Security researchers say the JadePuffer ransomware operation marks the first documented case of an autonomous AI agent carrying out an entire ransomware attack without direct human involvement. According to cloud security firm Sysdig, the AI-powered operation handled every major stage of the intrusion, from initial access to data encryption.
AI Agent Carried Out the Entire Attack
Sysdig says the attackers relied on a large language model (LLM) agent to automate the ransomware campaign.
The AI agent performed reconnaissance, stole credentials, moved laterally through the network, established persistence, escalated privileges, and deployed the ransomware payload.
Researchers also observed the agent adapting to unexpected obstacles instead of simply repeating failed commands.
In one example, the AI corrected a failed login attempt and successfully retried the attack within just 31 seconds.
JadePuffer Exploited Langflow Vulnerability
The attack began by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, an open-source framework for building LLM applications.
Langflow released a patch for the flaw on April 1, 2025.
A month later, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were actively exploiting the vulnerability against internet-facing systems.
Once inside the server, the AI agent dumped Langflow’s PostgreSQL database and collected information about the compromised host.
It also searched for environment variables, sensitive files, stored credentials, and MinIO object storage.
AI Adapted Its Techniques During the Intrusion
Sysdig found several examples showing the AI agent changing its behavior when attacks failed.
During one stage, the agent attempted to enumerate a MinIO object store. When the server returned XML instead of the expected JSON response, the AI modified its parsing logic and continued the attack without human intervention.
The researchers say this type of real-time adjustment closely resembles the behavior of an experienced human operator.
Attackers Established Persistence and Moved Laterally
The AI agent created a cron job on the compromised Langflow server to maintain long-term access.
The scheduled task contacted the attacker’s infrastructure every 30 minutes.
From there, the attackers pivoted to a production MySQL server running Alibaba Nacos, a naming and configuration service.
Sysdig could not determine how the attackers obtained the root credentials used to access the server.
The AI agent also attempted several attacks against Nacos, including one targeting CVE-2021-29441, an authentication bypass vulnerability that allows attackers to create rogue administrator accounts.
JadePuffer Encrypted More Than 1,300 Configuration Items
After compromising the production server, the AI agent deployed the ransomware payload.
According to Sysdig, JadePuffer encrypted 1,342 Nacos configuration items using MySQL’s built-in AES_ENCRYPT() function.
The malware then deleted the original configuration and history tables before creating a new README_RANSOM table containing the ransom demand, a Bitcoin payment address, and a Proton Mail contact.
Although the ransom note claimed to use AES-256 encryption, researchers believe the malware more likely relied on the weaker AES-128-ECB algorithm.
Sysdig also noted that the encryption key appeared to be randomly generated but was never stored or transmitted to the attackers.
Researchers Find More Evidence of AI Automation
Several other indicators suggest an AI agent controlled the operation.
The generated code contained detailed natural-language comments explaining why specific actions were taken. The attack also progressed rapidly, with the AI adjusting its methods based on system responses instead of blindly repeating failed commands.
Researchers also noticed that the ransom note included a well-known example Bitcoin address commonly found in public documentation. They believe the LLM likely reproduced it from its training data rather than generating a real payment address.
AI-Powered Ransomware Marks a New Milestone
Sysdig says the JadePuffer case demonstrates that fully autonomous “agentic threat actors” have become a reality.
The researchers warn that AI agents could significantly reduce the technical skills needed to launch sophisticated ransomware attacks.
At the same time, they believe AI-generated malware may leave recognizable patterns that security products can use to detect future attacks more effectively.


0 responses to “JadePuffer Ransomware Used AI Agent to Automate Entire Cyberattack, Researchers Say”