cd /news/ai-safety/why-this-fully-agentic-ransomware-at… · home topics ai-safety article
[ARTICLE · art-49650] src=zdnet.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Why this fully agentic ransomware attack is giving researchers nightmares

Security researchers have identified JadePuffer, the first documented case of fully agentic ransomware driven end-to-end by AI. The campaign exploited a vulnerability in Langflow to gain access, steal credentials, and deploy ransomware on a production server. This marks a foundational shift in adversarial capabilities, as AI enables autonomous, machine-speed attacks that can adapt and fix errors in seconds.

read3 min views1 publishedJul 7, 2026
Why this fully agentic ransomware attack is giving researchers nightmares
Image: Zdnet (auto-discovered)

Follow ZDNET: Add us as a preferred source on Google.

ZDNET's key takeaways

  • Researchers have documented a ransomware campaign that appears to be entirely AI-driven.
  • JadePuffer could be the first known case of an AI agent orchestrating a full attack chain.
  • The case underscores the urgency with which organizations must defend themselves.

Security researchers have identified JadePuffer, a ransomware campaign that they're calling the "first documented case of agentic ransomware." The entire operation is driven end-to-end by AI.

Also: 5 ways to fortify your network against the new speed of AI attacks

What is JadePuffer and how does it work? #

According to the cloud security firm Sysdig, JadePuffer uses a large language model (LLM) to handle the campaign without human intervention.

The JadePuffer operator -- or cybercriminal group -- exploited CVE-2025-3248, an unauthenticated remote code execution (RCE) vulnerability in Langflow, an open source builder for agentic AI applications.

JadePuffer's LLM abused the Langflow bug to gain initial access to its target system, performing reconnaissance and scanning the environment to steal credentials, including LLM-related API keys, cloud service credentials, cryptocurrency wallet information, and seed phrases, as well as database credentials and configuration files.

Also: Is your AI agent a security risk? NanoClaw wants to put it in a virtual cage

After establishing persistence in the Langflow environment, the threat actor pivoted to its true target, a production server running an Alibaba Nacos configuration service. Ransomware was then deployed, and files on the server were encrypted before a ransom note demanding payment in Bitcoin was displayed to the victim.

AI's influence #

This playbook has been seen countless times in ransomware campaigns, but what makes it different is its use of an LLM that can adapt and adjust its tactics based on the defenses it encounters:

Self-narrating code: The LLM annotated each payload and step, which explained each task in the attack chain and why the AI made each decision.Failures and fixes: In one step, the LLM failed to access the target system. Within 31 seconds, a fix was calculated, and a new corrective payload was developed and deployed.

Why does JadePuffer matter? #

It appears that JadePuffer may be one of the earliest examples of a ransomware campaign deployed and managed by an LLM.

Noelle Murata, chief operating officer of Xcape Inc., says that the JadePuffer case "marks a foundational shift in adversarial capabilities," highlighting how AI can be used to pivot cyberattackers from scripted -- and rigid -- techniques to "autonomous, machine-speed execution."

Also: 5 security tactics your business can't get wrong in the age of AI - and why they're critical

This case is likely going to give security defenders some sleepless nights. The problem is that AI and LLMs are often faster than humans at performing computing tasks, and while AI errors and hallucinations could impact the success of an LLM-controlled malicious campaign, AI can rapidly adapt -- and the time defenders have to respond shrinks.

"By leveraging a large language model to independently navigate the entire cyber kill chain, diagnose its own execution errors, and rewrite payloads in seconds, this operation renders conventional, human-dependent incident response models completely obsolete," Murata said. "While the agent relied entirely on unpatched legacy vulnerabilities and public tools to gain initial access, its ability to execute an end-to-end campaign without human intervention severely compresses the detection and containment window for defenders."

How can businesses respond? #

How organizations can respond effectively to the next evolution of AI-driven cybercrime remains to be seen. However, it could be that human, manual triage and incident response won't be enough in a few short years.

Also: Want a private ChatGPT alternative? How Proton's Lumo 2.0 locks down your data, EU style

Security experts recommend behavior-based detection models to combat not only AI but also insider threats, and it's likely that future defenders will need to deploy their own AI solutions to defend their networks. Automated monitoring systems, advanced identity management, and endpoint protection, alongside layered, proactive security measures, could make the difference.

Security

Editorial standards

── more in #ai-safety 4 stories · sorted by recency
── more on @sysdig 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/why-this-fully-agent…] indexed:0 read:3min 2026-07-07 ·