Cybersecurity firm Sysdig has documented what it calls the first ransomware operation carried out end-to-end by an autonomous AI agent, with no human directing individual steps of the attack.
How the attack unfolded
The operation, which Sysdig named JADEPUFFER, began with a scan for internet-facing servers running Langflow, an open-source tool for building AI applications and agent workflows. The attacker exploited CVE-2025-3248, an unauthenticated remote-code-execution flaw disclosed in April 2025 and later added to the US Cybersecurity and Infrastructure Security Agency’s known-exploited-vulnerabilities list.
From that foothold, an AI agent took over: mapping the compromised machine, harvesting credentials and API keys for services including OpenAI, Anthropic, DeepSeek and Google Gemini, and collecting cloud logins spanning both US providers and Chinese platforms such as Alibaba and Tencent. It then moved laterally to a separate, unrelated production database server, its true target, exploiting a second flaw to create a rogue administrator account before encrypting 1,342 configuration items and deleting the originals.
Signs the attack was AI-driven
Sysdig says the strongest evidence of autonomy came from the payloads themselves, which were saturated with natural-language commentary explaining the reasoning behind each step, including which targets offered the best return before moving on. The agent also adapted in real time: after one login attempt failed, it diagnosed a software configuration issue and issued a corrective, multi-step fix within roughly 31 seconds, faster than a human operator could plausibly have intervened. Researchers counted more than 600 distinct payloads executed across the operation.
“An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step,” Sysdig’s threat research team wrote.
Why it matters
If confirmed as genuinely autonomous, JADEPUFFER would mark a shift in ransomware from a craft requiring specialized skill at each stage to one an operator can largely delegate to an AI system. Sysdig and other researchers describe such actors as “agentic threat actors,” attackers whose capability comes from AI tooling rather than the human directing it. The underlying Langflow vulnerability was patched in version 1.3.0, but researchers note many exposed instances were never updated.