JADEPUFFER: First End-to-End AI-Driven Ransomware Operation
ID: d85fcdf5-e2f3-5fd9-be2f-4e575dd05f4e
STIX ID: report--d85fcdf5-e2f3-5fd9-be2f-4e575dd05f4e
Feed Name: Security Affairs
**Executive summary:** Sysdig documents JADEPUFFER, an LLM-driven ransomware operation that gained code execution via a Langflow missing-auth vulnerability, harvested secrets and cloud credentials, pivoted to a production MySQL/Nacos service using known Nacos/auth bypasses and default keys, installed a backdoor admin account, encrypted 1,342 Nacos configuration items with MySQL AES_ENCRYPT(), dropped tables and databases, and left IoCs (C2 45.131.66.106, staging 64.20.53.230, BTC 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, README_RANSOM), illustrating that an AI agent can autonomously chain reconnaissance, credential theft, lateral movement, persistence, and destructive extortion without a human operator.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
