An AI agent is said to have independently executed a complete ransomware attack.

An AI agent is said to have independently executed a complete ransomware attack.

      Cybersecurity researchers have reported what might be the first ransomware attack almost entirely executed by an autonomous AI agent, indicating a significant evolution in the nature of cyberattacks. The cloud security company Sysdig has identified a ransomware operation named JadePuffer, which seems to have utilized a large language model (LLM) agent to conduct nearly every phase of the attack without ongoing human assistance.

      If validated, this event implies that AI is advancing from merely generating malicious code to actively strategizing, adapting, and executing cyberattacks in real time.

      JadePuffer demonstrated adaptability similar to human hackers.

      Sysdig's investigation revealed that JadePuffer started by leveraging CVE-2025-3248, a remote code execution vulnerability in Langflow, an open-source framework for building LLM-based applications. This flaw, which was patched in April 2025, was subsequently included in the US Cybersecurity and Infrastructure Security Agency’s (CISA) list of vulnerabilities known to be exploited in practice.

      After infiltrating the system, the AI agent reportedly executed a comprehensive attack chain typically associated with skilled human operators. It gathered host information, sought credentials and sensitive files, extracted cloud secrets, and mapped storage resources before moving laterally through the victim's infrastructure.

      What was particularly noteworthy was not just the automation but the agent's adaptability.

      The Sysdig report indicated that the researchers noticed the AI agent dynamically responding to certain command failures. For instance, when the malware received an unexpected XML response while querying a MinIO object store, rather than failing, the agent adjusted its parsing logic and attempted again using a different method. Researchers also noted an automatic correction of a failed login attempt that occurred within 31 seconds, without any human intervention.

      The AI subsequently established persistence by creating scheduled cron jobs and then moved to a production server running Alibaba Nacos, where it exploited CVE-2021-29441 to create unauthorized administrator accounts. It ultimately encrypted 1,342 Nacos configuration records, deleted the original data, and replaced it with a ransom note demanding Bitcoin payment.

      Interestingly, researchers discovered several indicators that suggested the operation was AI-generated. The malicious code included unusually detailed natural-language comments explaining its logic, while the ransom note referenced a Bitcoin wallet commonly featured as an example in documentation, rather than a legitimate payment address. Sysdig also suspects that the malware likely employed AES-128 in ECB mode, despite claiming to utilize AES-256 encryption.

      These findings emerge as cybersecurity professionals increasingly caution about the rise of agentic AI, which allows AI systems to autonomously plan and carry out complex tasks instead of merely reacting to prompts. Although JadePuffer exploited known vulnerabilities rather than creating new attack techniques, its capacity to independently conduct reconnaissance, privilege escalation, persistence, and ransomware deployment signifies a considerable advancement in offensive AI capabilities.

      Sysdig asserts that this incident illustrates that “agentic threat actors” have effectively appeared, potentially reducing the technical skills needed to execute advanced cyberattacks. Moreover, researchers point out that AI-generated attacks might also exhibit distinct behavioral patterns and coding traits that defenders can leverage to develop new detection strategies.

      For organizations, the report serves as an important reminder that maintaining internet-facing systems and securing cloud credentials is crucial, even as the landscape of attackers evolves.

An AI agent is said to have independently executed a complete ransomware attack. An AI agent is said to have independently executed a complete ransomware attack.

Other articles

Novartis acquires the UK biotech Myricx for as much as $1.5 billion in pursuit of a new class of cancer treatments. Novartis acquires the UK biotech Myricx for as much as $1.5 billion in pursuit of a new class of cancer treatments. Novartis will provide $1.1 billion upfront and up to $400 million based on milestones for Myricx Bio, a UK company working on a new payload for antibody-drug conjugates. China's Biren secures $892 million to compete with Nvidia. China's Biren secures $892 million to compete with Nvidia. Shanghai Biren is offering HK$7 billion (approximately $892 million) in new shares to facilitate the mass production of its upcoming GPUs, as US restrictions on Nvidia present an opportunity for China's chip manufacturers. The energy tax associated with AI was already worrying. Studies indicate that AI agents are over a hundred times more detrimental. The energy tax associated with AI was already worrying. Studies indicate that AI agents are over a hundred times more detrimental. A study from KAIST shows that AI agents use significantly more energy than traditional AI, emphasizing an increasing issue for data centers and forthcoming AI infrastructure. Novartis acquires UK biotech Myricx for as much as $1.5 billion to pursue a new class of cancer drugs. Novartis acquires UK biotech Myricx for as much as $1.5 billion to pursue a new class of cancer drugs. Novartis will provide an initial payment of $1.1 billion and potential milestone payments of up to $400 million for Myricx Bio, a UK-based company working on an innovative payload for antibody-drug conjugates. The energy consumption of AI was already troubling. Studies indicate that AI agents are over a hundred times more energy-intensive. The energy consumption of AI was already troubling. Studies indicate that AI agents are over a hundred times more energy-intensive. A study conducted by KAIST indicates that AI agents use significantly more energy compared to traditional AI, underscoring an increasing issue for data centers and the future of AI infrastructure. The Washington Post forecasted technological advancements 50 years ago, and the accuracy of those predictions is quite humbling. The Washington Post forecasted technological advancements 50 years ago, and the accuracy of those predictions is quite humbling. The Washington Post revisited a 1976 article that predicted life in 2026, highlighting the accuracy of its forecasts concerning smartphones, solar energy, gene editing, and various other technological advancements.

An AI agent is said to have independently executed a complete ransomware attack.

Security experts report that an autonomous AI agent conducted a full ransomware attack, adjusting to obstacles and performing the intrusion with little human involvement.