Agentic malware is an attack where an AI agent — not a human operator — plans and carries out most of the attack chain itself: scanning for a way in, exploiting it, stealing credentials, moving across a network, and finishing with theft, encryption, or destruction. A human still picks the target and sets the goal, but the AI decides how to get there, adapting to what it finds along the way. Security researchers increasingly call this an “agentic threat actor” — an attacker whose skill comes from the AI tooling it runs, not from the person behind the keyboard.

From AI-assisted to agentic: a spectrum

Not every AI-linked attack is agentic. Most attacks that use AI today are only AI-assisted: a human still runs each step, and the AI just generates content along the way — a convincing phishing email, a snippet of malware code, a fake voice recording. The human remains the one exploiting the vulnerability, moving through the network, and deciding what to do next.

An agentic attack moves further along that spectrum. The AI itself calls the tools, reads the results, and chooses the next action — recon, then exploitation, then credential theft, then lateral movement — largely without a human approving each individual step.

Two disclosures from Anthropic illustrate the middle and far end of that spectrum. In August 2025, the company reported a single attacker who used its Claude Code tool for nearly every stage of an extortion campaign against more than a dozen organizations, including writing the malware and drafting personalized ransom notes. In November 2025, Anthropic said a state-sponsored group had gone further, using an AI agent to run roughly 80–90% of an espionage campaign across about 30 targets on its own, with humans stepping in only to choose targets and approve a handful of critical decisions per operation.

How an agentic attack actually runs

The cybersecurity firm Sysdig documented what may be the clearest case yet at the fully autonomous end of the spectrum: an operation it named JADEPUFFER. The attack began with a scan for exposed servers running Langflow, a legitimate open-source tool for building AI agents, through an unpatched flaw (CVE-2025-3248) that had been publicly known for over a year. From there, an AI agent took over on its own: mapping the compromised machine, harvesting API keys and cloud credentials, moving to an unrelated production database, and ultimately encrypting more than 1,300 configuration files after deleting the originals.

What convinced researchers the operation was AI-driven, rather than a human quietly at the keyboard, was the pace and the paper trail. The payloads were full of natural-language notes explaining the reasoning behind each move. When one login attempt failed, the agent diagnosed the cause and issued a multi-step fix in roughly 31 seconds — far faster than a human analyst could plausibly react. “An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step,” Sysdig’s researchers wrote.

Why it matters

Agentic attacks change two things that have historically limited ransomware and intrusion campaigns: skill and speed. Running a multi-stage intrusion by hand takes real expertise at each stage — finding an exploitable flaw, escalating access, evading detection. An agentic tool collapses that requirement: the operator supplies a goal and a target, and the AI supplies the expertise. Palo Alto Networks’ Unit 42 built its own agentic-attack framework to test this and compressed a full compromise-to-exfiltration chain — normally days of work — into about 25 minutes, roughly 100 times faster than a typical manual campaign.

That combination — lower skill requirements plus far higher speed — is why security researchers are treating agentic malware as a distinct category worth naming, rather than just another flavor of automated attack tooling.

Can defenses keep up?

The response on the defense side is following the same pattern: AI agents watching for AI agents. Gartner has named “AI SOC agents” — systems that autonomously triage and investigate security alerts — as an emerging product category, and vendors including Microsoft and several security-operations platforms have shipped agentic detection tools that aim to match the speed of an automated attacker rather than a human one. Whether defensive automation can keep pace with attacking automation is, for now, an open contest — see our companion piece on how AI is reshaping cybersecurity for both sides.

In the news

Sysdig’s JADEPUFFER report was one of the first named, documented cases of this pattern in the wild: JADEPUFFER: First Fully Autonomous AI Ransomware Attack.

FAQ

Is agentic malware the same as “AI-generated malware”?
No. AI-generated malware means AI helped write malicious code that a human still deploys and operates. Agentic malware means an AI agent runs the operation itself — deciding what to do at each stage, not just writing what a human tells it to.

Does this require a new, specially trained AI model?
Not necessarily. The documented cases used general-purpose AI agents and coding tools, redirected toward attack tasks — the capability comes from giving an existing agent tools and a goal, not from a purpose-built “hacking AI.”

Can ordinary organizations actually be targeted this way?
Yes. JADEPUFFER began with a scan for an unpatched, publicly known vulnerability in commodity software — the kind of exposure automated scanning finds constantly, not a targeted, resource-intensive human operation.

Sources: Sysdig’s JADEPUFFER report, Anthropic’s disclosures on AI-assisted and agentic cyberattacks, and Palo Alto Networks’ Unit 42 agentic-attack framework research.