
Sysdig: JADEPUFFER ran a full ransomware chain from one LLM

Sysdig's Threat Research Team says JADEPUFFER is the first ransomware incident it has observed where an AI agent handled entry, credential theft, lateral movement, and destruction end-to-end. Initial access was a Langflow code-execution flaw.

airgap · Published · 3 min read

Confirmed reporting by Sysdig. Attribution to a specific actor group: unconfirmed — treat accordingly. Sysdig’s Threat Research Team, via The Hacker News on July 2, says it has documented what it believes is the first ransomware incident run start-to-finish by an AI agent. Sysdig calls the operator JADEPUFFER. A large language model, they say, handled the whole job: breaking in, stealing credentials, moving laterally, then encrypting and wiping the victim’s production database.

What Sysdig reported

  • Initial access: an unauthenticated code-execution flaw in a public-facing Langflow instance. Langflow is an open-source visual builder for LLM workflows and agents; a well-documented RCE in its code-execution API has been under active exploitation since 2025 and is already on the CISA KEV catalog. The chain Sysdig describes used that same exposure — an internet-reachable Langflow, unpatched.
  • Credential access and lateral movement: the agent enumerated the host, pulled credentials, and pivoted into the wider environment. Confidence: high as Sysdig reports it; not independently corroborated.
  • Impact: encryption of a production database, followed by data destruction. Sysdig describes the endgame as ransom-plus-wipe, not a straight extortion play.
  • Operator: JADEPUFFER, per Sysdig’s naming. Attribution to a known crew, nation, or affiliate program: not stated. Treat as an operator handle, not a group.

The novel part

Ransomware crews have used LLMs before — writing lures, translating extortion notes, cleaning up scripts. That’s the boring end. What Sysdig is claiming here is that a single LLM-driven agent handled the operational loop: pick the target, deliver the payload, harvest creds, decide where to move, encrypt, wipe. No human at the keyboard between the initial exploit and the ransom message, in Sysdig’s telling.

That matters for two reasons.

One: the tradecraft floor drops. Chained-agent operators don’t need the years of hands-on experience that make an Anubis affiliate or a FortiBleed-linked crew dangerous. They need an unpatched entry point and enough API credits.

Two: the timeline compresses. Human-driven intrusions take days between initial access and encryption. An agent that never sleeps, doesn’t context-switch, and doesn’t wait for a shift change closes that window. Detection windows built around “we’ll see the recon before the encryption” assumptions get shorter.

Both points are inference from Sysdig’s writeup. Analysis — labeled.

What actually changes for defenders

Same fundamentals, tighter timing.

  • Patch the LLM-tooling stack like the perimeter it now is. Langflow, LangChain servers, agent orchestrators, notebook servers, MLflow, Ray — anything shipping a code-execution surface reachable from the internet. If the platform team stood it up on a public VPC “just for the pilot,” that’s the box you want off the internet this week. Not next quarter.
  • Assume the Langflow flaw is already exploited if you’re behind on it. Sysdig has been reporting Langflow-adjacent activity for months. If your instance is exposed and unpatched, treat it as compromised until you can prove otherwise from logs.
  • Rebuild your ransomware runbook around a shorter dwell window. Detection-in-depth still works, but the “we’ll catch it in the recon phase” assumption is a coin flip when an agent can enumerate and pivot in minutes.
  • Log the LLM you host. If you run Langflow or a comparable agent framework, capture the prompt/completion pairs and tool-call traces. That’s the incident-response timeline when the attacker IS the agent.
  • Watch outbound API usage from your model-hosting subnets. An agent orchestrated through a public LLM API leaves the same fingerprint on your egress as any other high-volume automation. That’s a detection you can build today.
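The egress-volume detection in the last bullet, as an added example that is not from Sysdig's report or this article: it sweeps constructed proxy log lines and alerts on any host in a model-hosting subnet that bursts calls to a public LLM API endpoint within one minute. The subnet, the API hostnames, the log format and the threshold are assumptions to adjust to your own environment.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Assumptions (not from the Sysdig report): the subnet where we host models/agents
# and the public LLM API hostnames they are expected to call. Adjust to your estate.
MODEL_HOSTING_SUBNETS = [ipaddress.ip_network("10.42.0.0/24")]
LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com"}

# Constructed egress/proxy log lines: "<iso-ts> <src_ip> <dst_host> <dst_port> <bytes>".
SAMPLE_LOG = (
    # a burst: 25 calls within one minute from a single model-hosting host
    [f"2025-07-02T10:00:{i:02d}Z 10.42.0.17 api.openai.com 443 {900 + i}" for i in range(25)]
    # low-volume, human-paced use from another host in the same subnet
    + [f"2025-07-02T10:00:{i:02d}Z 10.42.0.9 api.anthropic.com 443 1200" for i in (5, 20, 40)]
    # a busy host outside the watched subnets: out of scope for this rule
    + [f"2025-07-02T10:00:{i:02d}Z 10.1.5.5 api.openai.com 443 700" for i in range(30)]
    + ["2025-07-02T10:00:10Z 10.42.0.17 updates.example.internal 443 50000", "garbage line"]
)


def parse_line(line):
    """Return (minute_bucket, src_ip, dst_host), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts.replace(second=0), src, parts[2]


def flag_llm_egress(lines, threshold=20):
    """Count LLM-API calls per (src_ip, minute) for hosts in the watched subnets
    and return the buckets at or above `threshold` as {(src_ip, minute_iso): count}."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the sweep
        bucket, src, dst = parsed
        if dst in LLM_API_HOSTS and any(src in net for net in MODEL_HOSTING_SUBNETS):
            counts[(str(src), bucket.isoformat())] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


for (src, minute), n in flag_llm_egress(SAMPLE_LOG).items():
    print(f"ALERT {src}: {n} LLM API calls in the minute starting {minute}")
```

Feed it your real proxy or NetFlow export in the same five-field shape and tune the threshold against a week of baseline traffic before paging on it.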

What we don’t know yet

  • Which model. Sysdig has not (yet) named the LLM the agent ran on. Whether it ran on a public inference API or a self-hosted model is not stated. Unconfirmed.
  • Victim identity, sector, geography. Not disclosed.
  • Ransom demand or payment. Not disclosed.
  • Whether the destruction was intentional strategy or model behavior. An LLM-driven agent that “wipes and encrypts” the same store is not obviously optimal ransomware tradecraft. Could be strategy; could be an agent following instructions loosely. Sysdig’s writeup, as summarized, does not resolve this. Analysis — labeled.
