Researchers Claim First Fully Agentic Ransomware: JadePuffer

Written by

Cloud security firm Sysdig has released details on what it claims to be the world’s first ransomware campaign completely driven by a large language model (LLM).

Dubbed JadePuffer, the campaign targeted an internet-facing Langflow instance by exploiting CVE-2025-3248. It then ran “an adaptive and fully automated campaign” which resulted in “a destructive database-extortion playbook against the victim's production database server,” according to Sysdig's Threat Research Team.

Attack capabilities were delivered by an agent rather than a human-driven toolkit, the Sysdig research claimed, and the AI was capable of working autonomously retrying failed steps within refined parameters.

“In one sequence, it went from a failed login to a working fix in 31 second,” Sysdig said.

Read more on AI: Researchers Discover First Reported AI-Powered Ransomware.

The multi-stage attack began with several elements:

  • Langflow access via vulnerability exploitation
  • Reconnaissance and credential harvesting (LLM APIs, cloud credentials, database credentials etc)
  • Local data theft including Langflow's own backing Postgres database
  • Lateral discovery for services reachable from the Langflow host
  • MinIO object-store enumeration and credential harvest
  • Creation of cron job on the Langlow server for persistence
  • Access to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials
  • Targeting of Nacos with various payloads including exploitation of CVE-2021-29441

Mass data destruction appears to have been the aim. The JadePuffer attackers encrypted all 1342 Nacos service configuration items and deleted the originals.

“Critically, the AES key was generated as base64(uuid4().bytes + uuid4().bytes), which is essentially random, and printed to stdout but never persisted or transmitted. The victim cannot recover the encrypted configurations even with payment,” Sysdig explained.

“Captured payloads show the LLM escalating from row-level deletion to dropping entire database schemas, narrating its own targeting rationale. The IP address, 64.20.53[.]230, only appears here with no evidence that anything was backed up to it.”

Four Key Takeaways

Sysdig claimed its JadePuffer discovery highlights four things:

  • Ransomware can be carried out by LLM agents rather than skilled threat actors. Reconnaissance, credential theft, lateral movement, persistence, and destruction are achievable without any operator expertise
  • Old vulnerabilities are being automated: The targeted attack leaned on years-old issues, a 2021 Nacos auth-bypass and an unchanged default signing key, on neglected, internet-exposed infrastructure
  • There are new opportunities for detection: An LLM narrates its own objectives in its payloads, providing a new detection and triage opportunity that could help network defenders
  • The exfiltration claim is the agent's own assertion: The AES key was ephemeral and unrecoverable, so the victim's configurations are unrecoverable even with payment

The age of agentic threat actors (ATAs) will erode the time security teams have to respond, argued Heath Renfrow, co-founder and CISO at breach recovery firm Fenix24.

“If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time. That has implications across every phase of an incident, from detection and containment to recovery,” he said. 

“Organizations should resist focusing solely on whether an attacker is ‘AI-powered.’ The outcome is ultimately the same: compromised identities, stolen credentials, encrypted or destroyed data, and business disruption. Security teams should continue prioritizing the fundamental-rapid patching of internet-facing systems, strong identity protections, least privilege, network segmentation, continuous monitoring, and restricting unnecessary external exposure.”
 

What’s Hot on Infosecurity Magazine?