Behind JadePuffer: The First Agentic AI Ransomware

Researchers have documented the first case of a large language model (LLM) executing an entire ransomware operation autonomously from start to finish.
The Sysdig Threat Research Team has identified what it describes as "a complete extortion operation driven end-to-end by a large language model".
The threat actor, which Sysdig has named JadePuffer, demonstrates how AI systems can now perform complex multi-step technical tasks without human intervention.
The autonomous agent gained access to a victim's database server and executed tasks from reconnaissance to server takeover.
When steps failed, the system corrected itself at machine speed.
Self-narrating autonomous behaviour
According to Sysdig, JadePuffer demonstrated reasoning capabilities through natural language processing. The system prioritised its targets and adapted its operation in real time, retrying failed steps using modified parameters.
The researchers documented one instance where the autonomous system moved from a failed login to a working fix in 31 seconds.
The payload included self-narration features that explained its reasoning process, a window into how LLMs can now assess technical situations and adjust their strategies dynamically.
Initial access through AI infrastructure
The entry point was CVE-2025-3248, a missing authentication flaw in Langflow.
Langflow is an open source LLM building framework and this particular flaw allows attackers to execute Python code on the host.
According to Sysdig, Langflow deployments are often internet facing and represent attractive targets for bad actors as servers typically hold API keys and cloud credentials and often lack network controls.
Once the agent gained execution access, it swept the environment, searching for LLM API keys from providers including OpenAI, Anthropic, DeepSeek and Gemini, along with cloud credentials, cryptocurrency wallets, database credentials and configuration files.
The skill floor for running ransomware has dropped to whatever it costs to run an agent and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.
The system collected cloud credentials and API keys before expanding its access.
It extracted data from Langflow's PostgreSQL database, recovering stored credentials, API keys and user information before removing temporary files it had created.
Adaptive credential extraction methods
The agent explored the internal network searching for databases, storage systems and secret management services.
Eventually, it located a MinIO object storage server where it identified and retrieved more credentials from configuration files.
When its first attempt did not work, the system adapted its approach automatically.
To maintain persistence, the agent installed a scheduled task (cron job) on the compromised Langflow server. The task contacted attacker-controlled infrastructure every 30 minutes.
The autonomous system then pivoted to an internet-facing production server running MySQL and Alibaba Nacos.
Using root MySQL credentials, the agent simultaneously exploited multiple known Nacos authentication weaknesses. The origin of this root credential is unknown.
Real-time error correction capabilities
The system inserted a backdoor administrator account into the platform's database. When its first login attempt failed, it analysed the error and modified its approach.
According to Sysdig, the agent successfully regained access without human intervention in 31 seconds. This sequence confirms the LLM's ability to perform technical debugging autonomously.
With administrative access established, the system moved to the final stage by encrypting the victim's Nacos configuration data. It replaced the data with a ransom note containing payment instructions.
Michael Clark, Senior Director of Threat Research at Sysdig, authored the analysis of JadePuffer.
"An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence and destroyed a database, narrating its own intent the entire way," he says.
Implications for autonomous AI systems
None of the individual techniques were novel or sophisticated, according to Michael. What could be notable is that an AI model connected them into a complete operation against internet-facing infrastructure.
"The skill floor for running ransomware has dropped to whatever it costs to run an agent and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero," he notes.
This could mean the barrier to entry for autonomous AI operations has decreased substantially.
Michael suggests that the volume and breadth of such campaigns could rise as autonomous tooling matures.
The ability of the system to self-narrate throughout the process could provide insight into how autonomous agents make decisions. This transparency feature might be the clue that can help defenders understand the reasoning patterns and ultimately stop attacks by sophisticated AI systems.


