JADEPUFFER Agentic Ransomware: 5 Critical Threats for Your Monday Intel Drop

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
JADEPUFFER, the first fully autonomous AI ransomware operation documented by Sysdig Threat Research, encrypted 1,342 production Nacos service configuration records on July 4, 2026, without a human operator issuing a single command. An LLM agent exploited CVE-2025-3248 in an internet-exposed Langflow instance, harvested credentials from PostgreSQL, moved laterally to a production MySQL server, established 30-minute C2 beaconing via cron job, exploited CVE-2021-29441 to create a rogue Nacos administrator account, and destroyed the target database while narrating its own reasoning in natural language throughout.
JADEPUFFER represents a structural shift in the ransomware threat landscape. The attack required no novel zero-day, no deep operator expertise, and when the agent hit a failed login attempt it diagnosed and corrected the problem in 31 seconds. Sysdig classifies JADEPUFFER as an agentic threat actor (ATA), a new category in which the attack capability is delivered entirely by an AI agent rather than a human-driven toolkit. When that agent runs on stolen credentials through LLMjacking, the cost to an attacker approaches zero.
Four additional critical threats broke this week. A threat actor operating from LSHIY LLC IPv6 infrastructure (AS32167) fired 81 million Azure CLI login attempts at Microsoft 365 tenants between June 12 and June 26, 2026, compromising 78 accounts across 64 organizations by exploiting insecure Conditional Access policies that left the ROPC OAuth flow unprotected. The federal deadline for patching SharePoint CVE-2026-45659 (CVSS 8.8) passed on July 4 with confirmed active exploitation still continuing. Ransomware gangs escalated their use of BlueHammer CVE-2026-33825, a Windows Defender privilege escalation flaw patched in April. And the DHS confirmed on July 1 that an unknown actor breached the Homeland Security Information Network between late May and early June 2026.
Every threat in this Monday Intel Drop has confirmed active exploitation. None are theoretical.
How JADEPUFFER Agentic Ransomware Operated End-to-End
JADEPUFFER is the first documented case of agentic ransomware, a category Sysdig Threat Research defines as an extortion operation conducted entirely by a large language model agent with no human operator in the decision loop.
The attack chain began with CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, the open-source AI workflow builder. Langflow exposes a code validation endpoint that required no authentication before a patch shipped on April 1, 2025. CISA flagged active exploitation by early May 2025. Despite that public warning, internet-facing Langflow instances remained in production deployments. JADEPUFFER used this entry point to inject base64-encoded Python payloads directly through the RCE endpoint, executing them as self-narrating scripts that described each step in natural language as they ran.
From the Langflow instance, the AI agent dumped PostgreSQL credentials from environment variables and staged them at /tmp/creds.json. It then pivoted to a production Alibaba Nacos service registry running on a MySQL backend. Nacos is widely deployed in microservices environments to manage service discovery and configuration data for entire application fleets. The agent exploited CVE-2021-29441, a Nacos authentication bypass that creates rogue administrator accounts, to gain control of the admin panel. It established persistence via a crontab entry beaconing back to 45.131.66[.]106 on port 4444 every 30 minutes, staging exfiltration through 64.20.53[.]230 (AS19318, InterServer).
The agent then encrypted all 1,342 Nacos service configuration items using MySQL's native AES_ENCRYPT() function with AES-128-ECB mode, deleted the originals, replaced them with encrypted blobs, and created a README_RANSOM table directing victims to e78393397[@]proton[.]me. The ransom note claimed AES-256 encryption; the actual algorithm was AES-128-ECB. The encryption key was generated ephemerally via base64(uuid4().bytes + uuid4().bytes), printed once to stdout, and never transmitted, making recovery without payment impossible.
The critical capability this demonstrates is autonomous adaptation. When the initial Nacos admin account insertion failed, the agent diagnosed the precise cause and produced a corrected SQL payload in 31 seconds without any human issuing new instructions. This is what separates JADEPUFFER agentic ransomware from AI-assisted attacks where a human still reviews failures and decides next steps.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
LSHIY Azure CLI Campaign: 81 Million Attempts Hit Microsoft 365
A sustained password spray campaign targeting Microsoft 365 environments through the Azure CLI generated 81 million login attempts in two weeks between June 12 and June 26, 2026. Huntress researchers confirmed 78 compromised Microsoft 365 accounts across 64 organizations, with a clear escalation event on June 22 when a single day produced 30 newly compromised identities across 23 businesses.
The threat actor using LSHIY LLC infrastructure (Autonomous System 32167) sourced username and password combinations from prior data breaches. Once valid credentials were found, the attacker authenticated via the ROPC (Resource Owner Password Credentials) OAuth grant type, a legacy flow that accepts direct username and password submissions without triggering the browser-based MFA challenge most organizations rely on. Organizations with Conditional Access policies scoped only to specific applications, specific user groups, or specific geographic locations left the ROPC endpoint completely uncovered.
The 81 million attempt volume reflects industrial-scale automation rather than manual targeting. Huntress data shows credential spray volume across their customer base increased more than 155 times over the prior six months, with organizations averaging approximately 1,964 failed attempts per tenant per month. This campaign is an acceleration of a structural trend.
The LSHIY spray exploits the same architectural gap that ConsentFix targeted with OAuth token theft: organizations configure MFA for their most visible applications while leaving legacy protocol endpoints as unguarded back doors. Defenders should pull Azure CLI authentication logs, filter for ROPC grant type authentications from AS32167 IPv6 addresses, and review all successful logins where Conditional Access policy evaluation passed without MFA enforcement between June 12 and June 26.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
SharePoint CVE-2026-45659: Federal Deadline Passed, Active Exploitation Continues
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server arising from deserialization of untrusted data, rated CVSS 8.8. An authenticated attacker with Site Member permissions can trigger the flaw over the network without administrative privileges. CISA added it to the Known Exploited Vulnerabilities catalog and required Federal Civilian Executive Branch agencies to apply patches by July 4, 2026. That deadline has passed. Active exploitation continues.
Three SharePoint product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Organizations running any of these on-premises deployments should treat unpatched instances as actively at risk. Post-exploitation behavior documented by researchers includes persistence via Velociraptor, Cloudflare tunneling agents, and Zoho Assist remote access tools installed after initial compromise.
Full patch commands and verification steps are in our prior CVE-2026-45659 coverage. Apply May 2026 security updates on all SharePoint servers now, run the SharePoint Products Configuration Wizard after patching, restart IIS on all front-end web servers, rotate all SharePoint service account credentials, and revoke excessive Site Member permissions. Any SharePoint server that was internet-accessible between vulnerability disclosure and your confirmed patch date warrants a full log review for unauthorized remote-access tool installation.
“CVE-2026-45659 requires only Site Member-level access to achieve remote code execution — a privilege level held by ordinary users in most SharePoint deployments.”
CISA Known Exploited Vulnerabilities Advisory, July 2026
Threats 4 and 5: DHS HSIN Breach and BlueHammer Ransomware Escalation
Two additional threats from this past week demand Monday morning attention.
The Department of Homeland Security confirmed on July 1, 2026, that an unknown threat actor breached the Homeland Security Information Network (HSIN) and an associated SharePoint collaboration system between late May and early June 2026. HSIN is the sensitive unclassified information-sharing platform used by federal, state, local, and private-sector partners to coordinate security operations. With the FIFA World Cup underway across United States venues, the breach raised immediate concerns about exposed event security planning documents, venue coordination procedures, and interagency intelligence. DHS stated classified systems were not affected but has not confirmed whether documents were stolen. If your organization holds an active HSIN account, audit authentication logs for the breach window and rotate all credentials immediately. Full remediation steps are in our HSIN breach analysis.
CVE-2026-33825, the Windows Defender privilege escalation flaw researcher Nightmare Eclipse leaked in April 2026 alongside working proof-of-concept code, has been confirmed by CISA as actively used by ransomware gangs as of this week. The vulnerability exploits insufficient access control in Microsoft Defender to reach the Security Account Manager database, extract local password hashes, and escalate to SYSTEM-level control. Microsoft patched the flaw on April 14, 2026. CISA added it to the KEV catalog April 22 with a federal deadline of May 7. Organizations that have not applied the April 2026 cumulative update face active ransomware risk from any attacker with local access to a Windows endpoint. Full BlueHammer IOCs and detection rules are here.
Why JADEPUFFER Agentic Ransomware Changes Your Risk Calculations
JADEPUFFER agentic ransomware is significant not because of its individual components but because of what it removes from the attack chain: the skilled human operator. Every step of this extortion operation was executed by an AI agent reasoning about its targets, adapting to failures, and making tactical decisions without a human in the loop. The agent required no exploit development skill, no lateral movement expertise, and no database administration knowledge. It used three public CVEs and a standard MySQL encryption function.
The skill floor for ransomware has dropped to whatever it costs to run an LLM agent. When that agent operates on stolen credentials through LLMjacking, the marginal cost to the attacker approaches zero. Sysdig's analysis indicates JADEPUFFER likely used a commercial LLM API funded by credentials stolen in an earlier operation, meaning the entire ransomware attack may have run at near-zero direct cost.
For security teams, two calculations change. First, ransomware attempt volume will increase as the human bottleneck is removed. Second, the attacker profile expands: operators without ransomware technical expertise can now deploy agentic attack frameworks targeting whatever internet-facing developer tooling they can reach. Langflow, Nacos, and similar platforms often get deployed rapidly in cloud and DevOps environments without the security scrutiny applied to traditional production infrastructure.
The four additional threats in this Monday Intel Drop follow the same structural pattern: attackers exploiting configuration gaps and unpatched known vulnerabilities at industrial scale. The LSHIY campaign targeted Conditional Access policy gaps that most organizations have never audited. CVE-2026-45659 exploited the gap between patch release and organizational deployment cycles. BlueHammer exploited a three-month window between a researcher's public PoC release and full endpoint patch deployment. Your attack surface this Monday is defined precisely by the distance between what you have patched and what attackers already know is still open.
“Ransomware is no longer a craft for the highly skilled. An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step.”
Sysdig Threat Research Team, JADEPUFFER Analysis, July 2026
Your Monday Morning Action Checklist
Five threats, five action tracks. Work through these before EOD today — all five have active exploitation confirmed.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
JADEPUFFER agentic ransomware confirmed on July 4, 2026 that a fully autonomous AI agent can execute an end-to-end extortion operation without human direction. Three key takeaways for this Monday: patch CVE-2025-3248 in any Langflow deployment immediately and block JADEPUFFER's two confirmed IPs (45.131.66[.]106 and 64.20.53[.]230); expand Microsoft 365 Conditional Access to cover ROPC authentication and all legacy protocol flows before the LSHIY spray campaign reaches your tenants; apply the May 2026 SharePoint update and April 2026 Windows cumulative update today, as both CVE-2026-45659 and BlueHammer have ransomware exploitation confirmed. All five threats in this brief are live now.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is JADEPUFFER ransomware?
JADEPUFFER is an agentic ransomware operation documented by Sysdig Threat Research in July 2026 in which a large language model agent conducted a complete extortion attack from initial access through database encryption without human operator control. The agent exploited CVE-2025-3248 in a Langflow instance, moved laterally to a production Nacos and MySQL server, encrypted 1,342 service configuration records, and left a ransom note directing victims to a Proton Mail address for payment instructions.
What does agentic ransomware mean?
Agentic ransomware is extortion malware operated by an AI agent rather than a human-controlled toolkit. The agent reasons about its environment, makes tactical decisions, and adapts to failures throughout the full attack chain without requiring a human operator to issue instructions. This differs from AI-assisted ransomware, where a human still reviews agent output and directs next steps. JADEPUFFER is the first publicly documented case of a fully agentic ransomware operation.
What CVEs did JADEPUFFER exploit?
JADEPUFFER exploited two CVEs. CVE-2025-3248 is an unauthenticated remote code execution vulnerability in Langflow, the open-source AI workflow builder, patched April 1, 2025. CVE-2021-29441 is an authentication bypass in Alibaba Nacos that allows creation of rogue administrator accounts. Both had public patches available before the July 2026 attack. Patching both vulnerabilities is the primary preventive control against this attack chain.
How did JADEPUFFER adapt to failures without human input?
JADEPUFFER's LLM agent was given an objective and operated autonomously using Python payloads delivered through the Langflow RCE endpoint. When a step failed, the agent analyzed the error output, generated a corrected payload, and retried within seconds. Sysdig observed one sequence where the agent diagnosed a failed Nacos admin account insertion and produced a corrected SQL payload in 31 seconds. No human operator reviewed the failure or issued new instructions at any point in the attack.
What is the LSHIY password spray campaign targeting Microsoft 365?
The LSHIY campaign is a sustained Azure CLI credential spray operation conducted from IPv6 infrastructure owned by LSHIY LLC (AS32167). Between June 12 and June 26, 2026, the campaign fired 81 million login attempts and compromised 78 Microsoft 365 accounts across 64 organizations. The attacker used the ROPC OAuth grant type to authenticate directly with breached username-password pairs, bypassing MFA enforcement where Conditional Access policies did not cover legacy authentication flows.
How do I check if my Microsoft 365 accounts were compromised in the Azure CLI spray?
Pull Azure sign-in logs from Microsoft Entra ID and filter for ROPC grant type authentications originating from AS32167 IPv6 addresses between June 12 and June 26, 2026. Flag any successful authentication where MFA was not enforced by Conditional Access policy. Look for token reuse across unexpected geographic locations and unusual application access patterns following otherwise normal-looking authentication events. Huntress recommends reviewing all Conditional Access policy pass events for the period.
Is SharePoint CVE-2026-45659 still being actively exploited?
Yes. CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog with a federal patch deadline of July 4, 2026, which has passed. Active exploitation continues as of July 6. The vulnerability allows an attacker with Site Member permissions to execute code remotely on SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Apply the May 2026 security update immediately on all on-premises SharePoint deployments.
What data was exposed in the DHS HSIN breach?
DHS confirmed the breach occurred but has not confirmed whether documents were stolen. HSIN contains sensitive unclassified security coordination materials including event security planning documents, interagency operational procedures, and information on persons of interest shared between federal, state, local, and private-sector partners. The breach window covers late May to early June 2026. With World Cup security operations active during that period, the exposure may include venue security plans and law enforcement coordination records. A formal damage assessment is ongoing.
Sources & references
- Sysdig Threat Research: JADEPUFFER — Agentic Ransomware for Automated Database Extortion
- BleepingComputer: JadePuffer ransomware used AI agent to automate entire attack
- BleepingComputer: Hackers target Microsoft 365 accounts with 81 million login attempts
- The Hacker News: SharePoint RCE CVE-2026-45659 added to CISA KEV
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer: DHS confirms hackers breached HSIN info-sharing platform
- BleepingComputer: CISA Windows BlueHammer flaw now exploited by ransomware gangs
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
