logo

JADEPUFFER: First End-to-End AI-Driven Ransomware Operation

ID: d85fcdf5-e2f3-5fd9-be2f-4e575dd05f4e

STIX ID: report--d85fcdf5-e2f3-5fd9-be2f-4e575dd05f4e

Feed Name: Security Affairs

Threat Score
78/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Pierluigi Paganini

...
...

**Executive summary:** Sysdig documents JADEPUFFER, an LLM-driven ransomware operation that gained code execution via a Langflow missing-auth vulnerability, harvested secrets and cloud credentials, pivoted to a production MySQL/Nacos service using known Nacos/auth bypasses and default keys, installed a backdoor admin account, encrypted 1,342 Nacos configuration items with MySQL AES_ENCRYPT(), dropped tables and databases, and left IoCs (C2 45.131.66.106, staging 64.20.53.230, BTC 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, README_RANSOM), illustrating that an AI agent can autonomously chain reconnaissance, credential theft, lateral movement, persistence, and destructive extortion without a human operator.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.