LEGAL DISCLAIMER: This platform is for authorized security research and educational purposes only. Scanning assets without permission is illegal.
HOMEBLOGAI Goes to War: Chinese Hackers Exploit Claude Code and DeepSeek in Government Attacks
AI Goes to War: Chinese Hackers Exploit Claude Code and DeepSeek in Government Attacks
AI Cybersecurity

AI Goes to War: Chinese Hackers Exploit Claude Code and DeepSeek in Government Attacks

SR
Surendra Reddy ↗ View profile
LAST UPDATED: JUL 16, 2026
11 MIN READ
318 VIEWS

Summarize this blog post with:
ChatGPT | Perplexity | Claude | Grok

You've probably read AI coding assistants described as tools that help developers ship features faster. What security researchers just documented is the same category of tool running the operational side of a government-targeting espionage campaign — writing exploits, managing terminal sessions, and building phishing pages with comparatively little human hands-on-keyboard involvement. In this guide, you'll learn how this campaign split work between two AI models, who was targeted, and what it signals about the direction cyber espionage is heading.

Key Takeaways

  • Security researchers at Hunt.io uncovered an active intrusion campaign that used Claude Code and DeepSeek-v4-pro as operational components, not just drafting assistants, during breaches of government systems in Afghanistan, Thailand, and Taiwan.
  • The operators reportedly used a split-model workflow: Claude Code handled execution, bash commands, and session persistence, while DeepSeek-v4-pro handled attack reasoning, exploit adaptation, and evasion logic.
  • Researchers found the campaign after pivoting from TencShell, a Go-based implant previously linked to suspected China-based activity, leading to an exposed, unauthenticated directory containing 2,431 files including victim source code, phishing kits, and operator logs written in Simplified Chinese.
  • Targeting extended beyond government systems to financial services organizations across Europe, Australia, and Asia, plus Taiwanese chemical, telecom, semiconductor, and manufacturing companies.
  • A parallel, previously undocumented command-and-control framework dubbed "Gshell" was found running alongside TencShell on shared infrastructure.
  • This campaign follows a separate incident Anthropic disclosed in November 2025, in which a suspected Chinese state-sponsored group used Claude Code to automate roughly 80–90% of an espionage operation against about thirty organizations.
  • Anthropic has not yet publicly confirmed or commented on this specific July 2026 campaign at the time of publication — the findings currently rest on independent research from Hunt.io and are corroborated by multiple security outlets.

What Is This AI-Powered Government Attack Campaign?

This campaign is an active cyber espionage operation, uncovered by Hunt.io researchers in June 2026, that used two different AI models as working components inside the intrusion process rather than as passive coding aids used before an attack began. Researchers found the operation after pivoting from infrastructure tied to TencShell, a Go-based implant derived from the open-source Rshell framework, first documented by Cato CTRL in May 2026 and assessed as suspected China-linked activity. That pivot led to a server exposing an unauthenticated open directory containing victim source code, custom exploit scripts, phishing kits, cloned government login pages, malware samples, and operator logs — with attack notes written in Simplified Chinese.

For example, the exposed directory held 2,431 files across 80 subdirectories, including PHP and JSP web shells, database dumps, and Linux malware compiled for ARM systems capable of stealing cloud access keys and enterprise credentials. Hunt.io reported it notified the affected organizations and relevant national CERTs on July 6, 2026, and held publication for a seven-day disclosure window before releasing its findings.

Why Does This Campaign Matter?

This campaign matters because it documents a meaningful operational shift: AI models functioning as active parts of an intrusion's execution chain, not just tools consulted beforehand. Recovered logs reportedly showed a definitive, programmatic division of labor between two distinct large language models — one handling hands-on execution, the other handling attack reasoning — which researchers describe as a level of AI integration into the operational loop that goes beyond earlier documented cases.

At the same time, this isn't an entirely new phenomenon. Anthropic itself disclosed a related incident in November 2025, describing a suspected Chinese state-sponsored group that manipulated Claude Code into attempting infiltration against roughly thirty global targets, succeeding in a small number of cases. In that earlier campaign, Claude Code carried out an estimated 80 to 90 percent of the operation with minimal human supervision, according to Anthropic's own account. This July 2026 campaign, if the researchers' findings hold up, would represent a continuation of that same broad trend rather than an isolated incident — threat actors incorporating agentic AI tools directly into hands-on-keyboard attack execution.

Technical Breakdown: How the Split-Model Workflow Operated

According to Hunt.io's analysis, the operators structured their AI usage around a clear division of responsibilities between the two models. Claude Code reportedly handled agentic tool interaction — processing interactive bash environments, running terminal commands, maintaining persistent operational sessions, and supporting phishing-page development. DeepSeek-v4-pro was reportedly used exclusively for higher-level reasoning: attack logic, exploit adaptation after failed attempts, script generation, and security evasion strategy.

The CLAUDE.md Workspace File

For example, researchers reported finding a central workspace file named CLAUDE.md that contained detailed instructions directing the automated agent to construct, test, and dynamically optimize tools for the operation. CLAUDE.md is a standard project-context file format that Claude Code reads to understand a working project's conventions and instructions — its presence here indicates the operators configured their environment deliberately for sustained, semi-autonomous agent use rather than one-off manual prompting.

The Supporting Infrastructure

The primary collection server reportedly hosted a multi-tiered offensive toolkit alongside the AI tooling, including the ARL (Attack Reconnaissance Lighthouse) framework for network mapping, DeepAudit for vulnerability identification, and Vshell for remote system administration. Three servers in the broader cluster shared SSH host keys and default TLS certificates, suggesting the infrastructure was centrally maintained rather than loosely distributed across independent operators. Researchers also identified a second, previously undocumented command-and-control framework called "Gshell" running in parallel across some of the same servers, indicating the group maintained redundant C2 options to preserve operational uptime.

Who Was Targeted in This Campaign?

Confirmed targeting spanned government systems in Afghanistan and Thailand, with additional activity against Taiwan and financial services organizations across multiple continents. A compromised Thai government admin panel reportedly exposed citizen complaint data, potentially giving operators visibility into public grievances and individuals referenced in government service submissions.

Beyond government targets, researchers documented a broader industrial footprint. One Taiwanese chemical company was reportedly compromised through SQL injection, while a telecom and edge-device manufacturer was breached after attackers found exposed Supabase keys and Azure Logic App SAS tokens sitting in public-facing JavaScript files. Financial services organizations across Europe, Australia, and Asia showed evidence of targeted brute-force attempts against billing platforms, based on enumeration scripts and logs found in the exposed directory. Reconnaissance activity in the United States was reportedly limited to scanning against NASA hosts, alongside incomplete phishing pages impersonating the D.C. Council and Delaware County, Pennsylvania — suggesting those specific operations may still have been under development at the time of discovery.

Who Is Behind This Campaign?

Researchers stopped short of formally attributing the campaign to a named threat group, but several indicators point toward China-based activity. Simplified Chinese appeared consistently throughout code comments and operator documentation, infrastructure clustered across multiple autonomous system numbers hosted in Hong Kong, and the TencShell implant underpinning the operation was previously assessed as suspected China-linked by Cato CTRL in earlier research. Researchers described the overall capability level as intermediate-to-advanced, citing custom exploit payloads tuned to specific framework version signatures and cross-platform malware orchestration as supporting evidence.

How Does This Relate to Anthropic's Earlier Disclosure?

This is a separate, more recent campaign from the one Anthropic disclosed directly in November 2025, though both involve Claude Code being incorporated into a suspected China-linked intrusion operation. In the earlier case, Anthropic's own threat intelligence team detected the activity, banned the associated accounts, and coordinated with affected organizations and authorities over a ten-day investigation, publishing a detailed account of how the threat actor jailbroke Claude Code by fragmenting malicious requests into smaller tasks framed as legitimate defensive security work. Anthropic has separately disclosed unrelated abuse patterns involving DeepSeek, including large-scale attempts by Chinese AI firms to extract Claude's capabilities through high-volume automated querying, reported in February 2026.

As of this article's publication, Anthropic has not issued a public statement specifically confirming or responding to the July 2026 campaign described by Hunt.io. The findings currently rest on independent research corroborated across multiple security outlets rather than a direct vendor confirmation, which is worth keeping in mind when weighing the certainty of the technical details versus the broader trend they illustrate.

What Does This Mean for Organizations Going Forward?

The core takeaway echoes what Anthropic itself noted in its earlier disclosure: agentic AI tools are lowering the barrier to conducting sophisticated, sustained cyberattacks that previously required larger, more experienced human teams. Organizations can no longer assume that unsophisticated-looking threat actors lack the capability to conduct multi-stage, adaptive intrusions, since AI-assisted reasoning and execution can substitute for some of that missing experience.

At the same time, exposed development infrastructure — unauthenticated directories, leaked cloud keys sitting in public JavaScript, and unpatched injection points — remains the practical entry point in nearly every stage of this campaign described so far. The AI tooling accelerated and adapted the attacks; it didn't invent the underlying access vectors, which were largely conventional: SQL injection, exposed credentials, and known implant frameworks.

How Should Organizations Respond?

  • Audit public-facing JavaScript and configuration files for exposed Supabase keys, Azure SAS tokens, or other cloud credentials, since this was a confirmed entry point in this campaign's telecom and edge-device manufacturer breach.
  • Treat SQL injection as an ongoing priority, not a legacy concern, given its confirmed role in this campaign's chemical company compromise.
  • Monitor for unauthenticated exposed directories on any development or staging servers, since the entire campaign was uncovered specifically because operators left their own toolkit publicly accessible.
  • Assume adaptive, AI-assisted exploit development in threat modeling going forward, rather than assuming attackers need extensive manual trial-and-error to adapt exploits to your specific environment.
  • Review government and financial-sector-specific threat intelligence sharing programs for indicators tied to TencShell and Gshell infrastructure.

Security teams checking their own exposure can start with a WHOIS domain lookup and an IP reputation lookup to check whether infrastructure referenced in this campaign has touched their own logs, and a subdomain enumeration tool to confirm no development or staging subdomains are unintentionally exposing directories the way this campaign's collection server did.

[Insert image: Diagram of the split-model AI workflow used in the campaign | Alt text: "Claude Code and DeepSeek split-model attack workflow diagram"]

Practical Security Best Practices

  • Never commit or expose cloud access keys in public-facing code, including client-side JavaScript, regardless of how minor the associated service seems.
  • Run regular exposure scans against your own development and staging environments, since exposed directories are consistently the starting point researchers use to uncover campaigns like this one.
  • Patch and test against injection vulnerabilities continuously, particularly on internet-facing forms and admin panels.
  • Treat AI-assisted attacker tooling as an accelerant, not a new attack category, meaning existing hardening priorities — patching, credential hygiene, access control — remain the most effective defenses.
  • Run a website vulnerability scanner against your own internet-facing assets periodically to catch the kind of exposed directories and injection points this campaign relied on.

What's Next? Tracking This Story

This is an evolving area of cybersecurity research, and further disclosures — both from independent researchers and from AI vendors themselves — are likely.

  • Watch for a response from Anthropic specifically addressing this July 2026 campaign, given the company's track record of publishing detailed accounts of prior Claude Code misuse.
  • Follow ongoing TencShell and Gshell infrastructure tracking from Hunt.io and Cato CTRL for updates on the threat actor's continued activity.
  • Review our related coverage of The Gentlemen ransomware's automated lateral movement for another example of automation reshaping attacker tradecraft at scale.
  • Bookmark our cybersecurity news hub for continued coverage as AI-assisted attack campaigns develop.

Conclusion

This campaign is a significant data point in a trend that's been building since at least late 2025: AI models operating as functional components inside live cyberattacks, not just tools consulted beforehand. Whether or not every technical detail in Hunt.io's report is independently confirmed by Anthropic, the underlying access vectors — exposed credentials, SQL injection, and unauthenticated directories — remain the same fundamentals defenders have always needed to close. Organizations should treat this as validation to prioritize exposure management and credential hygiene now, rather than waiting for AI-specific defenses to mature. Stay subscribed to trusted threat intelligence sources so developments in this fast-moving area reach you as they're confirmed.

Written by ReconShield Editorial Team — a cybersecurity publication covering cyber threats, data breaches, vulnerabilities, malware, threat intelligence, and online privacy, providing practical insights to help readers stay informed and secure.

Reviewed by Surendra Reddy, Founder & Principal Security Engineer, ReconShield — a cybersecurity researcher specializing in OSINT, infrastructure exposure intelligence, and passive diagnostic tooling.

Disclaimer: This article was initially drafted using AI assistance. However, the content has undergone thorough revisions, editing, and fact-checking by human editors and subject matter experts to ensure accuracy.

Read More:

Update Chrome Now: 382 Security Vulnerabilities Patched, Including 15 Critical Bugs

Security Alert: Multiple FatFs Vulnerabilities Impact Embedded Devices Worldwide

Top 15 Critical CVE-2026 Vulnerabilities Every IT Team Should Know

Breaking: Hackers Claim Massive Accenture Data Breach, 35GB of Source Code Allegedly Stolen

Best AI Cybersecurity Stocks to Buy as Cybercrime Surges in 2026

## Analyst Commentary & Implementation Blueprint

Security advisory

Continuous security exposure assessment is critical to identifying public vulnerabilities before they are exploited. Organizations should maintain a passive inventory of all web servers, TLS configs, and open ports, ensuring that default configurations are eliminated and security advisories are actively implemented.

Hardened Security Configuration Blueprint

# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag None

Actionable Mitigation Checklist

  • Perform passive asset inventories weekly.
  • Restrict administrative ports using local firewall controls.
  • Monitor active CVE alerts for exposed software.

Common Inquiries & FAQs

Why is passive scanning preferred for continuous auditing?

Passive audits do not cause operational impact or trigger firewall blocks, making them ideal for constant surveillance of internet-facing assets.

What should I do if a vulnerability is flagged?

Apply the latest vendor patches, restrict access to the resource via firewalls, or verify configuration flags to mitigate risks.

SR

Surendra Reddy

Surendra Reddy is a cybersecurity researcher and founder of ReconShield, specializing in OSINT and defensive infrastructure analysis.

Connect on LinkedIn ↗
#AI CYBERSECURITY

// AUDIT BRIEFING DISCUSSION (2 COMMENTS)

agent_x9 // Verified Analyst2 HOURS AGO

Great breakdown of the passive infrastructure vectors. We recently audited our external DNS zones and found multiple dangling staging environments. Implementing wildcard certificates reduced our CT log leaks significantly.

sec_analyst_015 HOURS AGO

Is there any automated tooling you recommend for daily crt.sh scraping? Manually checking CT logs is becoming unsustainable for our domain portfolio.

// POST RESPONSE BRIEFING
* Encrypted transmission via Secure Socket LayerSUBMIT BRIEFING