JadePuffer ransomware used AI agent to automate entire attack
Bill Toulas
July 4, 2026, 10:16 AM

Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent.
According to cloud security company Sysdig, JadePuffer used an autonomous AI agent to perform reconnaissance on the target, steal credentials, move laterally, establish persistence, escalate privileges, and encrypt data.
The researchers say that the AI agent adapted to failures during the intrusion, much like a human operator would handle obstacles.
“The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds,” Sysdig says.
From initial access to encryption
JadePuffer gained initial access to the target by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps.
The vendor fixed the flaw on April 1, 2025, and in early May of the same year, CISA tagged it as exploited in attacks targeting internet-exposed endpoints, usually deployed with minimal hardening but containing cloud credentials and API keys.
After obtaining code execution through CVE-2025-3248, the AI agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store.
- Sysdig highlights the adaptive approach to MinIO enumeration, where if one API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly.
- JadePuffer also established persistence on the Langflow host by installing a cron job on the server, which was configured to beacon to the attacker’s infrastructure every 30 minutes.
- From the Langflow instance, the attacker pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig couldn’t determine.
- Nacos was targeted with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that creates rogue administrator accounts.
The agent probed for container escape methods and deployed the ransomware payload. According to the researchers, JadePuffer encrypted 1,342 Nacos service configuration items before deleting the originals.
“The captured payloads show the agent encrypting all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropping the original config_info and history tables, and creating an extortion table (README_RANSOM) containing the demand, a Bitcoin payment address, and a Proton Mail contact,” describes Sysdig.

The ransom note claims that the data was encrypted using the AES-256 algorithm, although the researchers believe this to be an overstatement, and that the use of the weaker AES-128-ECB is more likely.
Sysdig mentions that the encryption key is randomly generated but not stored or transmitted to the attacker.
The Bitcoin address listed in the ransom note is an example address widely used in public documentation, possibly the result of the LLM reproducing it from the training data.
Other signs that AI was controlling the attack include detailed natural-language comments in the generated code describing operational reasoning and rapid attack iteration that considers the specific errors encountered, rather than being simple retries.

Sysdig concludes that the case of JadePuffer demonstrates that the age of “agentic threat actors” (ATAs) has arrived, lowering the skill required for conducting damaging cyberattacks.
At the same time, given how AI agents operate today, LLM-generated payloads create new detection opportunities for security solutions.
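The database-side sequence Sysdig describes (AES_ENCRYPT() over config_info, dropping the originals, creating README_RANSOM) can be matched per connection in MySQL query logs. The following is an added detection sketch, not code from Sysdig or the original article; the log line layout, the `enc_cfg` table and the `his_config_info` history-table name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified query-log lines: timestamp, connection id, command, statement.
SAMPLE_LOG = """\
2026-01-01T02:00:01Z 41 Query SELECT data_id, content FROM config_info WHERE tenant_id = ''
2026-01-01T02:00:05Z 77 Query CREATE TABLE enc_cfg AS SELECT id, AES_ENCRYPT(content, 'k') AS c FROM config_info
2026-01-01T02:00:09Z 77 Query DROP TABLE config_info
2026-01-01T02:00:10Z 77 Query DROP TABLE his_config_info
2026-01-01T02:00:12Z 77 Query CREATE TABLE README_RANSOM (note TEXT)
2026-01-01T02:00:30Z 41 Query UPDATE config_info SET content = 'a=1' WHERE id = 3
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
RULES = {
    # AES_ENCRYPT() applied in a statement that also touches config_info
    "encrypt_config": re.compile(
        r"AES_ENCRYPT\s*\(.*\bconfig_info\b|\bconfig_info\b.*AES_ENCRYPT\s*\(", re.I),
    # Dropping config_info or a prefixed variant (assumed history table name)
    "drop_config": re.compile(
        r"\bDROP\s+TABLE\s+(IF\s+EXISTS\s+)?`?\w*config_info`?", re.I),
    # The extortion table named in the report
    "ransom_table": re.compile(
        r"\bCREATE\s+TABLE\s+(IF\s+NOT\s+EXISTS\s+)?`?README_RANSOM\b", re.I),
}

def detect(log_text):
    """Return [(connection_id, severity, [rule names in order])] for matching sessions."""
    hits = defaultdict(list)  # connection id -> rule names in the order they fired
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, conn, stmt = m.groups()
        for name, rx in RULES.items():
            if rx.search(stmt):
                hits[conn].append(name)
    alerts = []
    for conn, names in hits.items():
        # Critical: ransom table created, or encryption followed by a drop in one session.
        encrypt_then_drop = (
            "encrypt_config" in names and "drop_config" in names
            and names.index("encrypt_config") < names.index("drop_config"))
        severity = "critical" if "ransom_table" in names or encrypt_then_drop else "review"
        alerts.append((conn, severity, names))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Ordinary reads and updates on config_info (connection 41 in the sample) produce no alert; a lone DROP is reported at "review" severity so that legitimate schema maintenance can be triaged separately.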
Go there > BLEEPING COMPUTER
NetNut proxy network disrupted, 2 million infected devices cut off
By Ionut Ilascu
July 3, 2026, 01:50 PM

A joint operation involving Google has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes. Also known as Popa, the NetNut botnet allowed cybercriminals and espionage groups to hide behind legitimate home internet addresses when launching attacks.
According to the Google Threat Intelligence Group (GTIG), the residential proxy botnet is estimated to comprise at least two million compromised devices.

