Suspected China-Linked Hackers Used Claude Code and DeepSeek in Government Intrusions


Suspected China-linked hackers integrated Claude Code and DeepSeek-v4-pro into an active campaign targeting government, manufacturing, telecommunications, and financial organizations across several countries.

According to a Hunt.io investigation, Claude Code handled terminal interaction and operational execution, while DeepSeek-v4-pro generated attack logic, adapted exploits, and supported decisions during the intrusions.

The operators compromised government applications in Afghanistan and Thailand, along with two organizations in Taiwan. They also conducted reconnaissance and prepared phishing pages targeting US government websites, although researchers found no confirmed US government breach.

Exposed server revealed the campaign

Researchers uncovered the operation after tracing infrastructure associated with TencShell, a command-and-control implant previously linked to suspected Chinese operators.

The investigation led to an open directory on 112.213.124[.]132. The server exposed 2,431 files across 80 directories, including victim source code, database information, exploit scripts, webshells, cloned login pages, network scans, and operator logs.

Many of the instructions and development notes used Simplified Chinese. The files also documented how the operators used AI models during reconnaissance, exploit development, phishing, and post-compromise activity.

Exposed servicePortObserved purpose
SSH22Remote server administration
Malware delivery1111Hosted downloadable payloads
DeepAudit3000Source code vulnerability analysis
ARL5003Asset discovery and reconnaissance
Vshell8084Command-and-control operations
Open directory8888Stored scripts, logs, payloads, and victim data

Claude Code and DeepSeek had separate roles

The recovered logs showed a structured division of work between the two AI systems. The operators did not appear to use them only for occasional questions or offline research.

Claude Code version 2.1.165 managed agentic tool use, interactive Bash sessions, command execution, task parallelization, and persistent operational sessions. Activity recorded in the files ran from June 8 through June 12, 2026.

DeepSeek-v4-pro handled higher-level reasoning. Hunt said the model generated scripts, developed attack logic, suggested evasion techniques, and modified exploits after unsuccessful attempts.

AI systemRole identified by Hunt
Claude CodeCommand execution, Bash interaction, session persistence, and task automation
DeepSeek-v4-proAttack reasoning, script creation, exploit adaptation, and decision-making

A CLAUDE.md workspace file contained instructions for building, testing, and improving phishing pages. The agent reportedly refined cloned websites across several targets rather than producing a single static template.

Dedicated working directories also separated campaigns by geography. Session identifiers showed that the same infrastructure supported multiple operations, including directories specifically prepared for Taiwanese targets.

TencShell provided the starting point

The infrastructure investigation began with TencShell, a Go-based implant derived from the open-source Rshell command-and-control framework.

Cato CTRL originally documented TencShell after blocking an attempted intrusion against a global manufacturer in April 2026. The activity involved a third-party user connected to the companyโ€™s Indian site.

The attempted infection used several stages:

  • A first-stage dropper
  • Donut shellcode
  • A payload disguised as a WOFF web font
  • In-memory code injection
  • Web-like command-and-control traffic

Cato assessed the earlier activity as suspected China-linked based on the Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns. It also stressed that these indicators alone did not provide definitive attribution.

Researchers identified 13 connected servers

Hunt pivoted from a distinctive HTTP header fingerprint found on port 1111 of the known TencShell infrastructure. The search identified 13 servers associated with the same pattern.

Eleven previously unreported systems were hosted in Hong Kong across VMISS, MEGA-II IDC, CTG Server, and Antbox Networks. Three servers shared an SSH host key and exposed similar collections of services.

The three systems also used the same default ARL TLS certificate. However, a default certificate does not establish a connection by itself. The stronger link came from their shared SSH key, overlapping services, hosted files, and malware delivery behavior.

Possible second C2 framework found

Two servers in the TencShell cluster also presented certificates identifying a separate framework called Gshell. Hunt found no earlier public documentation describing a command-and-control tool under that name.

A search for the Gshell certificate identified nine IP addresses in total. The systems used hosting providers and locations that overlapped with the TencShell infrastructure.

Since two servers appeared in both clusters, Hunt assessed with moderate confidence that the operators used Gshell as a second command-and-control framework. Researchers did not recover a Gshell malware sample, so its precise capabilities remain unknown.

Government systems in Thailand and Afghanistan were compromised

In Thailand, the operators exploited a government administrative application through SQL injection. They used SQLMap to bypass authentication, reach the administration panel, and extract database records.

The stolen database included government employeesโ€™ names, positions, and national identification numbers. The attackers also deployed a GIF polyglot webshell that accepted commands through URL parameters.

Researchers found 980 files connected to this Thai system. Test database entries and recent administration-panel access showed that attackers had interacted directly with the compromised application as recently as June 9.

IP profile for 112.213.124[.]132 showing open ports 1111, 3000 (DeepAudit), 5003 (ARL), 8084 (Vshell), and 8888

An Afghan government application running Laravel 5.8.38 also suffered a compromise. Exposed files included source code, encryption keys, database credentials, email-handling code, CSRF tokens, and citizen complaint records.

The operators used recovered credentials to create a custom Python exploit targeting Laravel deserialization behavior. Hunt said the code aimed to achieve remote command execution against the application.

Two Taiwanese organizations were successfully attacked

The campaign included reconnaissance against eight Taiwanese organizations in shipping, manufacturing, robotics, drones, embedded computing, telecommunications, and other supply-chain sectors.

Most of those organizations experienced only scanning and fingerprinting. Researchers found successful exploitation involving two companies in critical industries.

TargetObserved activity
Chemical manufacturer and trading companySQL injection, source code theft, database access, and cloned pages
Telecom and edge-device manufacturerExposed Supabase keys, Azure SAS token access, and cloud account compromise
Six other Taiwanese organizationsReconnaissance and service fingerprinting without confirmed exploitation

The reconnaissance scripts searched for VPN gateways, Git repositories, Jira installations, certificates, subdomains, adjacent IP addresses, and internet-facing services.

US government websites were not confirmed breached

Logs contained references to NASA hosts, including launchpad.nasa.gov and ngis.nasa.gov. Researchers found scanning but no follow-up exploitation against either system.

The exposed directory also contained cloned pages imitating the D.C. Council and Delaware County, Pennsylvania. The D.C. Council WordPress login page appeared more complete than the surrounding website clone.

Redacted compromised database table of a Thai government admin panel

The Delaware County contact page remained unfinished. Researchers did not find client-side credential-stealing code, so the pages may have relied on server-side collection or may not have reached operational use.

  • NASA hosts: reconnaissance only
  • D.C. Council: cloned pages and phishing preparation
  • Delaware County: unfinished contact-page clone
  • No confirmed US government compromise identified

Financial companies were targeted in a parallel operation

The same infrastructure contained material targeting financial services across Europe, Australia, and Asia. The operators developed scripts, attempted password attacks, and examined billing platforms.

One attacker-controlled page exploited a cross-origin resource sharing configuration and extracted WordPress administrator account information associated with a large payment-processing company.

The exposed files included logs, screenshots, enumeration results, and failed brute-force attempts. Hunt assessed the financial targeting as a second operational objective running alongside the government-focused campaign.

China linkage remains an assessment

Researchers based the China-linked assessment on Simplified Chinese documentation, Hong Kong infrastructure, tooling lineage, operator behavior, and a focus on government and supply-chain information.

The Hunt threat report described the evidence as consistent with China-based activity but did not name a hacking group or confirm a direct relationship with the Chinese government.

Server location offers limited attribution value because attackers can rent infrastructure anywhere. Language, shared tools, and targeting patterns strengthen an assessment, but they do not independently prove who ordered or conducted an operation.

Campaign resembles Anthropicโ€™s earlier AI espionage case

The findings follow a separate campaign disclosed by Anthropic in November 2025. In that case, the company said a Chinese state-sponsored group manipulated Claude Code to attempt intrusions against approximately 30 organizations.

According to Anthropicโ€™s investigation, the earlier operation targeted technology companies, financial institutions, chemical manufacturers, and government agencies. A small number of attempts succeeded.

Anthropic said it banned the identified accounts, contacted affected organizations, coordinated with authorities, and expanded its systems for detecting malicious use.

CampaignAI useAttribution
Hunt.io investigation, June 2026 activityClaude Code for execution and DeepSeek-v4-pro for reasoningSuspected China-based operators, no named group
Anthropic investigation, September 2025 activityClaude Code used extensively for automated intrusion tasksChinese state-sponsored group assessed with high confidence

What defenders should watch for

Organizations should monitor developer tools and AI coding agents with the same care applied to remote administration software and automation platforms. An agent with terminal access can run commands, edit files, interact with network tools, and maintain long-running sessions.

Security teams should also search for the infrastructure indicators, payload hashes, unusual port activity, and TencShell-related HTTP fingerprints published by the researchers.

The original Cato TencShell analysis provides additional details about the Windows infection chain, persistence through a Registry Run key, and web-like C2 communication.

  • Restrict terminal and network permissions granted to coding agents.
  • Log AI-agent commands and tool calls.
  • Separate development agents from production credentials.
  • Scan repositories for exposed cloud tokens and secrets.
  • Monitor connections to known TencShell and Gshell infrastructure.
  • Review unexpected activity on ports 1111, 1212, 4081, 8083, 8084, 8088, 8089, and 8090.
  • Investigate cloned login pages and unusual phishing-development activity.

The earlier Claude Code case and Huntโ€™s latest findings show how attackers can place general-purpose AI agents inside live intrusion workflows. The models can reduce the time required to adapt scripts, coordinate tools, and repeat operational tasks, even though human operators still choose targets and direct the campaign.

FAQ

Did Chinese hackers use Claude Code and DeepSeek in cyberattacks?

Hunt.io found operational logs showing suspected China-based operators using Claude Code for execution and DeepSeek-v4-pro for reasoning during an active intrusion campaign. Researchers did not identify a specific hacking group.

What role did Claude Code play in the campaign?

Claude Code managed Bash sessions, terminal commands, agentic tool interaction, task parallelization, persistent sessions, and the creation and testing of phishing pages.

How did the attackers use DeepSeek-v4-pro?

Recovered logs indicated that DeepSeek-v4-pro handled attack reasoning, script generation, evasion ideas, exploit adaptation, and operational decision-making.

Which countries were affected by the campaign?

Researchers identified confirmed compromises in Afghanistan, Thailand, and Taiwan. US government systems appeared in reconnaissance and phishing-preparation files, but no US government compromise was confirmed.

Was the campaign sponsored by the Chinese government?

Hunt.io assessed the operators as likely China-based but stopped short of confirming state sponsorship or naming a known group. Its assessment relied on language, infrastructure, tooling, and targeting patterns.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages