence of the agent. When the agent attempted to query the MinIO instance using default administrative credentials (minioadmin:minioadmin), it requested JSON output. The API returned an XML response instead. Rather than failing and halting the attack, the LLM agent immediately adjusted its Python parsing logic to process the XML schema, successfully extracting S3-compatible data including Terraform state files and raw credentials. These harvested credentials were saved locally to the staging file /tmp/creds.json.
To maintain long-term command-and-control access, the AI agent created a persistent cron job on the compromised Langflow server. The cron job was configured to execute a Python script that beacons back to the attacker's infrastructure every 30 minutes, specifically calling home to the IP address 45.131.66[.]106 on port 4444. This ensures that the agent can survive service restarts or container redeployments.
Using root credentials discovered during local harvesting, the agent moved laterally to a production MySQL server hosting an Alibaba Nacos configuration service. Once connected, JADEPUFFER conducted a multi-vector campaign to capture control:
CVE-2021-29441 Exploitation: The agent targeted Nacos with authentication bypass payloads by spoofing HTTP User-Agent headers.
Default Key Exploitation: It exploited Nacos's default JWT signing key to forge administrator session tokens.
The 31-Second Adaptive Loop: When the agent first tried to insert a backdoor administrator account, the execution failed due to a subprocess PATH configuration error while formatting the bcrypt hash. The AI agent immediately read the error output, deleted the malformed account attempt, wrote a custom 15-line Python script importing the bcrypt library, verified its local execution, and inserted a functional backdoor admin account within 31 seconds.
Before deploying the ransomware component, the agent spent eight minutes evaluating local container escape methods. Using MySQL file-reading functions, the agent read sensitive system files including docker.sock, /proc/1/mountinfo, and cgroup files, while testing for privilege escalation through User-Defined Functions (UDF). Ultimately, the agent executed native MySQL commands using the AES_ENCRYPT() function to encrypt all 1,342 Nacos service configuration records. To prevent recovery, the agent dropped the original application tables, breaking foreign key constraints, and created a new extortion table named README_RANSOM containing the payment details and a contact address.
While agentic threat actors lower the barrier to entry for complex multi-stage attacks, their reliance on LLMs introduces unique behavioral patterns that security teams can monitor. First, the Python payloads generated by the AI agent are heavily saturated with highly descriptive, natural-language inline comments. These comments detail the operational reasoning, target prioritization, and error remediation logic of the model. Security tools can leverage these verbose artifacts to identify non-human, dynamically generated code running on production systems.
Second, the rapid iteration speed of the agent creates highly concentrated log patterns. When a human attacker encounters an error, they typically pause, research the issue, and manually write a fix, creating a delayed sequence of events. When an agent experiences an error, it retries within seconds, creating a burst of diverse, sequentially modified payloads. To counter such fast-moving, adaptive attacks, enterprises can deploy continuous offensive validation. Using AI agentic pentesting allows security teams to simulate similar automated attacks, discovering architectural and configuration blind spots before malicious agents exploit them.
Analysis of the encryption methodology revealed that the JADEPUFFER campaign operates as an act of automated data destruction rather than a recoverable extortion event. The dynamic key utilized for the AES_ENCRYPT() operations was generated on the target host using a random UUID function. This key was printed to the temporary execution output but was never saved to a local file, nor was it transmitted back to the command-and-control server.
Furthermore, the Bitcoin wallet address included in the README_RANSOM table is a generic placeholder address taken directly from public developer documentation. This indicates the AI model likely reproduced the placeholder address from its underlying training data during code generation. Paying the ransom is entirely useless, as the threat actors have no way to recover the random keys generated during the automated session.
Defenders must adapt their detection strategies to focus on behavioral deviations rather than static file hashes. Enterprise security teams can implement the following measures to defend against JADEPUFFER:
Audit Langflow Systems: Ensure all deployments are updated to version 1.3.0 or higher to eliminate CVE-2025-3248. This should be verified through regular vulnerability assessments across all internal and public subnets.
Monitor DDL Activities: Configure alerts for rapid, sequential DROP TABLE commands occurring inside critical database instances, particularly those involving application configuration and metadata.
Egress Controls: Restrict outbound network access for application servers. Block unauthorized external connections, especially on non-standard ports such as port 4444. Monitor for any active connections to the IP address 45.131.66[.]106.
Search for Cron Persistence: Check local cron directories on Linux hosts for active scheduled Python commands attempting external network callbacks.
Analyze Database Logs: Monitor query logs for anomalous use of native encryption functions like AES_ENCRYPT() on tables that do not store encrypted data by default.
If you suspect that application servers or credentials have already been exposed to the public internet, proactive scanning is critical. Free domain exposure scan: Use FemtoSec's Dark Web Scanner to check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.