JADEPUFFER AI Unleashes Autonomous Ransomware Attack

Security firm Sysdig has documented what it describes as the first fully autonomous ransomware attack: an AI agent, tracked as JADEPUFFER, ran the intrusion from initial compromise to data destruction with no human in the loop. The target was an unnamed company's production database. The attack chain exploited known vulnerabilities, including CVE-2025-3248 in Langflow and CVE-2021-29441 in Alibaba Nacos, and illustrates how quickly AI-driven offensive capability is escalating.

JADEPUFFER broke into the environment, harvested credentials, moved laterally across the network, and encrypted 1,342 Nacos configuration entries before deleting the original database tables. The incident shows how an AI agent can chain known vulnerabilities and misconfigurations into a complete attack sequence at machine speed. It also lowers the barrier to entry for ransomware operations: the operator needs far less hands-on skill than earlier ransomware crews did.

The implications of autonomous attacks go beyond immediate data loss. They point to a future in which fast, adaptive threats exploit neglected internet-facing assets at scale, and in which defenders face adversaries that weaponize vulnerabilities automatically and adapt to environmental changes in real time. Detection therefore has to focus on behavioral anomalies and runtime monitoring rather than rely on signature-based defenses alone.

How Did the JADEPUFFER AI Agent Orchestrate the Ransomware Attack?

The JADEPUFFER AI agent began the database ransomware attack by exploiting CVE-2025-3248, a missing-authentication remote code execution (RCE) flaw in Langflow, to gain initial access. The vulnerability let the agent execute arbitrary Python code on exposed Langflow servers without authenticating, compromising the environment directly. Langflow, an open-source tool for building AI applications, is a frequent target because it is often exposed to the internet and handles sensitive API keys and cloud credentials. Our previous research provides more analysis on Langflow RCE flaws.

After gaining initial access, JADEPUFFER mapped the compromised machine and harvested secrets from it: API keys for AI services such as OpenAI, Anthropic, DeepSeek and Gemini, and cloud credentials for AWS, Google, Azure, Alibaba and Tencent. The agent also tried default credentials, logging in to a MinIO storage server with the unchanged factory-default login minioadmin:minioadmin. For persistence it created a scheduled task that beaconed to the attacker's server (hxxp://45.131.66[.]106:4444/beacon) every 30 minutes.
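The fixed 30-minute beacon is the kind of persistence a defender can find in egress logs without knowing the C2 address in advance. The following detector is an added example written for this article, not Sysdig's code: it groups outbound requests by source, destination and path and flags series whose inter-arrival times are nearly constant. The log line format is a constructed, generic forward-proxy layout (adapt LOG_RE to your proxy); the C2 host, port and /beacon path in the sample are taken from the article's indicators and are used only as sample data.

```python
"""Flag periodic outbound connections (beaconing) in proxy logs.

Added example for this article; it is not Sysdig's code. The log line format
is a constructed, generic forward-proxy format (adapt LOG_RE to your proxy);
the C2 host, port and /beacon path in the sample come from the article's
indicators and are used here only as sample data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"http://(?P<host>[^/:\s]+):(?P<port>\d+)(?P<path>\S*)$"
)

# Constructed sample: one host beaconing every ~30 minutes (with a few seconds
# of jitter), interleaved with ordinary, bursty browsing from the same host.
SAMPLE_LOG = """\
2026-06-01T10:00:00 10.0.0.5 GET http://45.131.66.106:4444/beacon
2026-06-01T10:03:11 10.0.0.5 GET http://example.com:80/
2026-06-01T10:04:05 10.0.0.5 GET http://example.com:80/
2026-06-01T10:30:02 10.0.0.5 GET http://45.131.66.106:4444/beacon
2026-06-01T10:40:00 10.0.0.5 GET http://example.com:80/
2026-06-01T11:00:00 10.0.0.5 GET http://45.131.66.106:4444/beacon
2026-06-01T11:29:59 10.0.0.5 GET http://45.131.66.106:4444/beacon
2026-06-01T11:55:30 10.0.0.5 GET http://example.com:80/
2026-06-01T12:00:01 10.0.0.5 GET http://45.131.66.106:4444/beacon
""".splitlines()


def parse(line):
    """Return a dict for one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def find_beacons(lines, min_hits=4, max_cv=0.05):
    """Group requests by (src, host, port, path) and return the series whose
    inter-arrival times are nearly constant.

    A beacon with light jitter has a coefficient of variation (stdev / mean of
    the gaps) close to 0; human browsing is bursty and scores far higher.
    Returns {(src, host, port, path): (mean_gap_seconds, cv)}.
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            series[(rec["src"], rec["host"], rec["port"], rec["path"])].append(rec["ts"])
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = (mean, cv)
    return hits


if __name__ == "__main__":
    for (src, host, port, path), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}:{port}{path} every {mean:.0f}s (cv={cv:.4f})")
```

The thresholds are deliberately loose: min_hits=4 means a 30-minute beacon is caught within two hours, and max_cv=0.05 tolerates a minute and a half of jitter on that interval. Real C2 frameworks often add larger random jitter, so in production you would widen max_cv and add a check on the regularity of request sizes as well.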

The agent then turned to its primary objective: an internet-facing server hosting a MySQL database and Alibaba Nacos, a configuration and service registry common in microservice architectures. It authenticated to MySQL as root; Sysdig's researchers could not determine where those credentials came from. It then exploited CVE-2021-29441, an authentication bypass in Nacos, and combined it with a default token signing key that had been left unchanged since 2020 to create its own administrative account in Nacos. With that access it encrypted 1,342 Nacos configuration entries, deleted the original database tables, and left a ransom note in a table named README_RANSOM demanding Bitcoin, with a Proton Mail address (e78393397[@]proton[.]me) as the contact. The randomly generated encryption key was never stored or transmitted, so the data cannot be recovered even if the ransom were paid.
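An unchanged Nacos signing key is checkable from the outside: if a token the server issued validates under a secret anyone can read from the project's shipped configuration, anyone can mint an administrator token for that server. The check below is an added example written for this article, not Sysdig's or Nacos's code. It assumes that Nacos issues HS256 JWTs (it does, through its auth plugin) and that the two literals in KNOWN_DEFAULT_SECRETS are the values shipped as nacos.core.auth.default.token.secret.key in different Nacos releases; confirm both against the release you run, since the article only states that the victim's key had not been changed since 2020. Because Nacos base64-decodes the configured property before use, each default is tried both as raw bytes and in decoded form.

```python
"""Test whether a Nacos access token validates under a shipped default secret.

Added example for this article; not Sysdig's or Nacos's code. Assumptions:
Nacos issues HS256 JWTs, and the literals in KNOWN_DEFAULT_SECRETS are the
values shipped in application.properties as
nacos.core.auth.default.token.secret.key in different releases. Confirm both
against the release you run.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

KNOWN_DEFAULT_SECRETS = [
    # shipped in 1.x / early 2.x application.properties (assumption: verify)
    "SecretKey012345678901234567890123456789012345678901234567890123456789",
    # shipped in later 2.x releases as a base64 value (assumption: verify)
    "VGhpc0lzTXlDdXN0b21TZWNyZXRLZXkwMTIzNDU2Nzg=",
]


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def candidate_keys(secret: str) -> list:
    """Byte forms a Nacos server may derive from a configured secret: the raw
    string, and its base64 decoding (Nacos decodes the property before use)."""
    keys = [secret.encode()]
    try:
        keys.append(base64.b64decode(secret + "=" * (-len(secret) % 4)))
    except binascii.Error:
        pass  # not valid base64; only the raw form applies
    return keys


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to build sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + b"." + body
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url(sig)).decode()


def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature matches `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        given = _b64url_decode(sig)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_b64url_decode(body))


def signed_with_default(token: str):
    """Return the default secret whose key validates `token`, or None.

    A hit means anyone holding the public default can forge a token with an
    administrative `sub` for this server; rotate the secret.
    """
    for secret in KNOWN_DEFAULT_SECRETS:
        for key in candidate_keys(secret):
            if verify_hs256(token, key) is not None:
                return secret
    return None


# Constructed sample tokens: one minted under the second default (as a server
# with unchanged settings would issue), one under a random per-deployment key.
ADMIN_CLAIMS = {"sub": "nacos", "exp": int(time.time()) + 3600}
DEFAULT_KEY_TOKEN = sign_hs256(ADMIN_CLAIMS, candidate_keys(KNOWN_DEFAULT_SECRETS[1])[1])
ROTATED_KEY_TOKEN = sign_hs256(ADMIN_CLAIMS, os.urandom(32))

if __name__ == "__main__":
    for name, tok in [("default", DEFAULT_KEY_TOKEN), ("rotated", ROTATED_KEY_TOKEN)]:
        print(name, "->", signed_with_default(tok) or "no default key matched")
```

To run this against a live deployment, obtain any token the server issues (a login response, or the accessToken a client holds) and pass it to signed_with_default; a non-None result is a finding regardless of which account the token belongs to, because the signing key, not the account, is what is compromised.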

Evidence for autonomous operation included plain-English comments inside the attack payloads that explained the purpose of each step, something rarely seen in human-driven attacks. The agent also self-corrected, diagnosing and resolving a multi-step login error in 31 seconds. Sysdig observed more than 600 payloads executed during the operation. The Bitcoin address in the ransom note is the sample address used in Bitcoin's developer documentation, which suggests the model recalled it from its training data; the address nonetheless corresponds to an active wallet. The attack shows that AI agents can automate sophisticated attack chains end to end. Our AI-powered ransomware analysis provides more details.

Indicators of Compromise associated with the JADEPUFFER operation include:

  • Entry Point: CVE-2025-3248 (Langflow unauthenticated remote code execution)
  • Command-and-Control: 45.131.66[.]106, with beacons to hxxp://45.131.66[.]106:4444/beacon
  • Claimed Staging Server: 64.20.53[.]230
  • Ransom Bitcoin Address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
  • Ransom Contact: e78393397[@]proton[.]me
  • Ransom Table Name: README_RANSOM

What is ARToken and How is it Enabling Sophisticated Phishing?

ARToken is a Phishing-as-a-Service (PhaaS) platform, identified by Cisco Talos, that shares infrastructure and operational patterns with the previously documented EvilTokens platform. It supports device code phishing and post-compromise operations, and primarily targets Microsoft 365 users, including finance, HR and logistics personnel. The platform has been observed in campaigns that abuse legitimate vendor relationships for invoice fraud.

Earlier in 2026, Sekoia and Microsoft detailed EvilTokens as a PhaaS platform that exploited the Microsoft OAuth 2.0 Device Authorization Grant (RFC 8628) to bypass multi-factor authentication (MFA) and capture victim tokens. Microsoft stated the campaign was successful and used AI-powered personalized lures and automated device registration for persistent access. EvilTokens involved approximately 500 Cloudflare Workers domains and over 1,000 phishing pages. Its second-stage capabilities included an AI-enhanced Business Email Compromise (BEC) process using Groq-hosted Llama models for financial exposure scoring and GPT-4o-mini for email translation.
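Because a device code grant is a legitimate OAuth flow, the sign-in it produces is successful and MFA-satisfied; what distinguishes a phished grant from an engineer's habitual CLI login is mostly where it came from. The detector below is an added example written for this article, not Sekoia's, Microsoft's or Talos's code. It flags every successful device-code sign-in and marks whether the user has any prior sign-in from that IP or country in a baseline window. The records are constructed to resemble Microsoft Entra sign-in log entries; the field names (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode) are assumptions to confirm against your own export, and the addresses are RFC 5737 documentation ranges.

```python
"""Flag OAuth device-code sign-ins from locations a user has not used before.

Added example for this article; not Sekoia's, Microsoft's or Talos's code.
The records are constructed to resemble Microsoft Entra sign-in log entries;
the field names are assumptions to confirm against your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNINS = [
    # alice: routine browser sign-ins from the office, then a device-code grant
    # from an address and country she has never used (the phishing pattern).
    {"createdDateTime": "2026-05-20T08:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-27T08:11:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-02T14:37:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    # bob: an engineer who routinely uses device-code flow from his usual IP.
    {"createdDateTime": "2026-05-30T09:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-03T09:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 0}},
    # carol: a failed device-code attempt; no session was issued, nothing to alert on.
    {"createdDateTime": "2026-06-03T10:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
]


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def detect_device_code_signins(records, baseline_days=30):
    """Return one alert per successful deviceCode sign-in.

    new_ip / new_country are True when the user had no successful sign-in from
    that address / country in the preceding baseline_days. A user with no
    history at all is treated as new on both counts.
    """
    ordered = sorted(records, key=lambda r: _ts(r["createdDateTime"]))
    history = defaultdict(list)  # upn -> [(time, ip, country)] of successful sign-ins
    alerts = []
    for rec in ordered:
        when = _ts(rec["createdDateTime"])
        upn = rec["userPrincipalName"].lower()
        ip = rec["ipAddress"]
        country = rec.get("location", {}).get("countryOrRegion")
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if succeeded and rec.get("authenticationProtocol") == "deviceCode":
            window = [h for h in history[upn] if when - h[0] <= timedelta(days=baseline_days)]
            alerts.append({
                "user": upn,
                "time": rec["createdDateTime"],
                "ip": ip,
                "country": country,
                "app": rec.get("appDisplayName"),
                "new_ip": all(h[1] != ip for h in window),
                "new_country": all(h[2] != country for h in window),
            })
        if succeeded:
            history[upn].append((when, ip, country))
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_signins(SIGNINS):
        flag = "NEW LOCATION" if a["new_ip"] or a["new_country"] else "known location"
        print(f'{a["time"]} {a["user"]} {a["ip"]} ({a["country"]}) via {a["app"]}: {flag}')
```

The baseline is built only from successful sign-ins, so an attacker's failed attempts cannot seed it, and it is built in time order, so a phished grant does not retroactively make its own address "known" for later ones in the same batch. Since the platforms described here register a device after capture, a follow-on rule would join these alerts with device registration events for the same user within the next few hours.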

Cisco Talos discovered the ARToken management panel at dashboard-bl.pamconj[.]com, which serves a React single-page application (SPA) exposing over 80 API endpoints. The associated command-and-control (C2) API operates at spx.pamconj[.]com, while phishing lures are deployed through Cloudflare Workers accounts using patterns like {uuid}-docviewer.workers[.]dev. The technical overlap between ARToken and EvilTokens is significant. This includes identical API contracts for device code requests, shared clientMode: "broker" semantics for Primary Refresh Token (PRT) acquisition, and matching deployment models for phishing lures. Both platforms operate as multi-tenant PhaaS environments with subscription-based access and Telegram bot notifications for token captures.

The phishing kit deployed by ARToken uses a seven-layer anti-analysis system that combines client-side behavioral verification with XOR-encrypted payloads, a step up from the X-Antibot-Token mechanism previously documented for EvilTokens.

Layer  Mechanism                        Purpose
1      User-Agent regex                 Blocks headless browsers, Selenium, Puppeteer, Playwright, crawlers, wget and curl
2      navigator.webdriver check        Detects automation frameworks
3      Browser feature fingerprinting   Identifies environments missing window.chrome, navigator.vendor, or touch/mouse APIs
4      Window dimension analysis        Catches headless defaults that report 0x0 outer dimensions
5      Interaction telemetry            Requires 3+ mouse moves or 1+ touch events before enabling the payload
6      Timing gate                      Requires at least 800 ms to have elapsed since page load
7      Movement pattern analysis        Validates mouse coordinate trajectories for organic (non-linear) motion
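For anyone detonating these lures in a sandbox, the practical question is which gates the sandbox fails. The code below is an added example written for this article, not the ARToken kit's own JavaScript: it re-implements the seven gates from the table as pure functions over a snapshot of the browser environment and the recorded pointer events, so you can feed in what your sandbox exposes and see which layers would still withhold the payload. The thresholds are the ones the table states; the shape of the env snapshot and the collinearity test used for layer 7 (maximum perpendicular deviation from the straight line between the first and last pointer position) are assumptions.

```python
"""Re-implementation of the seven anti-analysis gates from the table as pure
functions over an environment snapshot and recorded pointer events.

Added example for this article, not the ARToken kit's own code. Thresholds are
the ones the table states; the env layout and the layer-7 collinearity test
are assumptions.
"""
import math
import re

AUTOMATION_UA = re.compile(
    r"headless|selenium|puppeteer|playwright|crawler|spider|bot|wget|curl", re.I
)


def _max_deviation(points):
    """Largest perpendicular distance of any point from the straight line
    through the first and last point (0 for perfectly linear motion)."""
    (x0, y0), (x1, y1) = points[0], points[-1]
    dx, dy = x1 - x0, y1 - y0
    length = math.hypot(dx, dy)
    if length == 0:
        return 0.0
    return max(abs(dx * (py - y0) - dy * (px - x0)) / length for px, py in points)


def failing_layers(env, events, elapsed_ms, min_deviation_px=5.0):
    """Return the sorted list of layer numbers (1-7) that would block the payload.

    env keys: user_agent, webdriver, has_window_chrome, vendor, has_touch,
    has_mouse, outer_width, outer_height.
    events: list of ("mousemove", x, y) or ("touch", x, y) tuples.
    elapsed_ms: milliseconds since page load at the moment of evaluation.
    """
    failed = []
    if AUTOMATION_UA.search(env.get("user_agent", "")):
        failed.append(1)
    if env.get("webdriver"):
        failed.append(2)
    if not (env.get("has_window_chrome") and env.get("vendor")
            and (env.get("has_touch") or env.get("has_mouse"))):
        failed.append(3)
    if env.get("outer_width", 0) == 0 or env.get("outer_height", 0) == 0:
        failed.append(4)
    moves = [(x, y) for kind, x, y in events if kind == "mousemove"]
    touches = [e for e in events if e[0] == "touch"]
    if len(moves) < 3 and not touches:
        failed.append(5)
    if elapsed_ms < 800:
        failed.append(6)
    # Layer 7 only has a trajectory to judge once layer 5's mouse quota is met.
    if len(moves) >= 3 and _max_deviation(moves) < min_deviation_px:
        failed.append(7)
    return failed


# Constructed environments: stock headless Chromium, and a sandbox that has
# patched the static fingerprint but still drives the pointer synthetically.
HEADLESS_DEFAULTS = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0.0.0 Safari/537.36",
    "webdriver": True, "has_window_chrome": False, "vendor": "",
    "has_touch": False, "has_mouse": False, "outer_width": 0, "outer_height": 0,
}
PATCHED_SANDBOX = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
    "webdriver": False, "has_window_chrome": True, "vendor": "Google Inc.",
    "has_touch": False, "has_mouse": True, "outer_width": 1920, "outer_height": 1080,
}
STRAIGHT_LINE = [("mousemove", 0, 0), ("mousemove", 10, 10), ("mousemove", 20, 20)]
ORGANIC = [("mousemove", 0, 0), ("mousemove", 30, 12), ("mousemove", 60, 5), ("mousemove", 90, 40)]

if __name__ == "__main__":
    print("headless defaults:", failing_layers(HEADLESS_DEFAULTS, [], 100))
    print("sandbox, synthetic straight moves:", failing_layers(PATCHED_SANDBOX, STRAIGHT_LINE, 1200))
    print("sandbox, organic moves:", failing_layers(PATCHED_SANDBOX, ORGANIC, 1200))
```

The point the three cases make is that fixing the static fingerprint (layers 1 to 4) is not enough: a sandbox that then moves the pointer from A to B in a straight line still fails layer 7, so the pointer driver has to inject curved, irregular paths and wait out the 800 ms gate before the XOR-encrypted payload is ever decoded.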

Once a victim authenticates, the captured token appears in the ARToken dashboard, giving the operator full control over the session: refreshing tokens, escalating to a PRT for persistence across password resets, exporting and importing tokens, and sharing tokens with other operators. The built-in ARTSender tool provides full Outlook inbox read access, sending email as the victim, creating inbox rules for forwarding and auto-deletion, and keyword-based monitoring across compromised accounts. Operators can also manage permissions on, and exfiltrate documents from, SharePoint sites and OneDrive. A standalone ARTBrowser application, similar to EvilTokens' Portal Browser, lets operators browse victim Microsoft 365 sessions with captured tokens outside the web panel. ARToken's expanded feature set, including "Box Monitor" for cross-account keyword monitoring and geo-dynamic lure templates, makes it a complete BEC operations environment rather than a basic phishing kit.

What are the Exploitation Attempts Against Progress Kemp LoadMaster?

Active exploitation attempts have been identified for CVE-2026-8037, a critical operating system (OS) command injection flaw affecting Progress Kemp LoadMaster devices. eSentire's Threat Response Unit (TRU) reported observing these attempts, which began on June 29, 2026. The vulnerability, rated with a CVSS score of 9.6, allows an unauthenticated attacker to execute arbitrary commands on susceptible appliances.

Progress acknowledged the flaw in an advisory describing an OS command injection vulnerability in the LoadMaster API caused by unsanitized input, which lets an unauthenticated attacker who can reach the API inject and execute arbitrary commands. Technical analysis by watchTowr Labs traced the issue to the escape_quotes() function in the load balancer application: the function is meant to sanitize user-supplied input but failed to null-terminate the cleaned string, leading to an out-of-bounds read into adjacent heap memory.

Attackers can trigger the flaw by sending crafted requests to the /accessv2 endpoint. These requests manipulate heap memory to turn the out-of-bounds read into command injection, giving unauthenticated arbitrary code execution on the affected device. While eSentire noted that the observed attempts failed, with no post-compromise activity, the public availability of a proof-of-concept (PoC) exploit and detailed technical write-up is expected to drive further malicious activity against CVE-2026-8037.

Observed attack attempts originated from the following IP addresses:

  • 192.42.116[.]58
  • 192.42.116[.]105
  • 146.70.139[.]154

CVE-2026-8037 is one of several Progress Kemp LoadMaster vulnerabilities recently targeted. It follows CVE-2024-1212 (CVSS 10.0), another critical OS command injection flaw that has also seen active exploitation for arbitrary system command execution.

Why Was Microsoft SharePoint Server CVE-2026-45659 Added to the CISA KEV Catalog?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659, a high-severity remote code execution (RCE) flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation. This vulnerability, with a CVSS score of 8.8, results from the deserialization of untrusted data, allowing an authenticated attacker to execute code over a network.

Microsoft released patches for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 in May 2026 to address this issue. The flaw requires an authenticated attacker with a minimum of Site Member permissions to trigger RCE, without needing administrative or elevated privileges. CISA has issued a directive for Federal Civilian Executive Branch (FCEB) agencies to apply these fixes by July 4, 2026.

In a related discovery, Microsoft's incident response team found two distinct, unrelated threat actors operating simultaneously within the same network during a routine ransomware investigation. One of these attack clusters was attributed to Storm-2603, a threat actor known for deploying Warlock ransomware. Storm-2603 has a history of exploiting known vulnerabilities in on-premises SharePoint servers since mid-2025. Initial access in this particular incident was likely attempted through CVE-2025-11371 (CVSS 9.1), a critical flaw affecting Gladinet Triofox.

After gaining initial access, Storm-2603 used tools such as Velociraptor to blend malicious activity with legitimate administrative behavior and establish persistent access. The actor also opened multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. Privilege escalation was achieved by creating new local and domain administrator accounts, and a vulnerable driver, NSecKrnl.sys, was abused to tamper with endpoint security protections and reduce visibility. At the same time, a second, unrelated threat actor was found co-existing in the same environment, using DLL side-loading and custom backdoors, which complicated attribution. Both actors moved laterally beyond the initial network to compromise a second organization, where the same ransomware activity linked to Storm-2603 was confirmed.

Technical Takeaways

  • The emergence of JADEPUFFER marks an important development in cyber threats: an AI agent can now execute a complete ransomware attack chain, from initial access to data destruction, largely without human intervention.
  • Persistent exploitation of both newly disclosed and older, unpatched vulnerabilities remains a primary method for initial access. This emphasizes the lasting importance of timely patching and configuration hygiene for internet-facing systems like Langflow, Progress Kemp LoadMaster, and Microsoft SharePoint Server.
  • Phishing-as-a-Service (PhaaS) platforms like ARToken and EvilTokens are maturing. They integrate advanced anti-analysis techniques, post-compromise tooling for data exfiltration and persistence, and automated BEC capabilities. This significantly lowers the technical skill required for large-scale phishing operations.
  • The discovery of multiple, unrelated threat actors operating concurrently within the same compromised network shows the increasing complexity of incident response. Organizations must analyze overlapping activity streams to understand the full scope of an intrusion.
  • Secure configuration management is crucial to prevent lateral movement and privilege escalation in complex, multi-stage attacks. This includes managing default credentials in products like MinIO and Alibaba Nacos, strict access controls, and proper management of API keys and cloud credentials.