# Why this fully agentic ransomware attack is giving researchers nightmares

> Source: <https://www.zdnet.com/article/jadepuffer-fully-agentic-ransomware-attack-researchers-nightmares/>
> Published: 2026-07-07 15:49:02+00:00

# Why this fully agentic ransomware attack is giving researchers nightmares

*Follow ZDNET: *[Add us as a preferred source](https://www.google.com/preferences/source?q=zdnet.com)* on Google.*

### ZDNET's key takeaways

- Researchers have documented a ransomware campaign that appears to be entirely AI-driven.
- JadePuffer could be the first known case of an AI agent orchestrating a full attack chain.
- The case underscores the urgency with which organizations must defend themselves.

Security researchers have identified JadePuffer, a ransomware campaign that they're calling the "first documented case of agentic ransomware." The entire operation is driven end-to-end by AI.

**Also: 5 ways to fortify your network against the new speed of AI attacks**

## What is JadePuffer and how does it work?

According to the cloud security firm [Sysdig](https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion#link={%22role%22:%22standard%22,%22href%22:%22https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion%22,%22target%22:%22_blank%22,%22absolute%22:%22%22,%22linkText%22:%22Sysdig%22}), JadePuffer uses a large language model (LLM) to handle the campaign without human intervention.

The JadePuffer operator -- or cybercriminal group -- exploited [CVE-2025-3248](https://nvd.nist.gov/vuln/detail/CVE-2025-3248), an unauthenticated remote code execution (RCE) vulnerability in Langflow, an open source builder for agentic AI applications.

JadePuffer's LLM abused the Langflow bug to gain initial access to its target system, performing reconnaissance and scanning the environment to steal credentials, including LLM-related API keys, cloud service credentials, cryptocurrency wallet information, and seed phrases, as well as database credentials and configuration files.

**Also: Is your AI agent a security risk? NanoClaw wants to put it in a virtual cage**

After establishing persistence in the Langflow environment, the threat actor pivoted to its true target, a production server running an Alibaba Nacos configuration service. Ransomware was then deployed, and files on the server were encrypted before a ransom note demanding payment in Bitcoin was displayed to the victim.

## AI's influence

This playbook has been seen countless times in ransomware campaigns, but what makes it different is its use of [an LLM](https://www.zdnet.com/article/ai-is-making-cybercriminal-workflows-more-efficient-too-openai-finds/) that can adapt and adjust its tactics based on the defenses it encounters:

**Self-narrating code**: The LLM annotated each payload and step, which explained each task in the attack chain and why the AI made each decision.**Failures and fixes:** In one step, the LLM failed to access the target system. Within 31 seconds, a fix was calculated, and a new corrective payload was developed and deployed.

## Why does JadePuffer matter?

It appears that JadePuffer may be one of the earliest examples of a ransomware campaign deployed and managed by an LLM.

Noelle Murata, chief operating officer of Xcape Inc., says that the JadePuffer case "marks a foundational shift in adversarial capabilities," highlighting how AI can be used to pivot cyberattackers from scripted -- and rigid -- techniques to "autonomous, machine-speed execution."

**Also: 5 security tactics your business can't get wrong in the age of AI - and why they're critical**

This case is likely going to give security defenders some sleepless nights. The problem is that AI and LLMs are often faster than humans at performing computing tasks, and while AI errors and hallucinations could impact the success of an LLM-controlled malicious campaign, AI can rapidly adapt -- and the time defenders have to respond shrinks.

"By leveraging a large language model to independently navigate the entire cyber kill chain, diagnose its own execution errors, and rewrite payloads in seconds, this operation renders conventional, human-dependent incident response models completely obsolete," Murata said. "While the agent relied entirely on unpatched legacy vulnerabilities and public tools to gain initial access, its ability to execute an end-to-end campaign without human intervention severely compresses the detection and containment window for defenders."

## How can businesses respond?

How organizations can respond effectively to the next evolution of AI-driven cybercrime remains to be seen. However, it could be that human, manual triage and incident response won't be enough in a few short years.

**Also: Want a private ChatGPT alternative? How Proton's Lumo 2.0 locks down your data, EU style**

Security experts recommend [behavior-based detection models](https://www.zdnet.com/article/5-ways-to-fortify-your-network-against-ai-attacks/) to combat not only AI but also insider threats, and it's likely that future defenders will need to deploy their own AI solutions to defend their networks. Automated monitoring systems, advanced identity management, and endpoint protection, alongside layered, proactive security measures, could make the difference.

#### Security

[Editorial standards](/editorial-guidelines/)
