JadePuffer: Sysdig Sniffs Out the First Agentic Ransomware

Ransomware was already disruptive as it is when researchers discovered something even worse – agentic ransomware.
The Sysdig Threat Research Team (TRT) has uncovered the first ever documented case of agentic ransomware, which it elaborates as “a complete extortion operation driven end-to-end by a large language model (LLM)”.
The threat actor, dubbed JadePuffer, is the first documented instance of what Sysdig calls an agentic threat actor (ATA).
With the ATA successfully gaining access to the victim’s database server, executing flawlessly all the steps from reconnaissance, initial access to server takeover and even correcting itself at machine speed when steps go wrong, this fully agentic attack is an unwelcome development in a world already plagued with a growing number of cyber threats.
Agentic threat actor behaviour
JadePuffer, the researchers discovered, had an interesting feature. The payload was self-narrating.
It reasoned in natural language, prioritised its targets and adapted its operation in real-time retrying failed steps using modified parameters.
The Sysdig researchers recount an instance when the ATA went from a failed login to a working fix in a mere 31 seconds.
The initial access and establishment of persistence
Initial access itself was through a known vulnerability in a popular, open-source LLM building framework called Langflow.
CVE-2025-3248, which is a missing-authentication flaw wherein attackers can execute Python code on the host.
Langflow is exposed in many internet facing deployments and is often an attractive entry point for attackers considering how AI-adjacent its servers are and how it holds API keys and cloud credentials in their environment and often do not have network controls.
Once it gained execution, the agent swept the environment parallelly looking for various secrets including LLM API keys from major providers including OpenAI, Anthropic, DeepSeek, Gemini and others, cloud credentials, cryptocurrency wallets, database credentials and configuration files.
After collecting cloud credentials and API keys JadePuffer expanded its access by extracting data from Langflow's PostgreSQL database, recovering stored credentials, API keys and user information before removing the temporary files it had created.
It then explored the internal network, searching for databases, storage systems and secret management services, eventually finding a MinIO object storage server where it identified and retrieved additional credentials from configuration files, adapting its approach when its first attempt did not work.
To maintain persistence or long-term access, the agent installed a scheduled task (cron job) on the compromised Langflow server that contacted attacker-controlled infrastructure every 30 minutes.
Server encryption and ransom note
JadePuffer then pivoted to its apparent target: an internet-facing production server running MySQL and Alibaba Nacos.
Using root MySQL credentials, the origin of which is unknown, the agent autonomously and simultaneously exploited multiple known Nacos authentication weaknesses and inserted a backdoor administrator account into the platform's database.
When its first login attempt failed, it analysed the error, modified its approach and successfully regained access without human intervention, all in 31 seconds.
The skill floor for running ransomware has dropped to whatever it costs to run an agent and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.
With administrative access established, JadePuffer moved to the final stage of the operation by encrypting the victim's Nacos configuration data and replacing it with a ransom note containing payment instructions.
Michael Clark, Senior Director of Threat Research at Sysdig who authored the blog on JadePuffer calls it a “warning sign”.
“It’s a marker of where extortion tradecraft is heading,” Michael writes in the Sysdig blog.
“An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence and destroyed a database, narrating its own intent the entire way.
“None of the individual techniques were novel or sophisticated. What is notable, however, is that an AI model strung them together into a complete ransomware operation against neglected internet-facing infrastructure.”
The most important implication here is severe. “The skill floor for running ransomware has dropped to whatever it costs to run an agent and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero,” he notes.
Michael also warns that the volume and breadth of such campaigns will rise as agentic tooling matures, asking defenders to “treat exposed application servers, unhardened configuration stores and internet-facing database admin accounts as the first surfaces that will be attacked”.





