Artificial intelligence's autonomous capabilities have once again drawn significant attention from the security community. Security vendor Sysdig recently disclosed a ransomware attack incident codenamed "JADEPUFFER," which is the first recorded case worldwide of a full-cycle ransomware attack carried out entirely by an AI agent.

In this incident, the attackers did not rely on any new vulnerabilities but demonstrated a worrying "autonomous decision-making" capability. The AI agent infiltrated an internet-exposed Langflow service and successfully gained control of the host using a previously known high-risk vulnerability, CVE-2025-3248. The subsequent attack process resembled a precisely orchestrated automated experiment: the agent automatically scouted the system, collected sensitive information such as API keys for large model services, cloud platform login credentials, and database account details, and further accessed object storage through default passwords. It even created scheduled tasks to maintain long-term access to the victim server.

QQ20260706-134545.png

More notably, when the attack target shifted to servers deployed for production, the agent exhibited strong strategy adjustment capabilities. While attempting to control the configuration center via a database account, if the operation failed, the agent did not blindly repeat the action but quickly analyzed the error, adjusted parameters, and re-executed within 31 seconds, continuing until it successfully obtained administrator privileges. Researchers found that the agent executed over 600 logically clear payload operations throughout the entire attack chain.

In the ransom phase, the agent encrypted all configuration data in MySQL and left a ransom message containing a Bitcoin contact. However, security analysis pointed out that the agent did not save or upload the encryption key after generating it, meaning that even if the victim paid the ransom, the data could not be recovered. Additionally, although the AI claimed to have backed up the data, researchers found no evidence of data exfiltration.

This incident proves that AI agents now have the capability to autonomously connect vulnerabilities, escalate privileges, move laterally, and carry out destructive attacks, significantly lowering the technical barriers for implementing cyberattacks. In response, security experts recommend that enterprises immediately take multiple defensive measures: first, thoroughly patch system vulnerabilities and avoid directly exposing critical interfaces to the public network; second, strictly limit the use of high-privilege accounts for databases and promptly replace default JWT signature keys; finally, enterprises should enhance runtime behavior monitoring, and by restricting the server's outbound communication capabilities, block the destruction chain of such automated attacks as much as possible.