
Cybersecurity researchers at Sysdig have documented what they assess to be the first ransomware operation driven end-to-end by a large language model, a milestone that lowers the skill floor for running a complete extortion campaign.
Dubbed JadePuffer and classified as an agentic threat actor (ATA), the operation gained initial access through an internet-facing Langflow instance vulnerable to CVE-2025-3248, a missing-authentication flaw in the open-source AI orchestration framework that allows unauthenticated remote code execution. From there, an LLM-driven agent autonomously chained the full intrusion lifecycle: reconnaissance, credential harvesting, lateral movement, persistence, data destruction, and ransom note delivery.
No human at the keyboard. Sysdig’s evidence for AI-driven autonomy centers on four observations. The payloads contained natural-language comments narrating each step, including lines like “High-ROI databases to drop”, artifacts a model generates by default but no human operator would write into a one-liner. When a backdoor admin account insertion failed, the agent diagnosed the error and issued a corrective payload within 31 seconds, far faster than human reaction time. It parsed free-text hints planted in the environment and acted on semantic understanding rather than pattern matching. And it used a Bitcoin address that is a canonical documentation example, either hallucinated by the model or configured by an operator using public reference material.
The attack chain. The agent first enumerated the compromised Langflow host, sweeping environment variables for LLM provider API keys, cloud credentials, and cryptocurrency wallets. It dumped the server’s backing Postgres database, then scanned the internal network for databases, object stores, and configuration services. It found a MinIO instance using default credentials and extracted credentials from stored configuration files.
From there, the agent pivoted to a separate production MySQL and Nacos configuration server, the real target. It exploited Nacos’s default signing key to forge JWT tokens and injected a backdoor admin account. When the first backdoor attempt failed, the corrective script arrived 31 seconds later. It then encrypted all 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function and deleted database tables, leaving ransom notes.
Unrecoverable. Sysdig noted the encryption key was generated randomly, printed once, and never stored or transmitted, meaning there is no key the attacker could hand over even if a ransom were paid.
The researchers concluded that while none of the individual techniques were novel, the agentic chaining of a complete attack represents a structural shift. “The skill floor for running ransomware has dropped to whatever it costs to run an agent,” Sysdig’s Michael Clark wrote.

