Researchers Unveil JadePuffer, the First Fully Agentic Ransomware

▼ Summary
– Sysdig claims it discovered JadePuffer, the first ransomware campaign fully driven by a large language model (LLM), which exploited CVE-2025-3248 in an internet-facing Langflow instance.
– The LLM agent autonomously executed a multi-stage attack including reconnaissance, credential harvesting, persistence, and encryption of 1,342 Nacos configuration items.
– The AES encryption key was ephemeral and unrecoverable, making the destroyed data irretrievable even with a ransom payment.
– The attack relied on old vulnerabilities, such as a 2021 Nacos auth-bypass, and targeted neglected, internet-exposed infrastructure.
– The LLM’s payloads narrated its own objectives, offering a new detection opportunity for defenders, while the speed of such attacks reduces response time for security teams.
Cybersecurity researchers have uncovered what is being described as the first fully autonomous ransomware campaign driven entirely by a large language model (LLM). The operation, named JadePuffer, marks a significant shift in how cyberattacks can be executed, removing the need for human operators to guide each step.
Cloud security firm Sysdig’s Threat Research Team detailed the campaign, which targeted an internet-facing Langflow instance. The attackers exploited CVE-2025-3248 to gain initial access, then unleashed an adaptive, fully automated sequence that culminated in a destructive database extortion playbook against the victim’s production server. Instead of relying on a human-driven toolkit, the attack capabilities were delivered by an AI agent capable of working autonomously. Sysdig noted that the AI could retry failed steps using refined parameters, with one sequence moving from a failed login to a working fix in just 31 seconds.
The multi-stage attack was methodical. It began with vulnerability exploitation, followed by reconnaissance and credential harvesting targeting LLM APIs, cloud credentials, and database credentials. The attackers stole local data, including Langflow’s own backing Postgres database, and performed lateral discovery to find other reachable services. They enumerated a MinIO object store to harvest more credentials and established persistence by creating a cron job on the Langflow server. Ultimately, they accessed a production MySQL server running Alibaba Nacos using root credentials and exploited CVE-2021-29441 to target the service.
The primary goal appears to have been mass data destruction. The JadePuffer attackers encrypted all 1,342 Nacos service configuration items and deleted the originals. Critically, the AES encryption key was generated as a random string and printed to stdout without ever being persisted or transmitted. Sysdig explained that this makes the encrypted configurations unrecoverable, even if a ransom is paid. The captured payloads show the LLM escalating from row-level deletion to dropping entire database schemas, narrating its own targeting rationale. The IP address associated with the attack, 64.20.53[.]230, only appears in this context with no evidence of data backup.
Sysdig’s analysis highlights four key takeaways from the JadePuffer discovery. First, ransomware can now be executed by LLM agents rather than skilled threat actors. Reconnaissance, credential theft, lateral movement, persistence, and destruction are all achievable without operator expertise. Second, the attack automated old vulnerabilities, relying on a 2021 Nacos auth-bypass and an unchanged default signing key on neglected, internet-exposed infrastructure. Third, there are new opportunities for detection, as an LLM narrates its own objectives in its payloads, providing a novel triage opportunity for network defenders. Fourth, the exfiltration claim is the agent’s own assertion, but the ephemeral AES key means the victim’s data is truly unrecoverable.
Heath Renfrow, co-founder and CISO at breach recovery firm Fenix24, warned that the age of agentic threat actors (ATAs) will compress the time security teams have to respond. If an AI agent can compress what previously took an experienced operator several hours into minutes, defenders lose valuable time across every phase of an incident, from detection to recovery. He advised organizations to resist focusing solely on whether an attacker is AI-powered, as the outcome remains the same: compromised identities, stolen credentials, encrypted or destroyed data, and business disruption. Security teams should continue prioritizing fundamentals like rapid patching of internet-facing systems, strong identity protections, least privilege, network segmentation, continuous monitoring, and restricting unnecessary external exposure.
(Source: Infosecurity Magazine)