Researchers have discovered the first ransomware intrusion conducted almost entirely by an autonomous large language model (LLM) agent, further demonstrating how generative AI and cybercrime are converging.
Sysdig researchers detected the campaign by analyzing an attack linked to the JadePuffer threat actor that exploited a critical vulnerability in Langflow to gain initial access. An AI agent then conducted reconnaissance, credential harvesting, privilege escalation, lateral movement, persistence, and encryption of data independently.
Instead of operating as a scripted automation tool, the agent demonstrated an ability to assess its environment, recover from failed actions, and dynamically adjust its approach throughout the intrusion, which highlights a significant shift toward AI-assisted offensive operations with minimal direct human intervention.
The intrusion exploited CVE-2025-3248, a critical unauthenticated remote code execution vulnerability in Langflow that enables arbitrary Python code execution when the deployment is exposed to the internet.
Although patched in April and later added to CISA's Known Exploited Vulnerabilities catalog following active exploitation, internet-exposed Langflow instances remained attractive targets because they commonly stored cloud credentials, API tokens, and application secrets.
The AI-driven operation then systematically extracted Langflow's PostgreSQL database and profiled the compromised host before expanding its reconnaissance to connected MinIO object storage, enumerating environment variables and sensitive configuration files, and harvesting available credentials.
When an API returned XML instead of the expected JSON, the agent automatically adjusted its parsing logic and continued enumeration without manual intervention.
The operation also established persistence through a cron job configured to contact attacker-controlled infrastructure every 30 minutes.
Once persistence and reconnaissance were established, the AI agent moved to the destructive phase of the attack, dynamically refining its execution in response to the target environment.
A Sysdig analysis found that the ransomware model modified payloads to satisfy authentication checks, verified that User Defined Functions (UDFs) were present, and signaled that work had been completed before initiating ransomware activity.
All 1,342 Nacos service configuration records were encrypted using MySQL's AES_ENCRYPT() function, the original configuration_info and history tables were removed, and a README_RANSOM table was created containing the extortion message, Bitcoin payment address, and Proton Mail contact information for negotiations.
Although the ransom note claimed AES-256 encryption, Sysdig assessed the implementation more closely resembled AES-128 in ECB mode.
In addition, the encryption key was generated locally, but was neither retained nor transmitted to attackers' infrastructure.
The researchers also noted the Bitcoin wallet embedded in the ransom instructions matched a public documentation address, suggesting that the LLM reproduced this address from its training data rather than generating an operational payment destination for the ransom. Each captured payload included a natural-language explanation of how the actions were carried out, demonstrating the agent's ability to interpret system feedback, diagnose errors, and revise its logic throughout the intrusion, rather than relying on repetitive scripted retries.
Aside from rapidly troubleshooting execution failures, Sysdig also documented the agent's ability to interpret error responses and alter its approach in real time. The model was observed to correct an unsuccessful authentication attempt within 31 seconds by identifying the root cause of the failure rather than repeating the same steps over and over again.
Over 600 distinct payloads were recorded throughout the intrusion, each reflecting deliberate progression through sequential attack stages rather than static automation.
The Bitcoin wallet incorporated into the ransom note remained an unresolved anomaly: it precisely matched a well-known address published in Bitcoin developer documentation.
Investigators were unable to determine whether the address was reproduced from the training data or if it was deliberately selected by the operator since both references are readily available in technical resources.
The campaign is also indicative of a larger evolution in cyber operations assisted by artificial intelligence during the past year. Earlier claims of AI-powered ransomware, including PromptLock, were ultimately linked to controlled research rather than active criminal operations.
The use of generative artificial intelligence in operational situations has become increasingly evident in recent incidents. Anthropic previously disclosed the use of its Claude Code assistant, under human supervision, in an extortion campaign against at least 17 organizations, followed by a largely autonomous state-linked espionage operation that used artificial intelligence to develop exploits and facilitate data theft.
Operator involvement was limited.
Similar fabricated credentials were also observed in the JadePuffer campaign, reinforcing the possibility that the unusual Bitcoin addresses observed may have been the result of model hallucinations rather than deliberate malicious intent. Collectively, these incidents demonstrate the ways in which artificial intelligence is automating discrete phases of sophisticated intrusion, reducing the expertise and effort normally required to conduct large-scale offensive operations.
From a defensive perspective, Sysdig recommends maintaining established security practices. Langflow deployments should be fully patched against CVE-2025-3248 and code execution interfaces should not be exposed directly to the internet. Secrets should be stored in dedicated secrets managers rather than accessible runtime environments.
Additionally, the company recommends replacing default signing keys, restricting public exposure, preventing database connections from root accounts, and enforcing outbound network controls so that compromised hosts are not able to communicate with command and control systems.
According to Sysdig, autonomous agents are able to detect and exploit new vulnerabilities within hours of their disclosure, which makes runtime detection and behavioral monitoring as critical as timely patch management.
The researchers released indicators of compromise associated with the campaign in support of incident response efforts, including the use of CVE-2025-3248 as the initial entry vector, command-and-control infrastructure located at 45.131.66[.]106 with an ongoing beacon program, and a staging server located at 64.20.53[.]230.
Three ransom artifacts are associated with the attack: the README_RANSOM table, the wallet 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, and the email address e78393397[@]proton[.]me.
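The published indicators and the 30-minute cron beacon can be combined into a quick triage pass over crontabs and logs. This is an added example, not code from Sysdig or from the original article; the sample lines, the list of network tools and all function names are assumptions made for illustration.

```python
import re

# Indicators as published in the article (defanged); refanged only in memory.
IOCS_DEFANGED = {
    "c2_ip": "45.131.66[.]106",
    "staging_ip": "64.20.53[.]230",
    "ransom_table": "README_RANSOM",
    "btc_wallet": "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
    "contact_email": "e78393397[@]proton[.]me",
}
# Assumption: tools a cron beacon might call; the article does not name one.
NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|python3?)\b|/dev/tcp/")
HALF_HOURLY = {"*/30", "0,30", "30,0"}  # minute fields that fire every 30 min

def refang(value):
    """Restore a defanged indicator to its literal form."""
    return value.replace("[.]", ".").replace("[@]", "@")

# \w guards keep 45.131.66.106 from matching inside 145.131.66.1060.
IOC_PATTERNS = {
    name: re.compile(r"(?<!\w)" + re.escape(refang(v)) + r"(?!\w)")
    for name, v in IOCS_DEFANGED.items()
}

def is_half_hourly_cron(line):
    """True for a crontab entry that runs every 30 minutes, every hour."""
    fields = line.split()
    return len(fields) >= 6 and fields[0] in HALF_HOURLY and fields[1] == "*"

def triage(lines):
    """Return (line_no, verdict, ioc_names); "review" = beacon-like cron, no IoC."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = [n for n, pat in IOC_PATTERNS.items() if pat.search(line)]
        if hits:
            findings.append((number, "ioc", hits))
        elif is_half_hourly_cron(line) and NET_TOOLS.search(line):
            findings.append((number, "review", []))
    return findings

# Constructed sample lines (crontab, proxy log, SQL log), not captured data.
SAMPLE = [
    "*/30 * * * * curl -fsS http://" + refang("45.131.66[.]106") + "/ >/dev/null",
    "0,30 * * * * wget -q -O- http://198.51.100.7/hb",
    "*/30 * * * * /usr/local/bin/rotate-logs.sh",
    "CONNECT 145.131.66.1060:443 denied",
    "Query CREATE TABLE README_RANSOM (note TEXT)",
]
print(triage(SAMPLE))
```

The "review" verdict keeps half-hourly jobs that reach the network even when the destination is not a listed indicator, since infrastructure can change between intrusions while the beacon interval stays the same.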
JadePuffer is not regarded by Sysdig as introducing fundamentally new attack techniques, but the researchers consider it to be an important indicator of where offensive capabilities are heading. Autonomous AI agents can now individually combine familiar exploitation methods into complete intrusion chains, making every application server, configuration repository, and administrative interface exposed to the internet a far more attractive target than before.
The evolution of ransomware has reached an important turning point with JadePuffer, as autonomous artificial intelligence agents are now capable of executing complex attacks without human assistance.
AI infrastructure should be secured, credentials exposed to the internet must be rigorously managed, and runtime detection capabilities should be strengthened to identify adaptive behavior before it progresses into a full-scale compromise. With artificial intelligence-assisted attacks on the rise, proactive resilience is as important as rapid patching.