Researchers say LLM-driven ransomware campaign showed new level of automation

Sysdig threat researchers have described what they say is the first documented ransomware operation in which a large language model, rather than a human operator, handled the full attack chain from in...

Sysdig threat researchers have described what they say is the first documented ransomware operation in which a large language model, rather than a human operator, handled the full attack chain from initial access through data destruction and extortion.

The campaign, which the company tracks as JadePuffer, reportedly began with exploitation of CVE-2025-3248 in an internet-facing Langflow instance. That flaw is a missing authentication issue that can let remote attackers run arbitrary Python code on the host. From there, the automated intruder scanned the environment for secrets, including cloud credentials, API keys, cryptocurrency wallets and database logins.

Automated targeting and persistence

According to Sysdig, the malware-like workflow showed signs of LLM-generated reasoning and task planning, including self-narrating steps and rapid retries when actions failed. In one example cited by the researchers, the system moved from a failed login attempt to a successful workaround in just over half a minute.

The campaign also established persistence by adding a scheduled task to contact attacker-controlled infrastructure every 30 minutes. Sysdig said the actor then pivoted to another exposed production server hosting MySQL and Alibaba Nacos, a service-discovery and configuration platform used in cloud environments.

On that system, the intruder used root database access, then attacked Nacos through multiple routes, including an authorization bypass issue and a forged JSON web token generated with the default signing key. Researchers said the attacker also inserted a backdoor administrator account into the Nacos database.

Encryption and extortion

Sysdig said the operation encrypted 1,342 Nacos configuration records using MySQL’s AES encryption function and produced a ransom note, Bitcoin address and Proton Mail contact. The note claimed customer data and personal information had been encrypted.

The researchers warned that recovery may be impossible even if a victim paid, because the automated process reportedly deleted data at the schema level without preserving usable backups.

Sysdig urged defenders to patch Langflow to address CVE-2025-3248, avoid exposing code-execution services to the internet, keep Nacos off public-facing networks, replace default signing keys, and remove provider API keys and cloud credentials from AI orchestration environments.

While the techniques used in the incident were not especially novel, Sysdig said the significance lies in how an LLM combined them into a complete ransomware workflow against neglected internet-facing systems.