Researchers have recognized what’s believed to be the primary documented case of a ransomware operation carried out totally by a Massive-Scale Language Mannequin (LLM) agent.
In line with cloud safety agency Sysdig, JadePuffer used autonomous AI brokers to scout targets, steal credentials, transfer laterally, set up persistence, escalate privileges, and encrypt knowledge.
Researchers say the AI agent tailored to obstacles throughout entry, very like a human operator would.
“Operations additionally tailored in real-time, retrying failed steps inside refined parameters. In a single sequence, we went from failed login to profitable repair in 31 seconds,” Sysdig says.
From preliminary entry to encryption
JadePuffer gained preliminary entry to its targets by exploiting CVE-2025-3248, an unauthenticated distant code execution vulnerability in Langflow, a well-liked open supply framework used to construct LLM apps.
The seller fastened the flaw on April 1, 2025, and in early Might of the identical yr, CISA tagged it as being exploited in assaults concentrating on internet-exposed endpoints. Endpoints are sometimes deployed with minimal hardening, however embrace cloud credentials and an API key.
After gaining code execution by means of CVE-2025-3248, the AI agent dumped Langflow’s PostgreSQL database, collected host info, looked for setting variables and delicate recordsdata, retrieved credentials, and enumerated the MinIO object retailer.
Sysdig emphasizes an adaptive method to MinIO enumeration. Which means that if one API request returns XML as an alternative of JSON, the subsequent payload will alter its parsing logic accordingly.
JadePuffer additionally established persistence on the Langflow host by putting in a cron job on the server. This job was configured to ship a beacon to the attacker’s infrastructure each half-hour.
From the Langflow occasion, the attackers pivoted to a manufacturing MySQL server working Alibaba Nacos (Naming and Configuration Service) utilizing root credentials that the originating Sysdig couldn’t decide.
Nacos was focused by a number of payloads, together with one which exploits CVE-2021-29441, an authentication bypass vulnerability that creates fraudulent administrator accounts.
The agent investigated how the container escaped and deployed the ransomware payload. In line with researchers, JadePuffer encrypted 1,342 Nacos service configuration objects earlier than deleting the originals.
“The captured payload exhibits the agent encrypting all 1,342 Nacos service configuration objects utilizing MySQL’s AES_ENCRYPT(), eradicating the unique config_info and historical past tables, and creating an extortion desk (README_RANSOM) containing requests, Bitcoin cost addresses, and Proton Mail contacts,” Sysdig explains.

Supply: Sysdig
Though the ransom be aware claims that the information was encrypted utilizing the AES-256 algorithm, researchers consider that is an exaggeration and that the weaker AES-128-ECB was possible used.
Sysdig says the encryption keys are randomly generated however are by no means saved or despatched to attackers.
The Bitcoin tackle listed within the ransom be aware is an instance of an tackle extensively utilized in public paperwork and could also be the results of LLM reproducing it from coaching knowledge.
Different indicators that the AI was in charge of the assault embrace detailed pure language feedback within the generated code explaining operational reasoning and fast assault iterations that account for particular errors that happen, somewhat than easy retries.

Supply: Sysdig
Sysdig concludes that the JadePuffer incident exhibits that the age of “Agent Menace Actors” (ATAs) has arrived and the talents wanted to hold out dangerous cyberattacks are lowering.
On the similar time, given the way in which at the moment’s AI brokers function, LLM-generated payloads create new detection alternatives for safety options.
Safety groups doc 54% of profitable assaults and situation a warning on solely 14%. The remaining strikes invisibly by means of the setting.
Picus’ whitepaper exhibits the way to check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
