Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, carried out entirely by a large language model (LLM) agent.
According to cloud security company Sysdig, JadePuffer used an autonomous AI agent for reconnaissance on the target, to steal credentials, move laterally, establish persistence, escalate privileges, and encrypt data.
The researchers say that the AI agent adapted to failures during the intrusion, much like a human operator would handle obstacles.
“The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds,” Sysdig says.
From initial access to encryption
JadePuffer gained initial access to the target by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps.
The vendor fixed the flaw on April 1, 2025, and in early May of the same year, CISA tagged it as exploited in attacks targeting internet-exposed endpoints, often deployed with minimal hardening but containing cloud credentials and API keys.
After obtaining code execution through CVE-2025-3248, the AI agent dumped Langflow’s PostgreSQL database, collected host information, searched for environment variables and sensitive data, retrieved credentials, and enumerated a MinIO object store.
Sysdig highlights the adaptive approach to MinIO enumeration: when one API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly.
JadePuffer also established persistence on the Langflow host by installing a cron job on the server, which was configured to beacon to the attacker’s infrastructure every half hour.
From the Langflow instance, the attacker pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig could not determine.
Nacos was targeted with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that allows creating rogue administrator accounts.
The agent probed for container escape techniques and deployed the ransomware payload. According to the researchers, JadePuffer encrypted 1,342 Nacos service configuration objects before deleting the originals.
“The captured payloads show the agent encrypting all 1,342 Nacos service configuration objects using MySQL’s AES_ENCRYPT(), dropping the original config_info and history tables, and creating an extortion table (README_RANSOM) containing the demand, a Bitcoin payment address, and a Proton Mail contact,” describes Sysdig.

The ransom note claims that the data was encrypted using the AES-256 algorithm, although the researchers believe this to be an overstatement, and that the use of the weaker AES-128-ECB is more likely.
Sysdig mentions that the encryption key is randomly generated but not saved or transmitted to the attacker.
The Bitcoin address listed in the ransom note is an example address widely used in public documentation, probably the result of the LLM reproducing it from the training data.
Other signs that AI was controlling the attack include detailed natural-language comments in the generated code describing operational reasoning, and rapid attack iteration that takes into account the specific errors encountered, rather than simple retries.

Sysdig concludes that the case of JadePuffer demonstrates that the age of “agentic threat actors” (ATAs) has arrived, lowering the skill required for conducting damaging cyberattacks.
At the same time, given how AI agents operate today, LLM-generated payloads create new detection opportunities for security solutions.
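The statement sequence Sysdig describes (AES_ENCRYPT() applied to config_info, the originals dropped, then a README_RANSOM table created) can be correlated per database connection in query logs. The following is an added example, not code from Sysdig or the original article; the log layout, the sample lines and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "<timestamp> <conn_id> Query <sql>"
# layout (an assumption for this example, not captured from the incident).
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 41 Query SELECT data_id, content FROM config_info
2025-01-01T10:00:02Z 57 Query UPDATE config_info SET content = AES_ENCRYPT(content, @k)
2025-01-01T10:00:03Z 41 Query UPDATE config_info SET content = 'timeout=30' WHERE id = 7
2025-01-01T10:00:04Z 57 Query DROP TABLE config_info
2025-01-01T10:00:05Z 57 Query CREATE TABLE README_RANSOM (note TEXT)
2025-01-01T10:00:06Z 63 Query SELECT AES_ENCRYPT('ping', 'k')
"""

# Stage patterns built from the table and function names given in the article.
STAGES = [
    ("encrypt", re.compile(r"AES_ENCRYPT\s*\(", re.I)),
    ("drop", re.compile(r"\bDROP\s+TABLE\b", re.I)),
    ("note", re.compile(r"\bCREATE\s+TABLE\b.*\bREADME_RANSOM\b", re.I)),
]
TARGET = re.compile(r"config_info", re.I)  # also matches derived table names
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")

def classify(sql):
    """Return the stage a statement belongs to, or None if it is unrelated."""
    for name, pattern in STAGES:
        if pattern.search(sql) and (name == "note" or TARGET.search(sql)):
            return name
    return None

def detect(log_text):
    """Map connection id -> ordered stages, for connections where encryption
    of config_info is followed by a table drop or a ransom-note table."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stage = classify(m.group(3))
        if stage and stage not in seen[m.group(2)]:
            seen[m.group(2)].append(stage)
    return {conn: stages for conn, stages in seen.items()
            if stages[0] == "encrypt" and len(stages) > 1}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Routine reads and updates on config_info (connection 41) and an unrelated AES_ENCRYPT() call (connection 63) are not flagged; only the ordered combination on one connection is.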


