JADEPUFFER: How an Agentic Ransomware Attack Unfolded
In early July 2026, researchers at Sysdig published an analysis of what they assess to be the first documented case of agentic ransomware. The threat actor, which Sysdig calls JADEPUFFER, launched an extortion attack driven end to end by a large language model (LLM) rather than a conventional human-operated toolkit.
JADEPUFFER gained access to an internet-facing Langflow instance, conducting reconnaissance before moving toward its intended target, and deployed a ransomware payload against a production database. The fact that the LLM chained these techniques together with limited or no human intervention during execution is what makes this attack notable.
It also gives weight to concerns raised around frontier models like Anthropic’s Mythos. Artificial intelligence (AI) is not innovating unheard-of attack techniques, but it is starting to change the delivery and execution speed for familiar payloads like ransomware.
For organizations, that makes agentic ransomware less of a theoretical risk and more of an operational security problem. As the research highlights, defenders now need to prepare for highly adaptive, automated attack chains that compress the window between initial access and impact.
How the JADEPUFFER agentic ransomware attack unfolded
JADEPUFFER targeted Langflow, a popular open-source, Python-based framework for building AI applications. The LLM’s entry point was CVE-2025-3248, a vulnerability affecting Langflow versions before 1.3.0. The vulnerability allows attackers to run code via a flaw in the API of the application.
Sysdig researchers observed that JADEPUFFER’s operation had two targets; the Langflow instance provided initial access, which allowed the LLM to pivot to a separate production database server.
Phase 1: Compromising the Langflow instance
JADEPUFFER’s first move was to exploit CVE-2025-3248 in the exposed Langflow instance. According to Sysdig, the attacker delivered Base64-encoded Python payloads through Langflow’s vulnerable remote code execution endpoint, giving the LLM the ability to run commands on the initial access host.
Once inside, the agent began by mapping the environment. It collected host and system information, including:
- LLM provider API keys
- Cloud credentials
- Cryptocurrency wallets and seed phrases
- Database credentials and configuration files
From there, JADEPUFFER established persistence before pivoting, as the Langflow instance was not the final target. It was the foothold JADEPUFFER used to look for the credentials and context needed to reach something more valuable.
Phase 2: JADEPUFFER pivots and deploys ransomware
According to Sysdig, artifacts from the compromise showed that the intended target was a separate internet-exposed production server running MySQL and Alibaba Nacos, a service discovery and configuration platform commonly used in Alibaba-linked microservice environments.
The activity that followed highlights how effectively JADEPUFFER adapted to challenges through the attack path. The agent attempted to create a backdoor administrator account in Nacos, checked whether the login worked, then adjusted its approach when the result was not satisfactory. Sysdig reported that a corrective payload followed just 31 seconds later, replacing the account and trying again with different parameters.
The ransomware stage focused on the Nacos configuration data. Sysdig observed the agent encrypting 1,342 configuration items, dropping the original configuration and history tables, and creating a ransom note inside the database. The note claimed the data had been encrypted and provided a Bitcoin address and Proton Mail contact for payment. However, Sysdig also found that the encryption key was generated during execution, printed once, and not stored or transmitted. Even if the victim paid the ransom, they would not be able to recover the encrypted configurations.
Was the JADEPUFFER attack fully autonomous?
Sysdig’s assessment is that JADEPUFFER was driven end to end by an LLM once the operation was underway. Several details support this observation:
- Self-narrating code: JADEPUFFER’s payloads included comments and descriptions that explained what the code was doing as it ran. That “thinking out loud” is consistent with LLM-generated code, where the model produces both the action and its rationale.
- Adaptation at machine speed: When one attempt to create access in Nacos did not work as expected, the agent issued a corrected payload 31 seconds later. A human attacker could make the same decision, but the speed of the correction suggests an automated feedback loop.
- Payload variety: Sysdig observed a broad range of payloads across the attack, covering reconnaissance, credential discovery, database access, file-system checks, encryption, and cleanup. The variety matters because it suggests the agent was generating or adapting task-specific code as the environment changed, rather than replaying one static playbook.
- The Bitcoin address: The ransom note included a Bitcoin address and payment instructions that points to an example wallet used in Bitcoin developer documentation. While the wallet was live, Sysdig could not confirm whether the LLM hallucinated the address from training data, or if this was a deliberate decision by JADEPUFFER’s operator.
The threat of malicious LLMs
Taken together, these markers represent an evolution in ransomware automation. Ransomware groups already have repeatable playbooks for intrusion, which agents like JADEPUFFER are well-suited to run. The LLM interpreted results and produced new payloads based on that information, adjusting its course as the attack unfolded. That has a number of implications for organizations looking to defend against AI-led attacks.
Attack speed will increase. JADEPUFFER demonstrated rapid adaptation when one attack route failed, generating a successful alternative in under a minute. LLM-powered threats reduce the time defenders have to detect and contain suspicious activity.
The barrier for entry will be lowered. Attackers no longer need deep expertise across every part of the intrusion chain if they can simply point an LLM at the target. That does not turn every low-skill actor into an advanced threat, but it does make more complex attacks easier to attempt.
Attack chains will become more adaptive. Attackers can task an AI agent to probe a target system and escalate the most promising paths. This was seen when CodeWall pointed an AI agent at McKinsey’s internal chatbot ‘Lilli’. The AI agent mapped Lilli’s attack surface and gained initial access through an unauthenticated endpoint. In less than two hours, CodeWall’s agent gained system-wide access, including revealing the system prompts controlling Lilli’s behavior.
Old vulnerabilities will remain a prime target for attackers. JADEPUFFER used a known vulnerability against an unpatched Langflow instance, then built the rest of the attack from there. That is an important point for defenders: agentic attacks do not need novel entry points if organizations are still carrying known exposure across internet-facing systems.
How can organizations mitigate the risk of agentic hackers?
The defensive lesson from JADEPUFFER is that agentic hackers make exploitation faster and cheaper. It’s crucial that organizations apply robust cybersecurity measures consistently, with detection and response processes that support rapid containment.
- Reduce the internet-facing attack surface: Keep AI orchestration tools, configuration services and database management ports off the public internet wherever possible.
- Maintain insight on, and prioritize, known vulnerabilities: JADEPUFFER exploited a CVE from 2025. Agentic attackers can test large numbers of historical vulnerabilities quickly, making neglected systems attractive targets.
- Store secrets securely: Keep API keys, cloud credentials, database passwords and other secrets out of environment files and local configuration paths. Use a secrets manager and apply least privilege.
- Segment critical systems: A compromised AI application should not provide a direct route to production databases, object storage or configuration services. Network segmentation and source-IP restrictions can limit lateral movement.
- Use the agent’s own output as a detection signal: JADEPUFFER’s payloads contained unusually detailed comments describing objectives, target value and next steps. Defenders should consider monitoring executed scripts and commands for this kind of self-narrating language.
How Outpost24 helps
AI is changing how attackers and defenders operate. The risks may be familiar, but the speed and scale of automated attacks mean security teams need to act faster.
That starts with a clear view of your external attack surface and a prioritized list of the vulnerabilities that matter most. Outpost24’s External Attack Surface Management (EASM), together with our Risk-Based Vulnerability Management (RBVM) tool OutscanNX, provide the necessary visibility. EASM continuously discovers and inventories all internet-facing assets. OutscanNX identifies and prioritizes vulnerabilities across your network and cloud environments, with scoring based on exploit activity, asset criticality, and threat context.
Outpost24’s CyberFlex then helps plan testing around your organization’s risks, with certified penetration testers validating weaknesses and providing practical remediation guidance.
With decades of experience in ethical hacking and attack surface management, Outpost24 helps organizations focus on the most exploitable risks and improve application security. Contact us today to find out how we can help secure your applications.