Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Flaw in EU Age Verification App Lets Attackers Bypass Checks
July 15, 2026
Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited
July 15, 2026
Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks
July 15, 2026
Home/CyberSecurity News/Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks
CyberSecurity News

Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks

Key Takeaways A China-linked cyber espionage group is actively integrating commercial AI models, Claude Code and DeepSeek-v4-pro, directly into its attack workflows. These AI models are assigned...

David kimber
David kimber
July 15, 2026 5 Min Read
2 0

Key Takeaways

  • A China-linked cyber espionage group is actively integrating commercial AI models, Claude Code and DeepSeek-v4-pro, directly into its attack workflows.
  • These AI models are assigned distinct roles: Claude Code for automation and execution, and DeepSeek-v4-pro for high-level reasoning and exploit generation.
  • The campaign targets government entities and critical infrastructure across Taiwan, Thailand, Afghanistan, and the United States, alongside financial services globally.
  • Attack methods include SQL injection, cloud token exfiltration, data dumps, webshell deployment, and custom RCEs.
  • This marks a significant shift, demonstrating AI’s direct role as an operational component in state-sponsored cyberattacks.

Chinese State-Sponsored Group Leverages Commercial AI in Advanced Cyberattacks

A sophisticated and ongoing cyber intrusion campaign, attributed to a China-linked threat actor, has been uncovered, revealing the direct integration of commercial artificial intelligence platforms into the core operational framework of state-sponsored cyber espionage. This marks a critical evolution in the use of AI in offensive cyber operations, moving beyond mere research assistance to direct involvement in attack execution and logic generation.

Table Of Content

  • Key Takeaways
  • Chinese State-Sponsored Group Leverages Commercial AI in Advanced Cyberattacks
  • AI Models Assigned Specific Roles in Attack Chain
  • Infrastructure and Offensive Toolkit
  • Targeted Attacks Across Multiple Geographies and Sectors
  • What You Should Do

Instead of merely serving as auxiliary research tools, both Claude Code and DeepSeek-v4-pro have been found embedded within the central command-and-control (C2) flows of this extensive cyber campaign. This strategic integration underscores a deliberate effort by the threat actor to leverage advanced AI capabilities for enhanced efficiency and sophistication in their attacks.

The operation initially came to light through Hunt researchers who pivoted on a shared, unique HTTP header fingerprint, which led to the discovery of a broader infrastructure network. This network comprises 13 primary servers distributed across four distinct Hong Kong-based Autonomous System Numbers (ASNs). Earlier documentation by Cato CTRL in May 2026 on TencShell C2 infrastructure provided a foundational lead, exposing an open directory containing victim source code, custom exploit scripts, operator logs, cloned login pages, and documentation in simplified Chinese.

AI Models Assigned Specific Roles in Attack Chain

Analysis of the recovered operator logs provided clear evidence of a programmatic division of labor between the two identified large language models (LLMs):

  • Claude Code (Execution & Automation): This AI model was specifically tasked with agentic tool interaction, processing interactive bash environments, executing terminal commands, and maintaining persistent operational sessions within the compromised systems.
  • DeepSeek-v4-pro (Reasoning & Attack Logic): In contrast, DeepSeek-v4-pro was exclusively utilized for higher-level attack reasoning, generating malicious scripts, devising security evasion logic, and adapting exploits to specific target environments.

Further insights into the campaign’s structure were gleaned from a central CLAUDE.md workspace file. This document contained detailed instructions guiding the automated agent to build, test, and dynamically optimize phishing infrastructure tailored for specific targets. Operational timelines embedded within these findings indicated active working environments dedicated to Taiwan-based intelligence requirements, with activities dated between June 8 and June 12, 2026.

This systematic operational methodology echoes a security advisory issued by Anthropic in November 2025, which highlighted a China-linked threat actor’s use of malicious developer tools to orchestrate large-scale automated infrastructure intrusions.

Infrastructure and Offensive Toolkit

Three of the primary collection nodes within the identified infrastructure network employed overlapping SSH keys and TLS certificates, establishing built-in redundancy layers to ensure operational resilience. The central collection node, 112.213.124[.]132, was found to host a multi-tiered offensive toolkit. This arsenal included the ARL (Attack Reconnaissance Lighthouse) framework for network mapping, DeepAudit for vulnerability identification, and Vshell for remote system administration.

Notably, these tools were situated alongside an open repository staging 2,431 stolen or operational files. The investigation also uncovered an entirely new, undocumented secondary framework, dubbed “Gshell,” operating in parallel across the same infrastructure. This suggests the threat group maintains redundant C2 frameworks to maximize operational uptime and reduce single points of failure.

Targeted Attacks Across Multiple Geographies and Sectors

The campaign exhibits an intermediate-to-advanced threat landscape, characterized by custom exploit payloads fine-tuned for narrow framework version signatures, cross-platform malware orchestration, and real-time LLM-driven evasion cycles. Operators successfully used these sophisticated setups for active credential harvesting across a variety of multi-tenant corporate applications. Specific targets and attack vectors include:

  • Taiwan: Eight firms within supply chain networks and manufacturing entities were targeted. Attacks involved SQL injection (SQLi) against chemical firms and exfiltration of cloud tokens, specifically Supabase/Azure SAS keys.
  • Thailand: Government administrative application nodes were compromised, leading to SQLMap-driven data dumps of employee national ID records and the deployment of GIF-polyglot webshells for persistence.
  • Afghanistan: Laravel-based public application architectures were exploited, resulting in the ingestion of citizen complaint databases and encryption keys via custom deserialization Remote Code Execution (RCE).
  • United States: Public sector subdomains and civic databases were subjected to footprinting of NASA subdomains and the staging of unfinished phishing clones targeting the D.C. Council and Delaware County, Pennsylvania.
  • Financial Services (Global): Enterprise payment processing platforms across Europe, Australia, and Asia were targeted through Cross-Origin Resource Sharing (CORS) exploitation to compromise administrative WordPress web credentials.

The confluence of simplified Chinese developer logs, the use of Hong Kong-based internet infrastructure, and targeting mandates that align with state intelligence objectives strongly supports the attribution of this activity to a China-based threat group.

This campaign signifies a profound shift in cyber warfare, where commercial AI systems are no longer passive research aids but active, force-multiplying components in interactive cyberattacks. This development raises urgent questions regarding the dual-use risks associated with agentic AI environments and the evolving landscape of state-sponsored cyber threats.

What You Should Do

  • Enhance Network Monitoring: Implement advanced detection for anomalous network traffic, especially from Hong Kong-based ASNs, and unusual HTTP header fingerprints.
  • Review Access Controls and Tokens: Regularly audit and rotate cloud tokens (e.g., Supabase/Azure SAS keys) and enforce least privilege principles for all accounts.
  • Patch and Update Systems: Ensure all applications, particularly those based on Laravel and WordPress, are updated to the latest versions to mitigate known vulnerabilities, including SQL injection and deserialization RCEs.
  • Strengthen Phishing Defenses: Implement multi-factor authentication (MFA) across all critical systems, conduct regular security awareness training, and deploy robust email filtering solutions.
  • Monitor for Web Shells: Utilize endpoint detection and response (EDR) solutions to detect and prevent the deployment of webshells, including less common types like GIF-polyglot webshells.
  • Secure Supply Chains: Implement stringent security protocols for supply chain partners and manufacturing entities, especially those handling sensitive data or intellectual property.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwarephishingSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Fake Game Cheats Deliver Warzone RAT to Gamers’ Windows PCs

Next Post

Critical SonicWall Firewall CVE-2021-20021, CVE-2021-20022 Zero-Days Actively Exploited

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Active Directory Zero-Day Actively Exploited
July 15, 2026
Critical BitLocker Vulnerability Lets Attackers Bypass Windows Security
July 15, 2026
Notepad++ Vulnerabilities Enable PowerShell Command Injection
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us