Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign

Chinese actors used Claude Code and DeepSeek to automate attacks that breached government systems and targeted financial firms.

Hunt.io researchers stumbled onto an active intrusion campaign in June 2026 while pivoting on known TencShell command-and-control infrastructure. A single HTTP header fingerprint on port 1111 led them to 13 Hong Kong-based servers and, on one of them, an open directory containing 2,431 files and 80 subdirectories: victim source code, custom exploit scripts, cloned login pages, and operator logs with notes written in Simplified Chinese. Someone left the door open. Researchers walked right in.

What made this find unusual wasn’t just the scope of the targeting. It was the tooling.

“What caught our attention was the tooling behind it. Claude Code and DeepSeek-v4-pro ran as working parts of the intrusion, not tools off to the side. They handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials.” reads the report published by Hunt.io. “That puts this campaign alongside Anthropic’s November 2025 disclosure of a China-linked operation that used Claude Code to automate large-scale intrusions.”

This puts the campaign alongside Anthropic’s own November 2025 disclosure of a China-linked operation that used Claude Code to automate large-scale intrusions.

The campaign resembles another China-linked operation that Anthropic disclosed in November 2025, where attackers also used Claude Code to automate large-scale intrusions.

The recovered logs show that the attackers split the work between two AI models. Claude Code 2.1.165 handled execution by running Bash commands, managing long-running sessions, carrying out tasks in parallel, and creating phishing infrastructure. DeepSeek-v4-pro handled the planning by generating scripts, choosing attack techniques, and finding new ways to bypass defenses when earlier attempts failed.

“DeepSeek-v4-pro operates as the underlying reasoning model, handling attack logic, script generation, and decision-making.” continues the report. “In short, offensive logic is routed through a Chinese domestic LLM while leveraging Anthropic’s agentic execution infrastructure.”

A recovered CLAUDE.md file also contained instructions telling Claude Code to automatically create, test, and improve cloned phishing pages for multiple targets.

Session IDs in the logs confirmed the same infrastructure was used across different country-specific campaigns, with Taiwan operations saved to dedicated working directories. Timestamps on the files span June 8 through 12, 2026, and the three servers sharing SSH keys were actively maintained as recently as June 18-19, when all three reissued their ARL certificates together.

In Thailand, attackers used SQLMap to exploit a government administrative system through SQL injection, gained admin panel access, and deployed a web shell disguised as a GIF file for persistent command execution. The exfiltrated database held the names, national ID numbers, and job titles of government employees. The directory contained 980 files referencing this system alone, suggesting a lengthy and focused operation. Test entries the attackers created during the intrusion confirmed they had hands-on, interactive access to the data, not just automated extraction.

In Afghanistan, a government web application handling citizen complaint submissions was compromised. The attackers extracted source code, database credentials, encryption keys, and mail infrastructure code from a Laravel 5.8.38 installation, then used those credentials to build a custom Python exploit targeting Laravel’s deserialization mechanisms. Six distinct copied versions of the complaint submission form appeared in the directory. For a state actor, access to a live channel where citizens report grievances against government and institutions is a particular kind of intelligence prize.

In Taiwan, eight organizations in supply chain and defense-adjacent sectors were mapped and fingerprinted, with two successfully exploited. A chemical manufacturer was hit through SQL injection. A telecom and edge device manufacturer was compromised after attackers found hardcoded Supabase keys and Azure Logic App tokens in publicly accessible JavaScript files, giving them direct access to cloud infrastructure accounts. The reconnaissance script targeting these organizations ran DNS brute-forcing, certificate transparency queries, and HTTP service fingerprinting with an emphasis on VPN gateways, GitLab instances, and Jira environments.

The United States appeared at earlier stages of the operation rather than as a confirmed breach. NASA hosts launchpad.nasa[.]gov and ngis.nasa[.]gov were logged in network scanning output but not pursued further. Cloned pages impersonating the D.C. Council and Delaware County, Pennsylvania were recovered at varying levels of completion: the D.C. Council WordPress admin login page was fully built while the homepage was still missing images.

Hunt.io assessed the targeting of mid-tier government administrative bodies as consistent with documented Chinese intelligence collection priorities around procurement, vendor relationships, and policy visibility. The county contact form clone, specifically built to capture citizen submissions, fits that same pattern.

A parallel campaign hit financial services firms across Europe, Australia, and Asia. A CORS exploit page on one of the attacker-controlled servers successfully extracted WordPress administrator credentials from a large payment processing platform, with LinkedIn cross-referencing confirming the extracted account names matched real employees.

“In addition to the government-sector activity, the operators ran a parallel campaign against financial services firms across multiple regions. The clearest example being an attacker-developed CORS exploit page on 112.213.124[.]159 that successfully extracted WordPress administrator account data from a large payment processing platform.” states the report. “A cross-reference on the exposed accounts against public LinkedIn profiles, confirmed individuals with the same name as employees of the company.”

The 13 servers are all in Hong Kong, spread across four hosting providers: VMISS Inc., MEGA-II IDC, CTG Server Limited, and Antbox Networks Limited. Three share SSH host key fingerprints and ran identical ARL reconnaissance software serving the same default TLS certificate, with fields pointing to Shanghai. Two servers in the cluster also presented certificates self-identifying as “Gshell C2,” a previously undocumented C2 framework. Because those two servers overlap with the TencShell cluster, Hunt.io assesses with moderate confidence that Gshell is a second C2 framework operated in parallel by the same actors.

The malware recovered from the delivery ports was a previously unreported Linux/ARM 32-bit binary that communicates back to the same infrastructure hub over WebSocket. It’s capable of extracting Tencent QQ messaging credentials including SDK identifiers and cryptographic keys, enterprise messaging platform tokens, and cloud service access keys. A separate Linux/x86 variant uses the Go obfuscation tool garble to strip function names, but both variants share an identical 80-byte encryption key, pointing to a shared codebase across architectures.

“The campaign reflects an intermediate-to-advanced capability set: custom exploit development aimed at specific framework versions, multi-platform malware variants, and integration of LLMs for real-time attack assistance.” concludes the report. “Observable indicators: Simplified Chinese in code and documentation, Hong Kong infrastructure clustering, and multi-continent targeting, are consistent with China-based threat actor activity.”

Hunt.io notified the affected organizations and national CERTs on July 6, 2026, and held publication for a seven-day disclosure window. The full indicator set, including file hashes and network infrastructure, is in the original report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, LLM)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter