Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Check Point Research demonstrated that a frontier AI model independently discovered a viable ransomware attack path using Chrome's File System Access API — no native payload, no exploited vulnerability, no root access required.
Check Point Research demonstrates a complete browser-based ransomware chain requiring no native payload or installation. A fake AI enhancement tool tricks users into granting File System Access API permissions, then enumerates, exfiltrates, and encrypts local files entirely within the browser. DeepSeek showed significantly weaker resistance to generating this technique than OpenAI or Anthropic models.
Sophos researchers uncovered an operational threat actor lab using Claude Opus 4.5, Cursor, and MCP to build and test EDR evasion malware against live Sophos, CrowdStrike, and Microsoft Defender installations.
GhostCircuit is a RaaS operation that integrated LLM tooling into its post-compromise reconnaissance, dramatically reducing time from initial access to ransomware deployment.