Security researchers have uncovered the first instance of an agentic AI-run ransomware campaign.
The campaign was uncovered by cloud security firm Sysdig, which attributed the attack to a threat group it calls JADEPUFFER. The campaign specifically targeted an internet-exposed production server running a MySQL database and an Alibaba Nacos configuration running on Langflow, an open-source framework for building large language applications and agentic workflows.
“The most striking characteristic, however, was the LLM’s behavior. JADEPUFFER’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively,” Sysdig said.
The campaign began with the attackers exploiting a critical missing-authentication vulnerability flaw tracked as CVE-2025-3248 in Langflow that enables attackers to execute arbitrary Python on the host.
“Langflow is an attractive entry point because its servers are AI-adjacent, frequently hold provider API keys and cloud credentials in their environment, and are often stood up quickly without network controls,” Sysdig said.
How The Attack Worked
The attacks unfolded in two phases, with the hackers attempting to gain cloud credentials and API keys for OpenAI, Anthropic, and other popular frontier models. The hackers then scanned for endpoints with default credentials and proceeded to probe MinIO used in on-premises and cloud-native stacks to store application data, backups, ML models, and infrastructure state. MinIO bucket enumeration allowed the attackers to carry out targeted credential extraction.
Using the harvested credentials and API, the hackers pivoted to Alibaba Nacos configuration services, which they compromised using multiple vectors. These included auth bypass using the Langflow vulnerability, using a valid JSON web key and injecting a backdoor administrator directly into the Nacos backing database.
Once compromised, the attackers encrypted all the exfiltrated Nacos service configuration.
Evidence Of AI-Driven Attacks
Sysdig determined that the latest JADEPUFFER campaign is driven by agentic AI based on several characteristics. These included the use of self-narrating code in the payloads explaining each action, such as identifying the “largest” database.
The other indicators included the ability of the system to detect a failed action, then take corrective steps faster than a human operator, and taking “an action that only makes sense if that text was read and understood.”
Finally, Sysdig also raises suspicion about the use of a widely used Bitcoin wallet in the ransom note, which could indicate that the AI system hallucinated the address from training data. “Human operators do not annotate disposable python3 -c one-liners this way, but LLM code-generation does so by default. The narration is internal to the attacker’s own payloads, not inferred,” the report said.
Although the tactics deployed in the campaign are not “novel or sophisticated,” Sysdig adds the campaign showcases how LLM agents can be used by ransomware hackers for reconnaissance, credential theft, lateral movement, persistence, and destruction. It also showcases how attackers are weaponizing old vulnerabilities at speed, the report added.
“Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures, and they should treat exposed application servers, unhardened configuration stores, and internet-facing database admin accounts as the first surfaces that will be attacked,” Sysdig said.