TL;DR
- Sysdig reports the JadePuffer campaign as the first fully agentic ransomware attack—an LLM-driven agent exploited CVE-2025-3248 and carried out the rest of the attack on its own, retrying failed steps to boost success.
- It’s not as automated as headlines suggest: Expel’s Aaron Walton points out a human operator still directs the LLM, and this one looks distinctly unskilled—no stored decryption keys, no bitcoin address for extortion.
- The takeaway for defenders is the same as always: the fundamentals still matter, and accountability still traces back to the human behind the agent, not the AI itself.
This morning, July 6, 2026, Infosecurity Magazine dropped an article: “Researchers claim first fully agentic ransomware: JadePuffer,” based on research from Sysdig, a cloud security firm.
The lead? Sysdig says JadePuffer actor is the first to run a ransomware attack completely driven by a large language model (LLM). In this attack, the actor exploits CVE-2025-3248 and uses an LLM to carry out the remainder of the ransomware attack via an agent, not a human-driven toolkit. The agent also autonomously retried the steps of its attack upon failure, increasing its own success rate, according to the research.
Why this matters
It’s not what you think—yes, self-driving agentic attacks sound scary, but this isn’t the end. In fact, what’s most important here is stepping back and looking at the bigger picture.
Senior Threat Intelligence Aaron Walton makes a great point:
“My biggest concern about the JadePuffer campaign is that many second hand reports focus only on the LLM and lose sight of the operator. Sysdig themselves named the operator ‘JadePuffer,’ but the label is getting applied to the agent and the actions of the LLM.
“The distinction is important in as much as the LLM isn’t operating on its own, but is directed by a human operator. And in this case, the human operator appears unskilled: they unleashed the LLM to encrypt a system without ensuring the keys were stored for decryption, and they didn’t provide their bitcoin address for extortion. This behavior is similar to that of an amateur.
“Forgetting the human operator risks blaming AI/LLMs rather than the people operating them. It also risks causing fear that these attacks are fully automated, choosing targets on their own. Right now they are still controlled and directed by bad actors, who can be held accountable.”
TL;DR? It’s still all about the fundamentals, whether you’re an attacker or a defender. And in this case, the fundamentals of this attack still point back to humans, and it’s important to remember that distinction.
