Researchers Claim First Fully Agentic Ransomware: JadePuffer
Researchers Claim First Fully Agentic Ransomware: JadePuffer
https://www.infosecurity-magazine.com/news/researchers-first-agentic/
Publish Date: 2026-07-06 04:30:00
Source Domain: www.infosecurity-magazine.com
Cloud security firm Sysdig has released details on what it claims to be the world’s first ransomware campaign completely driven by a large language model (LLM).
Dubbed JadePuffer, the campaign targeted an internet-facing Langflow instance by exploiting CVE-2025-3248. It then ran “an adaptive and fully automated campaign” which resulted in “a destructive database-extortion playbook against the victim’s production database server,” according to Sysdig’s Threat Research Team.
Attack capabilities were delivered by an agent rather than a human-driven toolkit, the Sysdig research claimed, and the AI was capable of working autonomously retrying failed steps within refined parameters.
“In one sequence, it went from a failed login to a working fix in 31 second,” Sysdig said.
Read more on AI: Researchers Discover First Reported AI-Powered Ransomware.
The multi-stage attack began with several elements:
- Langflow access via vulnerability exploitation
- Reconnaissance and credential harvesting (LLM APIs, cloud credentials, database credentials etc)
- Local data theft including Langflow’s own backing Postgres database
- Lateral discovery for services reachable from the Langflow host
- MinIO object-store enumeration and credential harvest
- Creation of cron job on the Langlow server for persistence
- Access to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials
- Targeting of Nacos with various payloads including exploitation of CVE-2021-29441
Mass data destruction appears to have been the aim. The JadePuffer attackers encrypted all 1342 Nacos service configuration items and deleted the originals.
“Critically, the AES key was generated as base64(uuid4().bytes + uuid4().bytes), which is essentially random, and printed to stdout but never persisted or transmitted. The victim cannot recover the encrypted configurations even with payment,” Sysdig explained.
“Captured payloads show the LLM…