A fully autonomous AI agent conducted an end-to-end cyber intrusion and extortion campaign after exploiting a vulnerable Langflow server, demonstrating how large language models could accelerate ransomware operations, according to research published by Sysdig.
Sysdig detailed the operation in a research paper, saying the AI agent, dubbed JadePuffer, completed the entire intrusion chain, from initial access to database extortion, using an LLM to adapt its actions and execute more than 600 coordinated payloads.
“The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM),” Michael Clark, director of threat research at Sysdig, wrote in the paper.
Sysdig classifies JadePuffer as an agentic threat actor, meaning its attack capability was delivered by an AI agent rather than a human-driven toolkit.
A known flaw opens the door
According to Sysdig, JadePuffer gained initial access by exploiting CVE-2025-3248, an RCE vulnerability in an internet-facing Langflow instance, before pivoting to a production server running MySQL and Alibaba’s Nacos configuration platform.
The AI agent harvested credentials, established persistence, mapped internal services, and ultimately encrypted 1,342 Nacos configuration records before deleting the original tables and leaving behind a Bitcoin ransom demand.
Clark wrote that what distinguished the campaign was not the exploitation techniques, which largely relied on known vulnerabilities and misconfigurations, but the AI agent’s ability to make operational decisions throughout the intrusion.
Sysdig said the operation touched two separate machines: the compromised Langflow host that provided initial access, and a second production database server that was the agent’s true objective. All payloads, the researchers said, were delivered as Base64-encoded Python sent through the Langflow remote-code-execution endpoint.
“The most striking characteristic, however, was the LLM’s behavior,” he wrote. “JADEPUFFER’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively.”
The paper cited multiple instances where the AI agent diagnosed failures and generated corrected payloads without human intervention. In one case, it recovered from a failed attempt to create an administrator account in Alibaba’s Nacos platform within 31 seconds. Sysdig said the behavior, along with self-narrating code and contextual reasoning, supported its assessment that the operation was LLM-driven.
Experts see evolution, not a revolution
Independent cybersecurity researcher and red teamer Vibhum Dubey said the campaign represents “an evolution in execution” rather than a fundamentally new ransomware technique.
“I see it more as an evolution in execution than a completely new ransomware technique,” Dubey said. “Attackers have automated reconnaissance, credential theft, and deployment for years. The difference is that an AI agent can connect those stages together and make decisions without waiting for a human operator.”
Adaptive decision making is the biggest concern, he said. “Traditional detections assume attackers follow fairly predictable paths. An AI agent can quickly change tactics if something is blocked, making every intrusion look slightly different. I’m less worried about the encryption stage than the quiet phase beforehand, where the agent maps identities, privileges, and trust relationships while avoiding detection.”
Rather than focusing on individual tools, defenders should prioritize detecting attacker behavior, including suspicious identity activity, privilege escalation, abnormal authentication patterns, and unusual sequences of actions across systems, Dubey said.
Although AI lowers the operational barrier for ransomware campaigns, it does not replace experienced attackers, he added. “Where AI makes a difference is helping less experienced operators chain together post-exploitation activities more effectively. Defenders should assume future intrusions will move faster and require less hands-on interaction from the attacker.”
Behavioral detection remains key
Autonomous AI agents capable of independently executing multiple stages of an attack represent “an evolution rather than a revolution,” said Prashant Sharma, cybersecurity consultant at Cyble.
“AI-assisted techniques have been in use for some time, but the emergence of autonomous agents capable of independently executing multiple stages of an attack could substantially increase the speed, scale, and adaptability of ransomware operations,” Sharma said.
He said threat actors are already using AI to improve phishing, malware development, reconnaissance, and social engineering, and he expects autonomous capabilities to become more common as the technology matures.
For enterprise defenders, however, the security priorities remain largely unchanged.
“Modern EDR, XDR, and SOC platforms are built to flag malicious behavior rather than the underlying technology driving it,” Sharma said. “Whether an attack is carried out manually or orchestrated by an AI agent, actions such as credential abuse, privilege escalation, lateral movement, data exfiltration, and ransomware deployment still leave detectable behavioral traces.”