Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent.
According to cloud security company Sysdig, JadePuffer used an autonomous AI agent to perform reconnaissance on the target, steal credentials, move laterally, establish persistence, escalate privileges, and encrypt data.
The researchers say that the AI agent adapted to failures during the intrusion, much like a human operator would handle obstacles.
“The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds,” Sysdig says.
From initial access to encryption
JadePuffer gained initial access to the target by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, a popular open-source framework used for building LLM apps.
The vendor fixed the flaw on April 1, 2025, and in early May of the same year, CISA tagged it as exploited in attacks targeting internet-exposed endpoints, which are usually deployed with minimal hardening but contain cloud credentials and API keys.
After obtaining code execution through CVE-2025-3248, the AI agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store.
Sysdig highlights the adaptive approach to MinIO enumeration: when one API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly.
JadePuffer also established persistence on the Langflow host by installing a cron job on the server, which was configured to beacon to the attacker’s infrastructure every 30 minutes.
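A defender-side hunt for the cron persistence described above, as an added example that is not from Sysdig's report or the original article: it flags crontab entries that fire every 30 minutes and whose command reaches the network. The sample crontab, the documentation-range addresses and the marker list are constructed assumptions; the article does not give the actual cron command.

```python
import re

# Constructed sample crontab (documentation-range addresses, not from the incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/30 * * * * curl -fsS http://203.0.113.10/checkin
0,30 * * * * /usr/bin/python3 /opt/app/rotate_logs.py
15 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
0-59/30 * * * * wget -q -O /dev/null http://198.51.100.7/ping
@reboot /usr/local/bin/start-langflow.sh
"""

# Heuristic markers of outbound network activity in a cron command (assumed list).
NETWORK_MARKERS = re.compile(r"\b(curl|wget|nc|ncat|socat)\b|/dev/(tcp|udp)/|https?://")


def minute_values(field):
    """Expand a cron minute field (lists, ranges, steps) into the minutes it fires on."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = ("0-59" if rng == "*" else rng).partition("-")
        minutes.update(range(int(lo), int(hi or lo) + 1, int(step or 1)))
    return minutes


def fires_every_30_minutes(schedule):
    """True when the job runs twice an hour, 30 minutes apart, every hour of every day."""
    minute, *rest = schedule
    try:
        fired = sorted(minute_values(minute))
    except ValueError:  # not a numeric schedule (malformed or unsupported syntax)
        return False
    return rest == ["*"] * 4 and len(fired) == 2 and fired[1] - fired[0] == 30


def suspicious_entries(crontab_text):
    """Return (line_number, line) for 30-minute jobs whose command touches the network."""
    hits = []
    for number, line in enumerate(crontab_text.splitlines(), start=1):
        fields = line.split(None, 5)
        if line.lstrip().startswith(("#", "@")) or len(fields) < 6:
            continue  # comments, @reboot-style shortcuts, environment assignments
        if fires_every_30_minutes(fields[:5]) and NETWORK_MARKERS.search(fields[5]):
            hits.append((number, line))
    return hits
```

A benign job on the same schedule, such as the log rotation script in the sample, is not flagged because its command has no network marker; hits are leads for review, not verdicts.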