Artificial intelligence is claiming many firsts as it permeates every layer of technology, including the tools cybercriminals use to break into networks, steal sensitive data, hop into connected systems and deploy malware. 

This includes, for the first time, according to Sysdig researchers, a case of agentic ransomware managing an extortion operation spanning reconnaissance, credential theft, lateral movement, persistence, encryption, destruction and the delivery of the ransom note itself.

The AI agent didn’t accomplish every step in the late June 2026 attack, but it allowed the threat actor, which Sysdig tracks as JadePuffer, to significantly reduce complexity, speed up the tempo and gain operational advantages. 

“We have seen attackers script attacks for years, and we have seen AI speed up individual steps of attack chains,” Michael Clark, senior director of threat research at Sysdig, told CyberScoop. However, this recent attack was “driven end-to-end by the model’s own decision-making, rather than a human at the keyboard,” he added.

The AI-aided attack achieved initial access by exploiting a Langflow vulnerability — CVE-2025-3248 — before moving on to its intended target: a production server running MySQL and Alibaba Nacos. 

Sysdig observed multiple factors that bolstered what it described as the first documented use of agentic ransomware.

The payloads involved in the attack narrated their objectives in plain language and identified high-value databases, details that large-language models annotate by default, according to Clark. The AI agent also quickly diagnosed problems and worked around obstacles — in one case redeploying a corrected payload 31 seconds after it originally encountered an error.

Before it was all over, the AI agent ran more than 600 distinct, purposeful payloads in rapid succession.

“The model closed loops that used to require a skilled human,” Clark said. “The 31-second failure-to-fix cycle on the Nacos backdoor is the clearest example of where agentic AI gave the attacker an advantage. The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches.”

Sysdig researchers found evidence that multiple models were used in the attack. The agent accessed keys for OpenAI, Anthropic, DeepSeek and Gemini as it gathered information on the victim’s systems. The cybersecurity vendor did not name the victim.

The AI agent played a crucial role in the attack, but a person was still heavily involved, Clark said. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” he added.

The agent also connected to the victim’s MySQL server with root credentials that were not lifted from the victim’s environment, indicating a person gained access to the credential through a prior compromise. 

The origins of JadePuffer, a financially motivated threat actor, are unknown and it doesn’t overlap with any established ransomware group or nation state, researchers said.

For Clark, there is a clear uncomfortable takeaway from this attack: “The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent,” he said. 

“We have not yet seen operations against other victims, and given how cheap this agentic ransomware operation is to run, I would expect this will not be the last.”

The post Sysdig clocks first documented case of agentic ransomware appeared first on CyberScoop.