Threat Advisory Special Report: Dark AI
Dark AI and shadow AI are reshaping enterprise risk. UltraViolet's TIDE Team breaks down the threats, the exposure, and what security leaders should do now.
Find flaws in AI Systems
Find flaws in web, mobile, and IoT applications.
Live-fire exercises to sharpen detection and response.
Time-boxed security assessments across networks, apps, and infrastructure.
Simulated attacks to test detection and incident response.
Named security experts integrated seamlessly into your team.
Real-time detection and automated threat response.
24x7 monitoring and response by expert analysts.
Detection-focused SIEM migration without visibility gaps.
UltraViolet's proprietary AI platform powering all application penetration testing.
Unified security platform powering all UV services.
Cross-platform toolkit for advanced red team ops.
UltraViolet Cyber provides security services across the AI lifecycle, combining strategy, threat modeling, adversarial testing, monitoring, and training to support secure AI adoption.
Learn how a major U.S. airport operator achieved 24/7 threat detection, improved security maturity, and ...
Secure your code, infrastructure, and deployment pipelines before attackers exploit them.
Inside Solstice, UltraViolet Cyber's AI-augmented application penetration testing platform: how the two-lane engagement ...
AI Governance by DesignAn Architecture-Aware Approach for Embedding Governance into AI Systems
UltraViolet Cyber is a practitioner-led MSSP delivering offensive and defensive security to Global 2000 and Federal clients. Built by former intelligence operators, we unify application security, red teaming, detection, and engineering under one roof. Our UV Lens platform replaces silos with integrated, outcome-driven operations.
UltraViolet Cyber
July 8, 2026
Researchers at Sysdig's Threat Research Team have documented what is assessed to be the first known case of a ransomware operation run entirely by an autonomous large language model, with no human operator directing any phase of the attack. The actor, designated JADEPUFFER, moved through reconnaissance, credential harvesting, lateral movement, data encryption, and extortion as a continuous, self-directed sequence. The significance here is not technical novelty, since the underlying methods are well-worn, but architectural: an AI agent replaced the human element that ransomware has always required.
The environments targeted shared a recognizable profile: AI-adjacent infrastructure left internet-facing, legacy services running on default or unchanged credentials, and known vulnerabilities that had gone unaddressed. That profile is not rare. It describes a wide cross-section of organizations that have scaled their technology footprint faster than their security practices. JADEPUFFER found and exploited exactly that gap, and it did so without a specialist operator guiding each step.
The takeaway for stakeholders is straightforward: the conditions that made this attack possible are common, the tooling that enabled it will only become more accessible, and waiting for greater sophistication before responding is not a viable posture.
What UltraViolet Cyber is Doing
JADEPUFFER is categorized as an Agentic Threat Actor, which is a classification applied when an AI agent, rather than a human or a fixed automated script, serves as the primary driver of offensive activity. The campaign proceeded in two phases against two distinct targets, with the first system compromised specifically as a pathway into the second.
Initial access was established by exploiting CVE-2025-3248, an unauthenticated code execution flaw in the Langflow platform. Langflow is an open-source framework used to build AI-driven applications and agent workflows, and it sits in an attractive position for attackers: deployments routinely carry API keys for major AI providers, cloud platform credentials, and internal service configurations as part of normal operations, often without the network controls or secrets hygiene applied to traditional production systems. Once execution was achieved, the agent performed systematic host profiling and conducted a parallel sweep of the environment for multiple secret categories. These include AI provider keys, credentials for cloud platforms spanning both major Western providers and several Chinese services, database connection strings, and cryptocurrency-related files.
The agent then extracted data directly from Langflow's own database backend, gathering stored credentials and user account information, before probing the internal network for adjacent services. A MinIO object storage instance was reached at its default internal address using the service's default administrative credentials. The agent worked through the available storage buckets methodically, ultimately retrieving configuration and credential files whose names suggested high value. Before moving on, a persistence mechanism was installed via the system scheduler, configuring recurring outbound contact with attacker-controlled infrastructure.
The production server targeted in the second phase ran a MySQL database alongside an Alibaba Nacos instance (a service discovery and configuration management platform with a documented history of authentication weaknesses). The default cryptographic signing key used by Nacos for session tokens has been publicly known for years and remains unchanged in many deployments, allowing an attacker to forge valid administrative credentials without any access to the system. The agent pursued access through several simultaneous methods: leveraging the known authentication bypass vulnerability class, constructing forged tokens using the default key, and inserting a backdoor administrator account directly into the Nacos database through the root-privileged MySQL connection it already held.
An initial attempt to create this backdoor account failed because of a library dependency issue. The agent identified the specific cause, constructed a corrected approach, and had a functioning account within roughly half a minute with no human guidance nor external intervention. Once administrative access was confirmed, the agent encrypted the full set of Nacos service configuration records using a database-native encryption function, removed the original data tables along with historical records, and created an extortion notice inside the database containing a Bitcoin payment address and contact information. The encryption key used was randomly generated, appeared once in the agent's execution output, and was discarded. This in turn left the victim with no path to recovery even if a ransom was to be paid. The agent then proceeded to drop entire database schemas, selecting targets based on apparent data value.
Several behavioral characteristics collectively support the assessment that this operation was driven by an autonomous AI model rather than human direction or scripted tooling. Throughout the operation, the agent produced code annotated with natural-language explanations, such as describing the reasoning behind target selection, estimating the relative value of different databases, and narrating what each step was intended to accomplish. This kind of self-commentary appears naturally in AI-generated code and is essentially absent from human-written attack tooling. More telling still was the pattern of error handling: each time a step failed, the agent's next action corrected the specific underlying cause rather than issuing a generic retry. A database drop blocked by a referential integrity constraint was followed immediately by a payload that suspended that constraint, completed the drop, and restored the original setting. The total operation encompassed several hundred distinct payloads executed within a condensed window, with a coherence and adaptive quality inconsistent with either a human operator or a prewritten script.
The practical barrier to running a ransomware operation has historically been human expertise. Chaining together exploitation, internal navigation, persistence, and data destruction required either a skilled operator or a team that could cover those disciplines collectively. JADEPUFFER removes that requirement. An AI agent can now work through each of those phases autonomously, meaning an operator no longer needs to understand what they are doing at any individual step since they only need to configure the agent and point it at a target. When the compute cost of running that agent is covered by stolen credentials, the financial barrier disappears alongside the technical one.
The victim profile in this campaign carries a direct implication for organizations assessing their own exposure. The systems compromised were not obscure or unusually difficult to secure. Instead, they were internet-facing AI infrastructure with a known unpatched vulnerability, a configuration service still using a default signing key that has been publicly documented for years, and internal storage accessible with credentials that had never been changed from factory defaults. These conditions exist broadly across organizations that have prioritized deployment speed over security rigor, particularly in the AI and cloud-native infrastructure space where tooling is adopted quickly and hardening practices often lag. The shift to agentic attackers means that the historical assumption that neglected but obscure systems are unlikely to be targeted no longer holds. An agent can work through the full catalog of known vulnerabilities across all exposed systems at negligible cost per attempt.
AI infrastructure itself has become a primary attack surface that many organizations have not yet incorporated into their formal threat models. Platforms used to build and orchestrate AI applications tend to accumulate sensitive credentials as a byproduct of their function, such as keys for commercial AI services, access credentials for cloud environments, database connection strings, and infrastructure configuration data. A single compromised node of this type can give an attacker everything needed to reach production systems, as JADEPUFFER demonstrated by moving from a Langflow server to a production database without acquiring any additional access through external means.
The temporal dimension of this threat also warrants attention. Security programs built around human-paced review cycles (e.g., monthly, quarterly) are structurally mismatched to an attacker that can complete an entire extortion cycle within a single session and correct failed steps in under a minute. Criminal actors face no procurement delays, compliance reviews, or organizational approval processes when adopting new tooling. As agentic offensive capabilities become more packaged and accessible, adoption across the threat actor spectrum will be rapid, and the window between a new capability emerging and it being used at scale against common infrastructure will compress further.
We’re here to help. Get in touch for an initial conversation with one of our security experts and learn more about how UltraViolet Cyber can help you take cyber readiness and resilience to new levels.