Sysdig Uncovers First Known Agentic AI Run Ransomware Campaign

Agentic AI Ransomware Campaign Entered Through Exposed AI Infrastructure, Sysdig Finds

Published on Jul 6, 2026
Akshaya Asokan Written by Akshaya Asokan
Sysdig Uncovers First Known Agentic AI Run Ransomware Campaign

Security researchers have uncovered the first instance of an agentic AI-run ransomware campaign.

The campaign was uncovered by cloud security firm Sysdig, which attributed the attack to a threat group it calls JADEPUFFER. The campaign specifically targeted an internet-exposed production server running a MySQL database and an Alibaba Nacos configuration running on Langflow, an open-source framework for building large language applications and agentic workflows.

“The most striking characteristic, however, was the LLM’s behavior. JADEPUFFER’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively,” Sysdig said.

The campaign began with the attackers exploiting a critical missing-authentication vulnerability flaw tracked as CVE-2025-3248 in Langflow that enables attackers to execute arbitrary Python on the host.

“Langflow is an attractive entry point because its servers are AI-adjacent, frequently hold provider API keys and cloud credentials in their environment, and are often stood up quickly without network controls,” Sysdig said.

How The Attack Worked

The attacks unfolded in two phases, with the hackers attempting to gain cloud credentials and API keys for OpenAI, Anthropic, and other popular frontier models. The hackers then scanned for endpoints with default credentials and proceeded to probe MinIO used in on-premises and cloud-native stacks to store application data, backups, ML models, and infrastructure state. MinIO bucket enumeration allowed the attackers to carry out targeted credential extraction.

Using the harvested credentials and API, the hackers pivoted to Alibaba Nacos configuration services, which they compromised using multiple vectors. These included auth bypass using the Langflow vulnerability, using a valid JSON web key and injecting a backdoor administrator directly into the Nacos backing database.

Once compromised, the attackers encrypted all the exfiltrated Nacos service configuration.

Evidence Of AI-Driven Attacks

Sysdig determined that the latest JADEPUFFER campaign is driven by agentic AI based on several characteristics. These included the use of self-narrating code in the payloads explaining each action, such as identifying the “largest” database.

The other indicators included the ability of the system to detect a failed action, then take corrective steps faster than a human operator, and taking “an action that only makes sense if that text was read and understood.”

Finally, Sysdig also raises suspicion about the use of a widely used Bitcoin wallet in the ransom note, which could indicate that the AI system hallucinated the address from training data. “Human operators do not annotate disposable python3 -c one-liners this way, but LLM code-generation does so by default. The narration is internal to the attacker’s own payloads, not inferred,” the report said.

Although the tactics deployed in the campaign are not “novel or sophisticated,” Sysdig adds the campaign showcases how LLM agents can be used by ransomware hackers for reconnaissance, credential theft, lateral movement, persistence, and destruction. It also showcases how attackers are weaponizing old vulnerabilities at speed, the report added.

“Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures, and they should treat exposed application servers, unhardened configuration stores, and internet-facing database admin accounts as the first surfaces that will be attacked,” Sysdig said.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Akshaya Asokan
Akshaya Asokan Freelance Journalist

Akshaya Asokan is a U.K.-based cybersecurity and technology journalist with experience covering nation‑state hacking operations, cyber and tech policy, and emerging cybercrime trends. She previously served as the senior European cybersecurity correspondent for Information Security Media Group’s Global News Desk. Before that, she reported on IT developments for IDG Media and covered artificial intelligence and machine learning for Analytics India Magazine. Earlier in her career, she wrote on sexual and religious minority rights as a reporter for The New Indian Express.