CVE Tools
Back to feed
Хакер (xakep.ru) ·RU-RU Restricted Exploited in the wildLangflowPostgreSQLMySQL

Вымогатель JadePuffer использовал ИИ-агента для автоматизации атаки

By Мария Нефёдова··2 min read
CVE Tools coverage

Researchers from Sysdig have identified a new ransomware strain called JadePuffer that leverages an AI agent to fully automate its attack lifecycle—from reconnaissance and credential theft to privilege escalation and data encryption. The initial access was achieved by exploiting CVE-2025-3248, a remote code execution flaw in the open-source Langflow framework. This vulnerability was patched in version 1.3.0 on April 1, 2025, but CISA reported real-world exploitation as early as May 2025.

Once inside the network, the AI-driven malware targeted cloud credentials, cryptocurrency wallets, and database passwords across platforms like AWS, Azure, Google Cloud, and Alibaba. It also adapted payloads dynamically based on server responses and created persistent backdoors using cron jobs. The threat actor then moved laterally to a production server running MySQL and Alibaba Nacos, where it exploited authentication bypasses and added backdoor admin accounts. Ultimately, all 1,342 Nacos configuration items were encrypted using MySQL's AES_ENCRYPT function, with no recovery possible even after paying the ransom.