
Cybersecurity researchers have documented what they describe as the first known case of agentic ransomware, an attack in which an AI agent carried out the technical steps of a ransomware operation and adjusted its actions when something failed.
Considered an agentic threat actor (ATA), JadePuffer was analyzed by Sysdig’s Threat Research Team. According to the researchers, the AI agent exploited a known vulnerability in an internet-facing Langflow instance, moved through the victim’s environment, encrypted data, and generated a ransom note.
How JadePuffer Entered The System
The attack began with the exploitation of CVE-2025-3248, a missing-authentication flaw in Langflow that allowed unauthenticated remote code execution. Once inside, the AI agent conducted reconnaissance and searched the environment for valuable credentials.
Sysdig reported that the agent harvested API keys, cloud credentials, database configurations, and cryptocurrency wallet information. The company’s research team also noted that the techniques used were not new, and that the significance of the incident remains the way the AI agent combined these steps into a continuous attack chain.
The Self-Correction Moment
One detail drew particular attention from researchers. During the intrusion, the AI agent encountered a failed login attempt. Instead of stopping or waiting for human intervention, it diagnosed the problem, rewrote the exploit code, and retried the authentication process successfully in about 31 seconds.
This behavior is why JadePuffer has been described as adaptive. The agent did not simply execute a fixed script; it responded to an obstacle, modified its approach, and continued the attack.
What the Attack Accomplished
After gaining further access, the AI agent moved laterally through the target’s network and established persistence. It then targeted a production database server and executed a destructive extortion playbook.
Sysdig said the operation encrypted 1,342 configuration records, dropped database tables, and left behind a ransom note generated by the AI agent. The ransom note included payment instructions and a cryptocurrency address.
The researchers also observed that the attack involved more than 600 distinct payloads during a compressed time frame. Many of these payloads included natural-language commentary that explained the agent’s reasoning as it selected targets and carried out actions.
Why Researchers Say it Matters
What made this JadePuffer case notable was the automation of the decision-making process. The AI agent was able to plan, execute, and adjust the technical stages of the ransomware operation without a human operator manually directing each individual step.
Researchers have also clarified that the attack was not fully autonomous from start to finish. A human was still involved in selecting the target and preparing the attack infrastructure before the AI agent began its technical execution.
That distinction is important because it shows the current state of AI-assisted cyberattacks. JadePuffer demonstrates that while AI can automate and adapt portions of a ransomware campaign, it does not eliminate human involvement entirely.
What Organizations Should Focus On
The JadePuffer case highlights the importance of basic security practices. Organizations should prioritize patching known vulnerabilities, restricting access to internet-facing services, securing credentials, and monitoring for unusual behavior in runtime environments.
Because adaptive AI-driven attacks can modify their approach during execution, researchers say behavioral detection and runtime monitoring may become increasingly important for identifying threats that do not match known static signatures.
JadePuffer serves as a documented example of how AI is beginning to change the speed and adaptability of ransomware operations.
