Cybersecurity researchers have identified the first documented case of a fully autonomous ransomware operation by AI agents, marking what could become a significant turning point for enterprise cyber resilience.
According to cloud cybersecurity firm Sysdig’s Threat Research Team (TRT), an AI-powered threat actor it has named JADEPUFFER conducted an end-to-end ransomware campaign without evidence of direct human intervention during the attack. Rather than relying on a traditional operator manually directing each stage, the campaign used a large language model (LLM) to execute reconnaissance, credential theft, lateral movement, persistence, privilege escalation and ransomware deployment.
The attack exploited CVE-2025-3248, a remote code execution vulnerability affecting Langflow, an open-source framework used to build LLM-powered applications and AI workflows. From an exposed Langflow instance, the agent moved through the victim’s environment before targeting a production database server. As Michael Clark, Director of Threat Research at Sysdig, explained in a blog post:
“JADEPUFFER is considered an agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit.”
For customer-facing organizations increasingly embedding AI into digital experiences, the incident indicates that AI infrastructure is becoming a new attack surface while attackers themselves are beginning to use AI as an autonomous operator.
An Attack That Adapted in Real Time
Unlike conventional ransomware, which typically follows predefined scripts or requires continuous operator input, JADEPUFFER demonstrated the striking ability to reason through problems and adjust its approach during execution.
“JADEPUFFER’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively,” Clark wrote.
Sysdig researchers observed the AI modifying its own tactics in real time after unsuccessful attempts, diagnosing failures and generating revised payloads within seconds. In one example, after a failed attempt to create an administrative account on a Naming and Configuration Service (Nacos) server, the agent identified the likely cause, regenerated its code and successfully completed the compromise just 31 seconds later.
The campaign also narrated its own decision-making inside its generated Python payloads, explaining why it prioritised specific systems, databases and credentials before carrying out destructive actions.
These characteristics distinguish the campaign from traditional automated tooling, Clark wrote. “The evidence points to an autonomous agent driving the operation rather than a human operator or a fixed toolkit.”
AI Infrastructure Becomes the Initial Target
The attack unfolded across two targets—the Internet-facing Langflow instance that allowed initial access and a separate production database server that was its target. It began with an exposed Langflow deployment, highlighting the growing security risks surrounding AI orchestration platforms.
Researchers found the compromised server was systematically searched for:
- LLM provider API keys
- Cloud credentials across AWS, Azure, Google Cloud and major Chinese cloud providers
- Database credentials
- Cryptocurrency wallets
- Configuration files and environment variables
The agent then enumerated internal services, harvested credentials from a MinIO object storage deployment, established persistence via a scheduled beacon and pivoted to its intended production target.
The findings indicate that AI application servers may increasingly become high-value entry points because they frequently contain privileged credentials needed to connect AI models with enterprise systems.
From Compromise to Destruction
After gaining access to a production MySQL server and a Nacos configuration platform, the AI agent demonstrated increasingly sophisticated behavior.
It attempted multiple authentication bypass techniques simultaneously, forged JWT tokens, created administrator accounts directly in the database and conducted systematic privilege escalation checks before launching ransomware.
Rather than encrypting individual files, JADEPUFFER encrypted more than 1,300 Nacos configuration records using MySQL’s AES_ENCRYPT() functionality before deleting the original databases and replacing them with an extortion note demanding Bitcoin payment.
Researchers also found the encryption key was generated randomly and never stored or transmitted, making recovery effectively impossible even if a victim chose to pay the ransom.
Why Customer Experience Leaders Should Pay Attention
While the attack focused on infrastructure, its implications extend well beyond cybersecurity teams.
Modern customer experiences increasingly rely on AI-powered applications, digital platforms, API integrations and cloud-native architectures. Many enterprises are rapidly deploying LLM-based assistants, automation tools and orchestration frameworks such as Langflow to improve customer engagement and employee productivity.
Those same platforms may now become preferred entry points for autonomous attackers.
An attack capable of independently compromising customer-facing systems, configuration platforms or cloud infrastructure has the potential to disrupt digital services, expose sensitive customer information and significantly impact brand trust.
As AI adoption accelerates across customer operations, security increasingly becomes a core component of delivering reliable customer experiences.
Preparing For Fully Autonomous Threats
The emergence of agentic attackers also changes how enterprises should think about cyber resilience.
Security programs have largely been designed around the assumption that attackers are constrained by human time, expertise and operational capacity. Autonomous AI agents challenge that assumption.
The efficiency gains AI delivers for businesses are equally available to cybercriminals. As Miguel Fornés, Governance & Compliance Manager at Surfshark, observed in a CX Today discussion: “That efficiency, right now, it’s being weaponized. Attackers are using AI ruthlessly.” As autonomous agents become capable of executing increasingly complex attacks at machine speed, organisations will need to rethink how they defend digital infrastructure.
“AI changes the IT and security business forever. It’s not going to go backwards…Traditional security is not going to work. Ramping up with a lot more human power security teams, it’s not going to work as well.”
Instead, enterprises will increasingly need AI-assisted detection, automated response capabilities and continuous exposure management to keep pace with AI-driven threats.
An AI-driven attacker can rapidly test multiple attack paths simultaneously, learn from failed attempts, chain together older vulnerabilities and continue operating without waiting for human decision-making. That reduces the cost of sophisticated attacks while increasing their scale.
As Sysdig noted: “Ransomware is no longer a craft for the highly skilled: An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step.”
For enterprise leaders, preparation increasingly means assuming that future adversaries will operate continuously, adapt during attacks and exploit overlooked weaknesses across AI infrastructure, identity systems and cloud environments.
This requires organizations to move beyond periodic vulnerability management toward continuous exposure management, runtime detection and identity protection. AI platforms should be treated as production-critical assets rather than experimental environments, with Internet exposure minimized, secrets removed from application hosts, administrative access tightly restricted and outbound network activity closely monitored.
Security operations teams will need greater visibility into AI workloads, while customer experience, digital and IT leaders will need to ensure that AI initiatives involve governance, infrastructure hardening and incident response planning from the outset.
The emergence of autonomous attackers also raises the prospect of AI-versus-AI security, where defensive systems increasingly need to detect and respond to machine-speed attacks without relying solely on human analysts.
AI Agents Will Increasingly Uncover Yesterday’s Forgotten Vulnerabilities
One of the more significant implications of the JADEPUFFER attack is that autonomous AI agents are capable of systematically working through decades of historical flaws that organizations may not have identified, or assumed would never be exploited.
After compromising the initial Langflow server, the agent targeted a 2021 authentication bypass in Nacos alongside an unchanged default signing key that has been publicly documented for years. Neither issue was new, but they enabled the AI agent to compromise a production environment with minimal resistance.
As Sysdig noted, “agents make spraying the entire historical vulnerability catalogue effectively free, so the long tail of unpatched systems becomes more exposed, not less.”
That observation aligns with broader research into the capabilities of frontier AI models. Before releasing its Mythos-class models with guardrails, Anthropic warned that they are capable of autonomously identifying and exploiting zero-day vulnerabilities across every major operating system and web browser. Many of the vulnerabilities it uncovered had remained hidden for decades, including a now-patched 27-year-old flaw in OpenBSD, an operating system widely regarded for its security.
Anthropic said many of the bugs its model discovered were between 10 and 20 years old and had survived years of human review because they were subtle and difficult to detect.
This indicates that “old” no longer means “low priority” for enterprise security teams. Long-standing technical debt, legacy systems and internet-facing services running years-old software may become increasingly attractive targets as AI agents make exhaustive vulnerability hunting both inexpensive and highly scalable.
How Enterprises Can Prepare For Autonomous AI Cyber Attacks
Sysdig made several recommendations for organizations to strengthen their defenses:
- Patch Langflow deployments affected and avoid exposing code-execution endpoints to the public Internet.
- Remove provider API keys and cloud credentials from AI application environments wherever possible.
- Harden Nacos deployments by replacing default signing keys and preventing internet exposure.
- Restrict administrative database access through strong authentication and network controls.
- Deploy runtime threat detection capable of identifying malicious database behavior.
- Implement outbound network controls to prevent compromised systems communicating with attacker infrastructure.
- Monitor for indicators of compromise, including scheduled outbound beaconing activity and the infrastructure identified during the investigation.
While the techniques used throughout the campaign were individually well known, the way an AI agent combined them into a complete attack lifecycle without requiring continuous human control is significant, Sysdig argued.
If similar capabilities become widely available, organizations may need to prepare for a future where sophisticated ransomware campaigns can be launched at machine speed and on a larger scale than has previously been possible.