Security researchers at Sysdig have documented what they believe is the first documented case of an AI agent running a ransomware operation from end to end.
Dubbed JADEPUFFER, the operation used a large language model (LLM) to automate an attack that began with the exploitation of an internet-facing Langflow instance and ended in destructive database extortion.
Sysdig’s research describes an AI-driven campaign that adapted to failures, harvested credentials, searched for sensitive data, moved toward its intended target, and attacked a production database server.
The attackers initially exploited CVE-2025-3248, a missing-authentication vulnerability in Langflow’s code validation endpoint that allows unauthenticated remote code execution. Once inside, JADEPUFFER enumerated the compromised host and searched for LLM provider API keys, cloud credentials, cryptocurrency wallets, seed phrases, database credentials, and configuration files.
The operation then dumped Langflow’s PostgreSQL database, scanned internal systems, and targeted a separate production database server. According to Sysdig, the agent connected to an exposed MySQL port using root credentials before carrying out its database-extortion playbook.
Researchers said the LLM’s behaviour provided some of the clearest evidence of automation. Its payloads included natural-language reasoning and target prioritisation, while the agent also adjusted its approach when steps failed. In one case, it moved from a failed login attempt to a working fix in 31 seconds.
Sysdig stressed that the individual attack techniques were neither new nor especially sophisticated. The significance lies in the AI agent’s ability to combine them into a complete operation with little apparent need for human intervention.
The findings suggest that agentic AI could lower the technical barrier to running ransomware campaigns and allow attackers to operate at greater speed and scale. Sysdig expects these campaigns to grow as agentic tools mature, particularly against exposed application servers, poorly secured configuration stores, and internet-facing database administration accounts.
What changes is the economics of who gets attacked
Jim Sherlock, VP of AI and Cybersecurity R&D at ProCircular, says: “The headline is that an AI ran a ransomware attack, but the techniques here were all several years old and well understood. What actually changes is the economics of who gets attacked.”
He adds that when an AI agent can find an exposed asset, chain three old vulnerabilities, and weaponize it for pennies, the forgotten internet-facing systems that were never worth a human operator’s time suddenly are.
“For enterprises and SMBs, that shrinks the grace period between ‘we have an exposure’ and ‘someone is exploiting it’ to almost nothing, which makes continuous visibility of your own attack surface the difference between a non-event and a breach.”
Frankly, it’s only the beginning
Josh Marpet, Senior Product Security Consultant at Finite State, says: “This is so totally expected. And frankly, it’s only the beginning. Wait till we see ransomware collecting bitcoin after the original attackers have already been arrested. What happens to ransomware when no one controls it? Will we have AI agents hunting it down?”
Marpet says the arms race is just beginning here. “It will get worse, and eventually, better. But it will take time to do so.”
Automating the full cyber kill chain
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs, says: “JadePuffer automated the full cyber kill chain, from initial exploitation through lateral movement to ransomware deployment, without a human operator at any stage. Previous AI-assisted attacks handled individual phases. JadePuffer chained all of them using standard Python libraries, publicly known CVEs (a 2025 Langflow RCE for entry, a 2021 Nacos auth bypass for lateral movement), and default credentials that ship unchanged in production deployments.
“The agent adapted to failures across the operation in real time. It diagnosed a failed admin login in 31 seconds, identifying a broken bcrypt subprocess path, rewriting the hash generation inline, and rebuilding the account without any human input. Other failures got the same treatment: a foreign key constraint silently blocking DROP DATABASE was answered with disabled checks on the next payload, and an unexpected XML response from MinIO triggered an immediate parser switch,” he explains.
“Reconnaissance is already done before the agent fires its first payload,” Krell continues. “Search engines like Shodan continuously scan and index every device and service with an open port on the public internet. Any attacker can query for exposed Langflow instances, Nacos servers, or databases with management ports facing the internet and get a target list in seconds. Pair that with an autonomous agent running on stolen API credentials, and every entry gets hit for close to nothing.”
He says RaaS commoditized the deployment side of ransomware years ago, but still required an operator who understood the target environment. “Agentic automation removes that last requirement. Expect full attack-chain kits on dark markets within a year, packaged for buyers with zero technical ability. The skill floor for ransomware just dropped to the cost of prompting a model.”
A foundational shift in adversarial capabilities
Noelle Murata, Chief Operating Officer at Xcape, comments: “The emergence of the JadePuffer agent marks a foundational shift in adversarial capabilities, moving cyber threats from scripted automation to autonomous, machine-speed execution. By leveraging a large language model to independently navigate the entire cyber kill chain, diagnose its own execution errors, and rewrite payloads in seconds, this operation renders conventional, human-dependent incident response models completely obsolete.”
She says while the agent relied entirely on unpatched legacy vulnerabilities and public tools to gain initial access, its ability to execute an end-to-end campaign without human intervention severely compresses the detection and containment window for defenders.
“The strategic takeaway for executive leadership is that basic security hygiene remains an effective barrier, but true systemic resilience now requires a shift from manual triage to real-time, behavior-based defense. CISOs must leverage this milestone to secure board-level mandates for automated, continuous-monitoring systems capable of isolating lateral movement instantly, shifting corporate defense from reactive patching to proactive architectural containment,” Murata ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


