JadePuffer Exploits CVE-2025-3248, Encrypts Files in First AI-Driven Ransomware Case
Updated
Updated · ZDNet · Jul 7
JadePuffer Exploits CVE-2025-3248, Encrypts Files in First AI-Driven Ransomware Case
3 articles · Updated · ZDNet · Jul 7
Summary
Sysdig said JadePuffer used an LLM to run a ransomware attack chain after exploiting CVE-2025-3248, an unauthenticated Langflow remote-code-execution flaw, then encrypted a production server and demanded Bitcoin.
The AI moved from initial access to reconnaissance, credential theft and persistence, harvesting API keys, cloud credentials, wallet seed phrases, database credentials and configuration files before pivoting to an Alibaba Nacos server.
Researchers said the model adapted mid-attack: when one access attempt failed, it generated and deployed a corrective payload within 31 seconds, while annotating each step and its reasoning.
The case is being framed as the first documented agentic ransomware campaign, sharpening concerns that autonomous tools can compress detection and containment windows and force defenders toward behavior-based and AI-assisted response.