Suspected China-Linked Hackers Used Claude Code and DeepSeek in Government Intrusions
Suspected China-linked hackers integrated Claude Code and DeepSeek-v4-pro into an active campaign targeting government, manufacturing, telecommunications, and financial organizations across several countries.
According to a Hunt.io investigation, Claude Code handled terminal interaction and operational execution, while DeepSeek-v4-pro generated attack logic, adapted exploits, and supported decisions during the intrusions.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The operators compromised government applications in Afghanistan and Thailand, along with two organizations in Taiwan. They also conducted reconnaissance and prepared phishing pages targeting US government websites, although researchers found no confirmed US government breach.
Exposed server revealed the campaign
Researchers uncovered the operation after tracing infrastructure associated with TencShell, a command-and-control implant previously linked to suspected Chinese operators.
The investigation led to an open directory on 112.213.124[.]132. The server exposed 2,431 files across 80 directories, including victim source code, database information, exploit scripts, webshells, cloned login pages, network scans, and operator logs.
Many of the instructions and development notes used Simplified Chinese. The files also documented how the operators used AI models during reconnaissance, exploit development, phishing, and post-compromise activity.
| Exposed service | Port | Observed purpose |
|---|---|---|
| SSH | 22 | Remote server administration |
| Malware delivery | 1111 | Hosted downloadable payloads |
| DeepAudit | 3000 | Source code vulnerability analysis |
| ARL | 5003 | Asset discovery and reconnaissance |
| Vshell | 8084 | Command-and-control operations |
| Open directory | 8888 | Stored scripts, logs, payloads, and victim data |
Claude Code and DeepSeek had separate roles
The recovered logs showed a structured division of work between the two AI systems. The operators did not appear to use them only for occasional questions or offline research.
Claude Code version 2.1.165 managed agentic tool use, interactive Bash sessions, command execution, task parallelization, and persistent operational sessions. Activity recorded in the files ran from June 8 through June 12, 2026.
DeepSeek-v4-pro handled higher-level reasoning. Hunt said the model generated scripts, developed attack logic, suggested evasion techniques, and modified exploits after unsuccessful attempts.
| AI system | Role identified by Hunt |
|---|---|
| Claude Code | Command execution, Bash interaction, session persistence, and task automation |
| DeepSeek-v4-pro | Attack reasoning, script creation, exploit adaptation, and decision-making |
A CLAUDE.md workspace file contained instructions for building, testing, and improving phishing pages. The agent reportedly refined cloned websites across several targets rather than producing a single static template.
Dedicated working directories also separated campaigns by geography. Session identifiers showed that the same infrastructure supported multiple operations, including directories specifically prepared for Taiwanese targets.
TencShell provided the starting point
The infrastructure investigation began with TencShell, a Go-based implant derived from the open-source Rshell command-and-control framework.
Cato CTRL originally documented TencShell after blocking an attempted intrusion against a global manufacturer in April 2026. The activity involved a third-party user connected to the companyโs Indian site.
The attempted infection used several stages:
- A first-stage dropper
- Donut shellcode
- A payload disguised as a WOFF web font
- In-memory code injection
- Web-like command-and-control traffic
Cato assessed the earlier activity as suspected China-linked based on the Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns. It also stressed that these indicators alone did not provide definitive attribution.
Researchers identified 13 connected servers
Hunt pivoted from a distinctive HTTP header fingerprint found on port 1111 of the known TencShell infrastructure. The search identified 13 servers associated with the same pattern.
Eleven previously unreported systems were hosted in Hong Kong across VMISS, MEGA-II IDC, CTG Server, and Antbox Networks. Three servers shared an SSH host key and exposed similar collections of services.
The three systems also used the same default ARL TLS certificate. However, a default certificate does not establish a connection by itself. The stronger link came from their shared SSH key, overlapping services, hosted files, and malware delivery behavior.
Possible second C2 framework found
Two servers in the TencShell cluster also presented certificates identifying a separate framework called Gshell. Hunt found no earlier public documentation describing a command-and-control tool under that name.
A search for the Gshell certificate identified nine IP addresses in total. The systems used hosting providers and locations that overlapped with the TencShell infrastructure.
Since two servers appeared in both clusters, Hunt assessed with moderate confidence that the operators used Gshell as a second command-and-control framework. Researchers did not recover a Gshell malware sample, so its precise capabilities remain unknown.
Government systems in Thailand and Afghanistan were compromised
In Thailand, the operators exploited a government administrative application through SQL injection. They used SQLMap to bypass authentication, reach the administration panel, and extract database records.
The stolen database included government employeesโ names, positions, and national identification numbers. The attackers also deployed a GIF polyglot webshell that accepted commands through URL parameters.
Researchers found 980 files connected to this Thai system. Test database entries and recent administration-panel access showed that attackers had interacted directly with the compromised application as recently as June 9.

An Afghan government application running Laravel 5.8.38 also suffered a compromise. Exposed files included source code, encryption keys, database credentials, email-handling code, CSRF tokens, and citizen complaint records.
The operators used recovered credentials to create a custom Python exploit targeting Laravel deserialization behavior. Hunt said the code aimed to achieve remote command execution against the application.
Two Taiwanese organizations were successfully attacked
The campaign included reconnaissance against eight Taiwanese organizations in shipping, manufacturing, robotics, drones, embedded computing, telecommunications, and other supply-chain sectors.
Most of those organizations experienced only scanning and fingerprinting. Researchers found successful exploitation involving two companies in critical industries.
| Target | Observed activity |
|---|---|
| Chemical manufacturer and trading company | SQL injection, source code theft, database access, and cloned pages |
| Telecom and edge-device manufacturer | Exposed Supabase keys, Azure SAS token access, and cloud account compromise |
| Six other Taiwanese organizations | Reconnaissance and service fingerprinting without confirmed exploitation |
The reconnaissance scripts searched for VPN gateways, Git repositories, Jira installations, certificates, subdomains, adjacent IP addresses, and internet-facing services.
US government websites were not confirmed breached
Logs contained references to NASA hosts, including launchpad.nasa.gov and ngis.nasa.gov. Researchers found scanning but no follow-up exploitation against either system.
The exposed directory also contained cloned pages imitating the D.C. Council and Delaware County, Pennsylvania. The D.C. Council WordPress login page appeared more complete than the surrounding website clone.

The Delaware County contact page remained unfinished. Researchers did not find client-side credential-stealing code, so the pages may have relied on server-side collection or may not have reached operational use.
- NASA hosts: reconnaissance only
- D.C. Council: cloned pages and phishing preparation
- Delaware County: unfinished contact-page clone
- No confirmed US government compromise identified
Financial companies were targeted in a parallel operation
The same infrastructure contained material targeting financial services across Europe, Australia, and Asia. The operators developed scripts, attempted password attacks, and examined billing platforms.
One attacker-controlled page exploited a cross-origin resource sharing configuration and extracted WordPress administrator account information associated with a large payment-processing company.
The exposed files included logs, screenshots, enumeration results, and failed brute-force attempts. Hunt assessed the financial targeting as a second operational objective running alongside the government-focused campaign.
China linkage remains an assessment
Researchers based the China-linked assessment on Simplified Chinese documentation, Hong Kong infrastructure, tooling lineage, operator behavior, and a focus on government and supply-chain information.
The Hunt threat report described the evidence as consistent with China-based activity but did not name a hacking group or confirm a direct relationship with the Chinese government.
Server location offers limited attribution value because attackers can rent infrastructure anywhere. Language, shared tools, and targeting patterns strengthen an assessment, but they do not independently prove who ordered or conducted an operation.
Campaign resembles Anthropicโs earlier AI espionage case
The findings follow a separate campaign disclosed by Anthropic in November 2025. In that case, the company said a Chinese state-sponsored group manipulated Claude Code to attempt intrusions against approximately 30 organizations.
According to Anthropicโs investigation, the earlier operation targeted technology companies, financial institutions, chemical manufacturers, and government agencies. A small number of attempts succeeded.
Anthropic said it banned the identified accounts, contacted affected organizations, coordinated with authorities, and expanded its systems for detecting malicious use.
| Campaign | AI use | Attribution |
|---|---|---|
| Hunt.io investigation, June 2026 activity | Claude Code for execution and DeepSeek-v4-pro for reasoning | Suspected China-based operators, no named group |
| Anthropic investigation, September 2025 activity | Claude Code used extensively for automated intrusion tasks | Chinese state-sponsored group assessed with high confidence |
What defenders should watch for
Organizations should monitor developer tools and AI coding agents with the same care applied to remote administration software and automation platforms. An agent with terminal access can run commands, edit files, interact with network tools, and maintain long-running sessions.
Security teams should also search for the infrastructure indicators, payload hashes, unusual port activity, and TencShell-related HTTP fingerprints published by the researchers.
The original Cato TencShell analysis provides additional details about the Windows infection chain, persistence through a Registry Run key, and web-like C2 communication.
- Restrict terminal and network permissions granted to coding agents.
- Log AI-agent commands and tool calls.
- Separate development agents from production credentials.
- Scan repositories for exposed cloud tokens and secrets.
- Monitor connections to known TencShell and Gshell infrastructure.
- Review unexpected activity on ports 1111, 1212, 4081, 8083, 8084, 8088, 8089, and 8090.
- Investigate cloned login pages and unusual phishing-development activity.
The earlier Claude Code case and Huntโs latest findings show how attackers can place general-purpose AI agents inside live intrusion workflows. The models can reduce the time required to adapt scripts, coordinate tools, and repeat operational tasks, even though human operators still choose targets and direct the campaign.
FAQ
Hunt.io found operational logs showing suspected China-based operators using Claude Code for execution and DeepSeek-v4-pro for reasoning during an active intrusion campaign. Researchers did not identify a specific hacking group.
Claude Code managed Bash sessions, terminal commands, agentic tool interaction, task parallelization, persistent sessions, and the creation and testing of phishing pages.
Recovered logs indicated that DeepSeek-v4-pro handled attack reasoning, script generation, evasion ideas, exploit adaptation, and operational decision-making.
Researchers identified confirmed compromises in Afghanistan, Thailand, and Taiwan. US government systems appeared in reconnaissance and phishing-preparation files, but no US government compromise was confirmed.
Hunt.io assessed the operators as likely China-based but stopped short of confirming state sponsorship or naming a known group. Its assessment relied on language, infrastructure, tooling, and targeting patterns.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages