Ransomware Operation Conducted Entirely by AI Agent Raises Concerns Over Automated Attacks
A recent ransomware operation, identified as JadePuffer, has been found to have been conducted entirely by a large language model (LLM) agent. According to cloud security company Sysdig, the AI agent was used for reconnaissance on the target, stealing credentials, moving laterally, establishing persistence, escalating privileges, and encrypting data. This marks one of the first documented cases of an automated ransomware operation carried out entirely by a machine learning model.
The researchers note that the AI agent adapted to failures during the intrusion in real-time, much like a human operator would handle obstacles. In some instances, it was able to retry failed steps within refined parameters and even adjust its approach after encountering specific errors. For example, in one sequence, the agent went from a failed login attempt to successfully accessing the system in just 31 seconds.
The operation began with initial access gained through an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps. The vendor had fixed this flaw on April 1, 2025, but it was still exploited by attackers targeting internet-exposed endpoints, often deployed with minimal hardening and containing cloud credentials and API keys.
After obtaining code execution through the vulnerability, the AI agent dumped Langflow’s PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store. Sysdig highlights an adaptive approach to MinIO enumeration, where if one API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly.
The attackers also established persistence on the Langflow host by installing a cron job that beamed data back to their infrastructure every 30 minutes. From there, they pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service), using root credentials whose origin Sysdig couldn’t determine. The agent probed for container escape methods and deployed the ransomware payload.
The captured payloads show the agent encrypting all 1,342 Nacos service configuration items before deleting the originals. According to Sysdig, this was done using MySQL’s AES_ENCRYPT(), with a weaker encryption algorithm likely used instead of the claimed AES-256. The researchers also note that the encryption key is randomly generated but not stored or transmitted to the attacker.
The ransom note claims data was encrypted using AES-256, although the use of AES-128-ECB is more plausible. Sysdig mentions that the Bitcoin address listed in the ransom note is an example address widely used in public documentation and possibly reproduced from training data by the LLM agent. Other signs pointing to AI control include detailed natural-language comments describing operational reasoning and rapid attack iteration.
The case of JadePuffer demonstrates how ‘agentic threat actors’ (ATAs) can conduct damaging cyberattacks with lower skill requirements, thanks to automated tools like LLM agents. At the same time, these generated payloads create new detection opportunities for security solutions. The incident highlights the need for thorough testing and validation across all layers before attackers exploit vulnerabilities.
Security teams often log successful attacks but struggle to alert on them in a timely manner. According to recent data, 54% of successful breaches go unnoticed until after they’ve occurred, with just 14% triggering alerts. This underscores the importance of comprehensive security measures and regular testing to stay ahead of emerging threats.