Decoding the world of cybersecurity

JadePuffer makes agentic ransomware concrete

Sysdig says JadePuffer used an LLM-driven agent to conduct database extortion after exploiting Langflow and chaining routine techniques at speed.

JadePuffer makes agentic ransomware concrete
Summary
  • Sysdig says JadePuffer is the first documented agentic ransomware operation it has observed.
  • The attack exploited an exposed Langflow instance using CVE-2025-3248 and moved toward a production database server.
  • The case shows how AI agents may lower the skill threshold for chaining known weaknesses into extortion activity.

Sysdig says it has observed an agentic ransomware operation in which an LLM-driven operator chained reconnaissance, credential discovery, lateral movement, and destructive database extortion activity.

The company’s threat research team has named the activity JadePuffer. Its analysis says the operation began with exploitation of CVE-2025-3248 in an internet-facing Langflow instance. Langflow is an open-source framework used for building LLM applications and agent workflows.

Sysdig says the attack unfolded across two targets: the exposed Langflow instance used for initial access and a separate production database server that became the objective. Payloads were delivered as Base64-encoded Python through the Langflow remote-code-execution endpoint. The agent then enumerated the host, searched for credentials and API keys, examined databases and configuration material, scanned internal services, and attempted to reach storage and database infrastructure.

The company’s conclusion that the operation was LLM-driven is based on multiple lines of evidence, including self-narrating payloads, natural language reasoning embedded in code, target prioritisation, and adaptive retries. Sysdig also said the agent’s claim that data had been backed up before destructive database commands was not independently verified. The encryption key was ephemeral and unrecoverable, meaning payment would not have restored the victim’s data.

The technical components were not individually novel. The risk comes from how quickly an agent combined exposed AI infrastructure, credential searching, internal enumeration, service probing, persistence, database manipulation, and extortion logic into a coherent attack chain.

UK and European organisations are deploying AI application frameworks, orchestration tools, model gateways, vector databases, prompt tooling, and cloud connectors at speed. These systems often hold API keys, cloud credentials, database secrets, and integration tokens. If they are exposed to the internet or deployed without basic isolation, they become attractive entry points.

Agentic ransomware also changes detection assumptions. Human operator behaviour, timing, and tradecraft may not apply where an agent can enumerate, retry, and adapt quickly. Sysdig’s finding that LLM-generated payloads may narrate their own intent also creates detection opportunities where logs capture command content, code comments, or unusual tool calls.

The governance issue is immediate. AI infrastructure should be treated as production infrastructure, even when it begins as an experiment. It needs asset ownership, patching, authentication, network controls, secrets management, logging, monitoring, and incident response coverage. Shadow AI services with live credentials may become an exposed development surface.

Sysdig has described JadePuffer as the first documented case of agentic ransomware it has captured. Other cases may exist outside public reporting, but this example provides an evidence-backed view of how agentic systems can automate the path from an exposed AI development framework into extortion-style damage.

AI application security can no longer sit apart from cloud security, software security, and identity governance. The tools used to build agentic systems are themselves becoming part of the attack surface.

×