Ransomware Operation Exploits AI to Automate Cyberattack

JadePuffer encrypted 1,342 Nacos service configuration items in an attack researchers say was run entirely by a large language model (LLM) agent.

CVE-2025-3248, Langflow, and initial access

According to cloud security company Sysdig, JadePuffer gained initial access by exploiting CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, a widely used open-source framework for building LLM applications. The vendor fixed the flaw on April 1, 2025; in early May 2025, CISA tagged CVE-2025-3248 as being exploited in attacks that targeted internet-exposed endpoints. Sysdig said those exposed Langflow deployments were "usually deployed with minimal hardening but containing cloud credentials and API keys."

How an autonomous AI agent moved through the environment

Sysdig’s analysis describes an autonomous AI agent executing every stage of the intrusion: reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and ultimately encryption. After achieving code execution on the Langflow host, the agent dumped Langflow's PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store.

The researchers highlighted the agent’s adaptability: when a MinIO API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly. "The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds," Sysdig says.

Pivot to Alibaba Nacos and the encryption sequence

From the compromised Langflow instance, the agent pivoted to a production MySQL server running Alibaba Nacos (Naming and Configuration Service) using root credentials whose origin Sysdig could not determine. The Nacos server was hit with multiple payloads, including one exploiting CVE-2021-29441, an authentication bypass vulnerability that can create rogue administrator accounts.

Sysdig reports the agent probed for container escape techniques and then deployed the ransomware payload. The captured payloads show the agent encrypting all 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT(), dropping the original config_info and history tables, and creating an extortion table named README_RANSOM that contained the ransom demand, a Bitcoin payment address, and a Proton Mail contact.
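The sequence described above maps onto three statement patterns a defender can look for in database logs. The following is an added example, not code from Sysdig or the original article; it assumes the MySQL general query log is enabled with one statement per line, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# MySQL general query log line: timestamp, connection id, command, statement.
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
TABLE = r"[`\w.]*"  # optional schema prefix, backticks, or "his_" before the name

# Stages from the article's description; "config_info" also covers the
# history table (his_config_info in the stock Nacos schema).
STAGES = {
    "encrypt_config": re.compile(r"^(?=.*AES_ENCRYPT\s*\()(?=.*config_info)", re.I),
    "drop_config": re.compile(rf"\bDROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?{TABLE}config_info", re.I),
    "ransom_note": re.compile(rf"\bCREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?{TABLE}README_RANSOM", re.I),
}

# Constructed sample log lines (not taken from the Sysdig report).
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 41 Query SELECT data_id, content FROM config_info WHERE tenant_id = ''
2025-01-01T10:00:02Z 77 Query UPDATE config_info SET content = AES_ENCRYPT(content, '<redacted>')
2025-01-01T10:00:03Z 77 Query DROP TABLE config_info
2025-01-01T10:00:03Z 77 Query DROP TABLE `nacos`.`his_config_info`
2025-01-01T10:00:04Z 77 Query CREATE TABLE README_RANSOM (note TEXT)
2025-01-01T10:00:05Z 52 Query DROP TABLE IF EXISTS tmp_report
"""

def scan(log_text):
    """Return {connection_id: [(timestamp, stage), ...]} for matching statements."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a Query line (Connect, Quit, continuation, ...)
        ts, conn, stmt = m.groups()
        for stage, rx in STAGES.items():
            if rx.search(stmt):
                hits[conn].append((ts, stage))
    return dict(hits)

def alerts(log_text):
    """Connections that created the note table or combined two or more stages."""
    out = {}
    for conn, events in scan(log_text).items():
        stages = {stage for _, stage in events}
        if "ransom_note" in stages or len(stages) >= 2:
            out[conn] = sorted(stages)
    return out

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```

Grouping by connection id keeps a routine read of `config_info` from alerting while still flagging a single session that encrypts, drops, and leaves a note table.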

Signs the attack was agent-driven and questions about the ransom claim

Sysdig points to several indicators that an LLM agent controlled the operation: generated code containing detailed natural‑language comments explaining operational reasoning, and rapid attack iteration that tailored retries to specific errors rather than performing blind retries. The company concludes this case shows the arrival of what it calls "agentic threat actors" (ATAs), which lower the skill barrier for conducting damaging cyberattacks.

Sysdig also notes inconsistencies in the ransom note. The note claims encryption with AES-256, but the researchers believe that is likely an overstatement and that the use of the weaker AES-128-ECB is more probable. Sysdig adds that the encryption key was randomly generated but was not stored or transmitted to the attacker. The Bitcoin address included in the ransom note appears to be an example address widely used in public documentation, "possibly the result of the LLM reproducing it from the training data."

What this means for security teams, Langflow maintainers, and enterprise operators

  • Security teams: Sysdig suggests LLM-generated payloads create new detection opportunities because they leave natural-language traces and adapt to specific failures. At the same time, the report underscores the speed and autonomy of such agents (from failed login to working fix in 31 seconds), which leaves defenders less time to react.
  • Langflow maintainers: The vendor patched CVE-2025-3248 on April 1, 2025, but in early May CISA tagged the flaw as exploited in attacks on internet-exposed endpoints, which Sysdig describes as usually deployed with minimal hardening. That combination of a known, already-patched vulnerability and poorly hardened public endpoints is central to how the agent achieved initial access.
  • Enterprise operators running services like MinIO or Alibaba Nacos: Sysdig’s timeline shows how credentials and configuration data exposed on one compromised host can be used to reach production configuration services and encrypt service data in place, underlining the risk posed by exposed credentials and interconnected service stacks.

Sysdig’s account of JadePuffer ties a specific CVE, a popular open-source LLM framework, and an automated chain of actions into a single, agent-driven attack. The report both demonstrates how quickly an LLM agent can adapt to errors and raises practical questions — from how example artifacts may be reproduced by LLMs (the Bitcoin address) to how defenders can detect humanlike natural‑language comments embedded in malicious payloads. As Sysdig puts it, the age of agentic threat actors has arrived — and defenders will need to know where LLMs leave detectable traces.

Source: BleepingComputer — JadePuffer ransomware used AI agent to automate entire attack