Logo
FrontierNews.ai

Why Chinese AI Models Are Now Powering Ransomware Attacks

Chinese-developed artificial intelligence models have closed the gap with U.S. frontier systems enough to power autonomous ransomware attacks, security researchers warn. Models including DeepSeek, Qwen, Kimi, and GLM can now run the same reasoning and decision-making tasks required for agentic attacks, according to analysis from the Center for Strategic and International Studies. This shift means attackers no longer need access to expensive commercial AI services; they can run stripped-down versions of these models locally on commodity hardware, avoiding billing accounts, provider policies, and abuse detection systems entirely.

What Makes Chinese Open-Weight Models a Security Concern?

The first documented agentic ransomware operation, called JadePuffer, demonstrated how an AI agent could autonomously navigate a target network, diagnose failures, and correct itself in real time. When an initial attempt to create a backdoor administrator account failed because a subprocess call had no access to the system path, the agent read the error message, switched from subprocess calls to direct library imports, verified the library was available, regenerated the encryption hash, reinserted the account, and confirmed the login succeeded, all within 31 seconds.

What made this attack possible was not exotic technology. JadePuffer ran on a ReAct architecture, the same perceive-reason-act-learn loop that powers every commercial AI agent tool deployed in enterprise environments today. The model received output from each action, reasoned about what it revealed, generated the next action, and continued. This adaptive precision, where each failure produced a targeted diagnostic rather than a blind retry, is now achievable with open-weight models running on local hardware.

"The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches," explained Michael Clark, Senior Director of Threat Research at Sysdig.

Michael Clark, Senior Director of Threat Research at Sysdig

An operator running JadePuffer-equivalent logic on a locally hosted stripped model faces no billing account termination, no provider policy enforcement, and no abuse detection system to evade. This represents a fundamental shift in the economics of sophisticated cyberattacks. Where frontier AI models like GPT-4 or Claude require subscription accounts that can be monitored and shut down, open-weight models distributed through unofficial channels offer complete operational independence.

How Are Chinese Models Closing the Capability Gap?

The Center for Strategic and International Studies assessed that Chinese-developed models including GLM, DeepSeek, Qwen, and Kimi have closed much of the gap with U.S. frontier systems for general reasoning tasks as of July 2026, the class of tasks an agentic attack chain requires. This assessment matters because general reasoning capability is the core requirement for autonomous decision-making in cyberattacks. An AI agent does not need to excel at creative writing or image generation; it needs to read error messages, understand what went wrong, and generate a corrected approach.

Open-weight models are those whose internal parameters and weights are publicly released, allowing anyone to download, modify, and run them without relying on a company's servers. This contrasts with closed models like GPT-4, which run only on OpenAI's infrastructure. The availability of open-weight models means that capability improvements in Chinese systems directly translate into more accessible attack infrastructure for threat actors worldwide.

Steps Security Teams Should Take Now

  • Patch Known Vulnerabilities Immediately: JadePuffer exploited CVE-2025-3248, a critical unauthenticated remote code execution flaw in Langflow that was patched in March 2025 and added to CISA's Known Exploited Vulnerabilities catalog in May 2025. The attacked server had not been updated in more than a year after the patch existed. Organizations must prioritize patching internet-facing systems, especially those running open-source frameworks used to build AI-powered applications.
  • Audit Internet-Exposed Instances: Recorded Future's Insikt Group documented approximately 1,050 internet-exposed Langflow instances on Shodan at the time of the JadePuffer attack, with the largest concentrations in the United States, China, Germany, Singapore, and the United Kingdom. Security teams should scan their own infrastructure for exposed instances and remediate them immediately.
  • Implement Immutable Backups: JadePuffer was functionally a wiper, not ransomware, because the attacker never stored or transmitted the encryption key. The only recovery path for victims was immutable backups that were not reachable from the compromised environment. Organizations without tested backup procedures have no recovery options if attacked.

The broader implication is stark: the barrier to entry for sophisticated agentic attacks has dropped dramatically. Where JadePuffer required either access to a frontier AI model or the technical sophistication to build a custom agent, future attackers can now download open-weight models and run them locally. According to security researchers, the only barrier they will need to clear is an unpatched internet-facing server.

For security teams still treating the original Sysdig disclosure as a one-off curiosity, the question has shifted from "did this happen?" to "how many more can happen now, and at what cost to the attacker?" The answer, based on the accessibility of Chinese open-weight models and the commodity hardware required to run them, suggests the cost has never been lower.