Back to Intelligence

JadePuffer: Defending Against the First Fully Agentic AI Encryption Campaign

SA
Security Arsenal Team
July 6, 2026
6 min read

The cybersecurity landscape has shifted from automated scripts to autonomous decision-making. Researchers have identified JadePuffer, the first confirmed "fully agentic" encryption-based cyber incident. This campaign marks a critical evolution in threat actor tactics: rather than running static malware binaries, the attackers utilize autonomous AI agents capable of reconnaissance, lateral movement, and data encryption without constant human supervision.

For defenders, this represents a step-change in urgency. Traditional signature-based defenses are insufficient against an adversary that can dynamically alter its attack path based on real-time environmental feedback. We are no longer just defending against code; we are defending against code that thinks.

Technical Analysis

The Agentic Model

Unlike traditional ransomware that follows a hardcoded path (e.g., Encrypt C:\ -> Drop Note -> Exit), JadePuffer leverages Agentic AI workflows. These agents are typically built using frameworks like LangChain, AutoGen, or custom Python/Node.js scripts wrapped around Large Language Model (LLM) APIs.

  • The "Thinking-Doing" Loop: The agent queries an LLM (or a local model) to decide the next step (e.g., "Should I encrypt this file?", "How do I bypass this defender?").
  • Tool Use: The agent utilizes OS tools (PowerShell, Bash, SMB tools) to execute decisions.
  • Encryption: The objective remains data destruction via encryption, but the targeting is adaptive and selective based on the agent's "judgment."

Affected Platforms and Exploitation

  • Delivery: Likely via phishing or initial access brokers, dropping a script-based agent (Python/Node) rather than a PE executable.
  • Command & Control (C2): Instead of standard beaconing to a hardcoded IP, the agent communicates with legitimate AI API endpoints (e.g., OpenAI, Azure OpenAI, Anthropic) or less-monitored cloud storage to retrieve instructions or upload telemetry, blending in with normal traffic.
  • Exploitation Status: Confirmed active exploitation in the wild. This is not a proof-of-concept; it is an active campaign utilizing advanced automation to achieve encryption-based extortion.

Detection & Response

Detecting agentic attacks requires identifying the orchestration layer—the script that acts as the "brain"—and its interaction with the OS. We look for script interpreters making web requests to AI providers and subsequently spawning shells or encryption tools.

SIGMA Rules

YAML
---
title: Potential Agentic AI Script Activity
id: 89b4c123-e5f6-4a2b-9c8d-1e2f3a4b5c6d
status: experimental
description: Detects script interpreters (Python/Node) making connections to known AI API endpoints followed by shell execution, indicative of an agentic loop.
references:
  - https://www.infosecurity-magazine.com/news/researchers-first-agentic/
author: Security Arsenal
date: 2026/04/16
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\python.exe'
      - '\node.exe'
      - '\python3.exe'
  selection_dst:
    DestinationHostname|contains:
      - 'api.openai.com'
      - 'openai.azure.com'
      - 'api.anthropic.com'
      - 'generativelanguage.googleapis.com'
  condition: selection_img and selection_dst
falsepositives:
  - Legitimate development or internal tools using AI APIs
level: medium
---
title: Script Interpreter Spawning Encryption Shell
id: a1b2c3d4-e5f6-4789-a012-345678901234
status: experimental
description: Detects a script interpreter spawning a PowerShell or CMD process with arguments indicative of file encryption or mass deletion, common in JadePuffer style attacks.
references:
  - https://www.infosecurity-magazine.com/news/researchers-first-agentic/
author: Security Arsenal
date: 2026/04/16
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\python.exe'
      - '\node.exe'
      - '\pwsh.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  selection_cmd:
    CommandLine|contains:
      - '-encrypt'
      - 'System.Security.Cryptography'
      - 'Compress-Archive'
      - '/c delete'
  condition: selection_parent and selection_child and selection_cmd
falsepositives:
  - Legitimate administrative scripts run by developers
level: high

KQL (Microsoft Sentinel)

This query hunts for the "Thinking" phase (API calls) correlating with the "Acting" phase (Process execution).

KQL — Microsoft Sentinel / Defender
let AI_Providers = dynamic(['api.openai.com', 'openai.azure.com', 'api.anthropic.com', 'generativelanguage.googleapis.com']);
let ScriptProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ('python.exe', 'node.exe', 'python3.exe')
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp), ProcessCount = count() by DeviceId, ProcessId, AccountName, InitiatingProcessFileName;
let NetworkActivity = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (AI_Providers)
| summarize API_Call_Count = count() by DeviceId, InitiatingProcessId;
let SuspiciousAgents = ScriptProcesses
| join kind=inner (NetworkActivity) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project DeviceId, AccountName, InitiatingProcessFileName, ProcessId, StartTime;
SuspiciousAgents
| join kind=inner (DeviceProcessEvents) on $left.ProcessId == $right.InitiatingProcessId
| where Timestamp between(StartTime .. StartTime + 5m)
| project Timestamp, DeviceId, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, RemoteUrl
| order by Timestamp desc

Velociraptor VQL

Hunt for script interpreters that have established network connections (potential C2/LLM comms) and are currently active.

VQL — Velociraptor
-- Hunt for active script interpreters with network connections
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE Name =~ 'python.exe' OR Name =~ 'node.exe'
AND Pid IN (
    SELECT Pid
    FROM netstat()
    WHERE RemoteAddress NOT IN ('127.0.0.1', '::1', '0.0.0.0')
    AND State =~ 'ESTABLISHED'
)

Remediation Script (PowerShell)

Use this script to audit and block unauthorized AI API connectivity on endpoints, effectively breaking the "brain" of the agentic malware.

PowerShell
# JadePuffer Response: Audit and Block AI API Endpoints
# Requires Administrator privileges

Write-Host "[+] Auditing connectivity to common AI API endpoints..."

$BlockedDomains = @(
    "api.openai.com",
    "openai.azure.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com"
)

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$RedirectIP = "127.0.0.1"

foreach ($Domain in $BlockedDomains) {
    $CheckHosts = Select-String -Path $HostsPath -Pattern $Domain -Quiet
    
    if (-not $CheckHosts) {
        Write-Host "[!] Domain $Domain is NOT currently blocked in hosts file." -ForegroundColor Yellow
        # Uncomment the line below to automatically block (Use with caution in production)
        # Add-Content -Path $HostsPath -Value "$RedirectIP $Domain # Blocked by Security Arsenal JadePuffer Response"
    } else {
        Write-Host "[+] Domain $Domain is already blocked." -ForegroundColor Green
    }
}

# Check for running Python/Node processes making network connections
Write-Host "[+] Checking for suspicious script interpreter processes..."
$SuspiciousProcs = Get-WmiObject Win32_Process | Where-Object { 
    ($_.Name -eq 'python.exe' -or $_.Name -eq 'node.exe') -and 
    $_.CommandLine -like '*https*' 
}

if ($SuspiciousProcs) {
    Write-Host "[!] WARNING: Found script interpreters with potential network arguments:" -ForegroundColor Red
    $SuspiciousProcs | Format-List Name, ProcessId, CommandLine
} else {
    Write-Host "[+] No immediate suspicious script processes detected." -ForegroundColor Green
}

Remediation

  1. Egress Filtering: Immediately implement firewall rules to block outbound internet access to known AI API providers (OpenAI, Anthropic, Google Generative AI) from endpoints and servers that do not have a validated business requirement for such access. Agentic malware relies on these APIs for decision-making; blocking them neutrons the agent.

  2. Policy Enforcement: Update Acceptable Use Policies (AUP) to explicitly prohibit the connection of unsanctioned AI agents or the use of consumer-grade AI keys on corporate infrastructure.

  3. Runtime Controls: Deploy Application Control (AppControl/WDAC) policies to block the execution of script interpreters (Python, Node.js) from user-writable directories (e.g., Downloads, AppData). Legitimate development should occur in restricted environments.

  4. Immutable Backups: Verify that offline or immutable backups are current. Since JadePuffer is encryption-based, reliable recovery is your ultimate fallback.

  5. Incident Response Plan: Update your IR playbooks to include "Agentic AI" scenarios. This includes isolating hosts not just based on malware signatures, but based on anomalous process trees involving script interpreters and web requests.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirjadepufferagentic-aithreat-huntingautonomous-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.