JADEPUFFER agentic Langflow ransomware campaign
Campaign
Summary
Hide ▲
Show ▼
The JADEPUFFER operation abused CVE-2025-3248 on an internet-facing Langflow instance and then escalated into a destructive database-extortion campaign against a production database server. The workflow was adaptive and fully automated, letting the operator retry and pivot toward the intended target. That combination of exploit-driven access and automated extortion increases the speed and resilience of the operation. It collapses access, targeting, and pressure tactics into a single attack chain.
Related Happenings
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
Campaign
H score37
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
CampaignAbout this happening: The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Timeline
-
03.07.2026 21:55 2 articles · 6d ago
JADEPUFFER uses CVE-2025-3248 to extort a victim's production database server
Initial DisclosureJADEPUFFER gained initial access to an internet-facing Langflow instance through CVE-2025-3248, then ran an adaptive and fully automated campaign that pivoted to the intended target and executed a destructive database-extortion playbook against the victim's production database server.
Show sources
- New Avalon Malware Framework Packs CrownX Ransomware Capabilities — thehackernews.com — 03.07.2026 21:55
- Researchers Claim First Fully Agentic Ransomware: JadePuffer — www.infosecurity-magazine.com — 06.07.2026 11:30