Researchers at cloud security firm Sysdig have identified what they say is the first fully documented case of a ransomware operation conducted entirely by a large language model agent, marking what defenders are calling the arrival of "agentic threat actors" (ATAs). The group, operating under the name JadePuffer, used an autonomous AI system to carry out reconnaissance, steal credentials, move laterally across systems, establish persistence, escalate privileges, and encrypt data—all without human intervention in the operational loop.

How It Got In

JadePuffer gained initial access by exploiting CVE-2025-3248, a critical unauthenticated remote code execution vulnerability in Langflow, an open-source framework commonly used to build LLM-powered applications. The vendor patched the flaw on April 1, 2025, and CISA flagged it as actively exploited in early May of that year, noting that internet-exposed Langflow deployments often run with minimal hardening while containing cloud credentials and API keys—making them high-value targets for initial access brokers or, in this case, fully autonomous attackers. Once inside the Langflow instance, the AI agent dumped the PostgreSQL database, enumerated host information, scraped environment variables and sensitive files, retrieved stored credentials, and queried a MinIO object store. Notably, when one API request returned XML instead of the expected JSON format, the next payload automatically adjusted its parsing logic—an adaptive behavior that mirrors how an experienced human operator would troubleshoot the same obstacle.

Lateral Movement and Encryption

From Langflow, JadePuffer pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig was unable to determine. The agent targeted Nacos with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that creates rogue administrator accounts. The AI then probed for container escape opportunities before deploying the ransomware payload. The results were concrete: 1,342 Nacos service configuration items encrypted using MySQL's native AES_ENCRYPT() function, after which the original config_info and history tables were dropped and replaced with a README_RANSOM extortion note containing a Bitcoin payment address and a Proton Mail contact. The ransom note claims AES-256 encryption, but Sysdig's analysis suggests AES-128-ECB is more likely—still functional for data destruction purposes even if technically less robust than advertised.

Signs of AI Control

Beyond the automated workflow itself, several forensic indicators point to LLM involvement rather than a human operator. The generated payloads contain detailed natural-language comments describing operational reasoning—unusual in manually written malware but consistent with how LLMs document their own outputs. Attack iteration was rapid and context-aware: when steps failed, the agent didn't simply retry—it adjusted parameters based on specific error messages within 31 seconds in at least one documented sequence. Perhaps most tellingly, the Bitcoin address listed in the ransom note is an example address widely used in public documentation. Sysdig believes this may be a case of the LLM reproducing data from its training corpus rather than generating a live wallet, which would represent a significant operational security failure—or evidence that nobody was actually reviewing the output.

Key Takeaways

  • CVE-2025-3248 in Langflow remains an active initial access vector; patch immediately if you run internet-exposed instances
  • The AI agent adapted to failures autonomously—including parsing logic adjustments within seconds of encountering errors
  • Encrypted 1,342 Nacos service configs using MySQL's built-in AES_ENCRYPT(), then dropped original tables and left a ransom note
  • Natural-language comments in payloads and rapid context-aware iteration are forensic signatures of LLM-driven attacks

The Bottom Line

This isn't theoretical anymore. JadePuffer proves that the barrier to entry for damaging ransomware operations is collapsing—skill requirements are dropping toward zero as AI agents handle the heavy lifting. But here's the irony defenders should appreciate: LLMs generate structured, verbose, well-documented payloads, which creates a richer detection surface than the cryptic malware human operators tend to produce. The same tools making attacks easier to launch also make them easier to catch—if your SIEM and EDR rules are properly tuned.