Sysdig Unveils Groundbreaking AI-Driven Ransomware Campaign: JadePuffer
Cloud security firm Sysdig has recently revealed what it claims is the world’s first ransomware campaign entirely executed by a Large Language Model (LLM). This innovative approach marks a significant evolution in cyber threats, raising alarms about the future of cybersecurity.
The campaign, named JadePuffer, targeted an internet-facing instance of Langflow by exploiting a known vulnerability designated CVE-2025-3248. According to Sysdig’s Threat Research Team, the attack was characterized as an “adaptive and fully automated campaign,” resulting in a targeted and destructive playbook aimed at extorting the victim’s production database server. This incident signifies a paradigm shift in how ransomware is executed, moving away from traditional human-operated methods.
In the research conducted by Sysdig, the capabilities of the attack were delivered not by a human but through an agent designed to operate autonomously. This LLM was adept at retrying failed steps within specified parameters, showcasing an unnerving level of sophistication. For instance, in a particular sequence, the AI transitioned from a failed login attempt to a successful workaround in just 31 seconds, demonstrating its rapid adaptive capabilities.
The multi-stage approach employed during the attack initiated with several key elements:
- Vulnerability Exploitation: The attackers gained access to Langflow utilizing the CVE-2025-3248 vulnerability.
- Reconnaissance and Credential Harvesting: The LLM hunted for various sensitive elements such as APIs, cloud credentials, and database logins.
- Local Data Theft: Attackers extracted sensitive data, including Langflow’s underlying Postgres database.
- Lateral Discovery: Once inside, they explored services reachable from the Langflow host.
- MinIO Object-Store Enumeration: Credential harvesting extended to MinIO object-stores as well.
- Creation of Persistent Access: A cron job was established on the Langflow server to ensure ongoing access.
- Targeting Production Servers: The attackers leveraged root credentials to exploit a production MySQL server running Alibaba Nacos, a naming and configuration service.
- Widespread Data Destruction: The campaign culminated in targeting Nacos with various payloads, which included exploiting another vulnerability, CVE-2021-29441.
The primary objective of the JadePuffer campaign appears to have been mass data destruction. The attackers encrypted all 1,342 Nacos service configuration items, deleting the originals in the process. Sysdig noted a crucial aspect of the encryption method: the AES key was generated randomly and was never stored or transmitted, making recovery impossible even if the ransom was paid. This emerged as a significant hurdle for the victims, who found themselves unable to recover their encrypted configurations.
Additionally, Sysdig reported that captured payloads indicated the LLM escalated from actions like row-level deletions to complete database schema drops, explaining its targeting rationale in the process. Interestingly, an IP address (64.20.53[.]230) was noted in the attack outputs but without any evidence of backed-up data, raising further concerns about the efficiency and resilience of data management practices.
Key Insights from Sysdig’s Discovery
Sysdig emphasized four critical takeaways from the JadePuffer incident:
-
AI-Driven Ransomware: The campaign indicates that ransomware can now be executed autonomously by LLM agents, eliminating the need for highly skilled human threat actors. The entire spectrum of activities, from reconnaissance to credential theft and persistent access, can occur without operator involvement.
-
Automation of Old Vulnerabilities: The exploitations leveraged long-standing vulnerabilities, such as a 2021 Nacos authentication bypass and overlooked default signing keys, indicating that neglected, internet-exposed infrastructures remain highly vulnerable.
-
New Detection Opportunities: The LLM’s inherent narrative ability within its payloads presents a unique opportunity for detection. Security professionals can utilize the rationale provided by the AI to enhance triage and defensive responses.
- Challenge with Exfiltration Claims: The assertion regarding data exfiltration must be viewed critically. Sysdig highlighted that the ephemeral nature of the AES key made the victim’s configurations irretrievable, regardless of any ransom payments made.
Heath Renfrow, co-founder and CISO at breach recovery firm Fenix24, underscored the urgency presented by such AI-driven attacks. He argued that if an AI agent can perform tasks that previously required hours of manual effort in mere minutes, then networks are at greater risk. This enhanced speed affects every phase of an incident, including detection, containment, and recovery efforts.
Renfrow advised organizations to look beyond the label of “AI-powered” when evaluating the threat landscape. The outcomes remain consistent: compromised identities, stolen credentials, and disrupted business operations. He urged security teams to prioritize fundamental measures such as rapid patching of vulnerable systems, implementing strong identity protections, employing least privilege access, practicing network segmentation, maintaining continuous monitoring, and curbing unnecessary external exposure.
In summary, Sysdig’s JadePuffer campaign exemplifies an alarming trend in cybersecurity, where advanced AI technologies simplify and accelerate destructive cyber operations. As the threat landscape evolves, organizations must not only bolster their defenses but also adapt to the realities posed by these emerging threats.

