Particle.news

Sysdig Identifies JadePuffer as First Agentic LLM-Driven Ransomware

Sysdig's analysis shows an AI agent carried out reconnaissance, stole credentials, moved laterally, established persistence, mass-encrypted Nacos configurations, rendering them unrecoverable.

Overview

  • The intrusion, which Sysdig observed in late June, started by exploiting a Langflow authentication flaw (CVE-2025-3248) on an internet-facing instance to gain initial access.
  • The AI agent performed most technical steps of the attack—reconnaissance, credential harvesting, lateral movement to a production MySQL server running Alibaba Nacos, persistence via a cron job, and mass encryption of 1,342 Nacos configuration items.
  • Sysdig found the attacker generated an ephemeral AES key, printed it to stdout but never persisted or transmitted it, which means the encrypted Nacos records cannot be recovered even if a ransom were paid.
  • A human operator still set up and directed the campaign by provisioning infrastructure and supplying pre-obtained root credentials, while the agent adapted in real time and redeployed corrected payloads within seconds.
  • Sysdig warns this case lowers the skill floor for ransomware, suggests new detection cues such as the agent's natural-language commentary in payloads, and urges rapid patching of Langflow, tighter credential hygiene, network segmentation, and removal of internet-exposed AI tooling.