a daily news desk
Deployments

JADEPUFFER: Sysdig flags first ransomware campaign run end-to-end by an LLM agent

An autonomous agent chained a Langflow RCE, credential reuse and a Nacos wipe against a production database — with a human still somewhere upstream.

Sysdig’s Threat Research Team says a ransomware operator it’s calling JADEPUFFER ran an entire intrusion end-to-end through an LLM agent, from initial access to extortion note. If the writeup holds up, it’s the first publicly documented case of the full kill chain being driven by a model rather than a human at a keyboard.

The mechanics are almost mundane. The agent gained a foothold through CVE-2025-3248, an unauthenticated RCE in Langflow, then installed a cron job beaconing back to attacker infrastructure every 30 minutes. From there it pivoted to a production MySQL server running Alibaba’s Nacos configuration service, using root credentials whose origin Sysdig couldn’t determine. It exploited CVE-2021-29441 to spawn rogue admin accounts in Nacos, encrypted 1,342 service configuration items, deleted the originals, and dropped the note.

None of that’s novel on its own. Johan Edholm, co-founder of Detectify, told Dark Reading the attack was “more evolution than invention.” What’s new is the operator.

Sysdig’s evidence for agency is behavioral: self-narrating payloads, more than 600 distinct purposeful payloads inside a compressed window, and real-time adaptation. In one sequence, Michael Clark, Sysdig’s senior director of threat research, said the agent “went from a failed login to a working fix in 31 seconds.” His broader read: “an LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step.”

That last clause is where the labor economics of intrusion tilt. TechCrunch pushed back on the “no human at the keyboard” framing, and Clark confirmed to CyberScoop that a human was still involved upstream. Sysdig was also unable to identify the specific model or its system prompt. Geoff McDonald, a Microsoft researcher, speculated on LinkedIn, drawing on his own red-teaming work, that an open-weight model with safety training stripped out is a likelier candidate than a frontier system.

The uncomfortable read is that the deskilling story arrived before the model-attribution story did. Defenders now have to treat exposed app servers, config stores, and internet-facing database admin accounts as the primary attack surface for operators who don’t need to know what they’re doing.

Sources