JadePuffer ransomware used AI agent to automate entire attack
Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent.
According to cloud security company Sysdig, JadePuffer used an autonomous AI agent for reconnaissance on the target, to steal credentials, move laterally, establish persistence, escalate privileges, and to encrypt data.
The researchers say that the AI agent adapted to failures during the intrusion, much like a human operator would handle obstacles.
“The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds,” Sysdig says.
From initial access to encryption
JadePuffer gained initial access to the target by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps.
The vendor fixed the flaw on April 1, 2025, and in early May of the same year CISA tagged it as exploited in attacks against internet-exposed Langflow instances, which are often deployed with minimal hardening yet hold cloud credentials and API keys.
After obtaining code execution through CVE-2025-3248, the AI agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store.
Sysdig highlights the adaptive approach to MinIO enumeration, where if one API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly.
JadePuffer also established persistence on the Langflow host by installing a cron job on the server, which was configured to beacon to the attacker’s infrastructure every 30 minutes.
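The cron beacon is the kind of persistence a host-based check can surface cheaply. The following is an added example (not code from Sysdig or from the report) that scans crontab text for short-interval schedules whose command reaches out to a host not on an allowlist; the crontab lines, the TEST-NET addresses and the `monitor.internal` allowlisted host are constructed for the example.

```python
import re
from dataclasses import dataclass

# Commands that typically carry an outbound beacon: download tools, raw sockets,
# or inline Python HTTP clients.
NETWORK_TOOLS = re.compile(r"\b(curl|wget|socat)\b|/dev/tcp/|urllib|requests\.")
# Host part of an http(s) URL or of a /dev/tcp/<host>/<port> redirection.
URL_OR_HOST = re.compile(r"(?:https?://|/dev/tcp/)([A-Za-z0-9.\-]+)")
EVERY_N_MIN = re.compile(r"^\*/(\d+)$")


@dataclass
class Finding:
    line: str
    interval_minutes: int
    host: str


def parse_cron_line(line):
    """Return (five schedule fields, command) or None for comments/blank lines.
    @-style shortcuts (@reboot, @hourly) are skipped for simplicity."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("@"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return tuple(parts[:5]), parts[5]


def beacon_interval(fields):
    """Minutes between runs if the schedule is a plain fixed period, else None."""
    minute, hour, dom, month, dow = fields
    if (hour, dom, month, dow) != ("*", "*", "*", "*"):
        return None
    if minute == "*":
        return 1
    m = EVERY_N_MIN.match(minute)
    return int(m.group(1)) if m else None


def find_beacons(crontab_text, allowed_hosts=frozenset(), max_interval=60):
    """Flag periodic jobs (<= max_interval minutes) that call out to a host
    that is not explicitly allowed."""
    findings = []
    for raw in crontab_text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        fields, command = parsed
        interval = beacon_interval(fields)
        if interval is None or interval > max_interval:
            continue
        if not NETWORK_TOOLS.search(command):
            continue
        m = URL_OR_HOST.search(command)
        host = m.group(1) if m else "<unknown>"
        if host in allowed_hosts:
            continue
        findings.append(Finding(raw.strip(), interval, host))
    return findings


# Constructed sample crontab; addresses are from the documentation-only
# 203.0.113.0/24 and 198.51.100.0/24 ranges.
SAMPLE_CRONTAB = """\
# constructed sample, not taken from the Sysdig report
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * curl -s http://203.0.113.10/ping > /dev/null 2>&1
15 */6 * * * /opt/backup/run.sh
*/10 * * * * curl -s http://monitor.internal/heartbeat
* * * * * python3 -c "import urllib.request;urllib.request.urlopen('http://198.51.100.7/c')"
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CRONTAB, allowed_hosts={"monitor.internal"}):
        print(f"every {f.interval_minutes} min -> {f.host}: {f.line}")
```

The allowlist matters: monitoring agents and health checks legitimately beacon every few minutes, so the value of the rule comes from comparing the destination against what the host is supposed to talk to, not from the schedule alone.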
From the Langflow instance, the attacker pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig couldn’t determine.
Nacos was targeted with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that creates rogue administrator accounts.
The agent probed for container escape methods and deployed the ransomware payload. According to the researchers, JadePuffer encrypted 1,342 Nacos service configuration items before deleting the originals.
“The captured payloads show the agent encrypting all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropping the original config_info and history tables, and creating an extortion table (README_RANSOM) containing the demand, a Bitcoin payment address, and a Proton Mail contact,” describes Sysdig.
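The sequence Sysdig describes (bulk `AES_ENCRYPT()` updates, dropping the source tables, creating an extortion table) is visible in the database's own query log. Below is an added example, not Sysdig's tooling, that scores MySQL general-log style lines per connection thread and raises an alert when several of those indicators appear together; the log lines are constructed for the example and the timestamps and thread ids are invented.

```python
import re
from collections import defaultdict

# MySQL general_log line: <timestamp> <thread_id> <command> <argument>
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+(\w+)\s+(.*)$")

# Each indicator: (name, pattern). Patterns are case-insensitive and match the
# SQL text only.
INDICATORS = [
    # in-place encryption of a column's own content
    ("mass_encrypt", re.compile(r"\bUPDATE\b.*\bSET\b.*\bAES_ENCRYPT\s*\(", re.I)),
    # destruction of the plaintext after encryption
    ("drop_table", re.compile(r"\bDROP\s+TABLE\b", re.I)),
    # extortion table created alongside the data
    ("ransom_table", re.compile(r"\bCREATE\s+TABLE\b\s*`?\w*(RANSOM|README)\w*`?", re.I)),
    # ransom wording written into the database
    ("ransom_text", re.compile(r"\bINSERT\b.*\b(decrypt|ransom|encrypted)\b", re.I)),
]


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    thread_id, command, argument = m.groups()
    return int(thread_id), command, argument


def score_threads(log_text, min_indicators=2):
    """Return {thread_id: sorted indicator names} for threads whose queries hit
    at least min_indicators distinct indicators."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        thread_id, command, sql = parsed
        if command != "Query":
            continue
        for name, pattern in INDICATORS:
            if pattern.search(sql):
                hits[thread_id].add(name)
    return {t: sorted(names) for t, names in hits.items() if len(names) >= min_indicators}


# Constructed general-log excerpt; not from the incident.
SAMPLE_LOG = """\
2025-05-02T10:15:01.000000Z    17 Query   SELECT data_id, content FROM config_info LIMIT 10
2025-05-02T10:15:03.000000Z    17 Query   UPDATE config_info SET content = HEX(AES_ENCRYPT(content, @k))
2025-05-02T10:15:04.000000Z    17 Query   CREATE TABLE README_RANSOM (note TEXT)
2025-05-02T10:15:05.000000Z    17 Query   INSERT INTO README_RANSOM VALUES ('Your data has been encrypted. Pay to decrypt.')
2025-05-02T10:15:06.000000Z    17 Query   DROP TABLE config_info
2025-05-02T10:16:00.000000Z    22 Query   SELECT COUNT(*) FROM config_info
2025-05-02T10:16:01.000000Z    22 Query   UPDATE users SET last_login = NOW() WHERE id = 5
2025-05-02T10:16:02.000000Z    22 Quit
"""

if __name__ == "__main__":
    for thread_id, names in score_threads(SAMPLE_LOG).items():
        print(f"thread {thread_id}: {', '.join(names)}")
```

A single `DROP TABLE` or a lone `AES_ENCRYPT()` call is ordinary DBA or application activity, which is why the rule keys on co-occurrence within one connection; the general log (or an audit plugin) has to be enabled in advance for any of this to exist at incident time.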
(Image: The encryption function. Source: Sysdig)
The ransom note claims that the data was encrypted using the AES-256 algorithm, although the researchers believe this to be an overstatement, and that the use of the weaker AES-128-ECB is more likely.
Sysdig mentions that the encryption key is randomly generated but not stored or transmitted to the attacker.
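Why the "AES-256" claim is doubtful comes down to how MySQL's `AES_ENCRYPT()` treats the key: the cipher strength is set by the server's `block_encryption_mode` (default `aes-128-ecb`), and any key string longer than the mode's key size is XOR-folded down to that size rather than used as a longer key. The added example below reproduces that folding in Python (it is not MySQL code and not from the Sysdig report) so the effect can be checked on constructed keys: a 32-byte passphrase of repeated `A` collapses to the all-zero 128-bit key.

```python
# Key sizes in bytes for MySQL block_encryption_mode values.
MODE_KEY_BYTES = {
    "aes-128-ecb": 16, "aes-128-cbc": 16,
    "aes-192-ecb": 24, "aes-192-cbc": 24,
    "aes-256-ecb": 32, "aes-256-cbc": 32,
}


def mysql_fold_key(key: bytes, mode: str = "aes-128-ecb") -> bytes:
    """Reproduce MySQL's key preparation for AES_ENCRYPT()/AES_DECRYPT():
    the user-supplied key is laid over a zeroed buffer of the mode's key size
    and every byte is XORed in, wrapping around when the buffer ends.
    The default mode is aes-128-ecb, so the effective key is 16 bytes."""
    size = MODE_KEY_BYTES[mode]
    rkey = bytearray(size)
    for i, b in enumerate(key):
        rkey[i % size] ^= b
    return bytes(rkey)


def keys_equivalent(k1: bytes, k2: bytes, mode: str = "aes-128-ecb") -> bool:
    """Two keys encrypt identically under MySQL if they fold to the same bytes."""
    return mysql_fold_key(k1, mode) == mysql_fold_key(k2, mode)


def effective_key_bits(key: bytes, mode: str = "aes-128-ecb") -> int:
    """Upper bound on key strength: the mode's key size, never the passphrase length."""
    return MODE_KEY_BYTES[mode] * 8


if __name__ == "__main__":
    # Constructed keys for illustration only.
    long_key = b"A" * 32                     # looks like a 256-bit key
    print(mysql_fold_key(long_key).hex())    # 16 zero bytes under the default mode
    print(effective_key_bits(long_key))      # 128
    print(keys_equivalent(b"A" * 16 + b"B" * 16, bytes([ord("A") ^ ord("B")]) * 16))
```

The practical consequence for responders is that a long random key gives no more than 128 bits of strength under the default mode, and that a key which was generated but never stored or sent, as Sysdig reports here, leaves nothing to recover even if the attacker were willing to negotiate; restoration has to come from backups of the configuration tables.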
The Bitcoin address listed in the ransom note is an example address widely used in public documentation, possibly the result of the LLM reproducing it from the training data.
Other signs that an AI was controlling the attack include detailed natural-language comments in the generated code that describe the operational reasoning, and rapid iteration that reacts to the specific error encountered in the previous attempt rather than simply retrying the same step.
(Image: Rapid iteration steps. Source: Sysdig)
Sysdig concludes that the case of JadePuffer demonstrates that the age of “agentic threat actors” (ATAs) has arrived, lowering the skill required for conducting damaging cyberattacks.
At the same time, given how AI agents operate today, LLM-generated payloads create new detection opportunities for security solutions.