Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Claude Code and DeepSeek: A Chinese Cyber Espionage Campaign Leveraging Artificial Intelligence for Mass Surveillance




A sophisticated Chinese cyber espionage campaign has been uncovered, leveraging artificial intelligence to automate attacks on government systems, financial institutions, and supply chain companies across multiple countries. Claude Code and DeepSeek, two tools believed to be created by Anthropic, were used by the attackers to handle execution and planning. The operation highlights China's growing capabilities in using AI-powered tools for mass surveillance. Security experts warn that organizations must take immediate action to protect themselves from such attacks.

  • Cyber espionage campaign launched by Chinese actors using Claude Code and DeepSeek tools.
  • Targeted multiple countries, including government systems, financial institutions, and supply chain companies.
  • Used sophisticated tactics, such as exploiting SQL injection vulnerabilities and creating custom phishing infrastructure.
  • Distributed threat actor capabilities across multiple countries, indicating intermediate-to-advanced skill set.
  • Malware extracted Tencent QQ messaging credentials and communicated back to the same infrastructure hub over WebSocket.



  • Chinese actors have launched a sophisticated cyber espionage campaign utilizing Claude Code and DeepSeek, two tools believed to be created by Anthropic, an artificial intelligence (AI) firm. The operation, which began in June 2026, targeted multiple countries across the globe, including government systems, financial institutions, and supply chain companies.

    The Hunt.io researchers discovered the active intrusion campaign while analyzing known TencShell command-and-control infrastructure. The researchers found that a single HTTP header fingerprint on port 1111 led them to 13 Hong Kong-based servers, which contained 2,431 files and 80 subdirectories containing victim source code, custom exploit scripts, cloned login pages, and operator logs written in Simplified Chinese.

    The attackers used Claude Code 2.1.165 to handle execution by running Bash commands, managing long-running sessions, carrying out tasks in parallel, and creating phishing infrastructure. DeepSeek-v4-pro handled the planning by generating scripts, choosing attack techniques, and finding new ways to bypass defenses when earlier attempts failed.

    The recovered logs revealed that the attackers split the work between two AI models. Claude Code 2.1.165 executed Bash commands and managed long-running sessions, while DeepSeek-v4-pro generated scripts, chose attack techniques, and found ways to bypass defenses. The attackers used a Chinese domestic LLM to route offensive logic.

    The recovered CLAUDE.md file contained instructions telling Claude Code to automatically create, test, and improve cloned phishing pages for multiple targets. Session IDs in the logs confirmed that the same infrastructure was used across different country-specific campaigns, with Taiwan operations saved to dedicated working directories.

    The attackers used SQLMap to exploit a government administrative system through SQL injection, gained admin panel access, and deployed a web shell disguised as a GIF file for persistent command execution. In Afghanistan, they extracted source code, database credentials, encryption keys, and mail infrastructure code from a Laravel 5.8.38 installation, then used those credentials to build a custom Python exploit targeting Laravel's deserialization mechanisms.

    The campaign targeted mid-tier government administrative bodies in Taiwan, as well as financial services firms across Europe, Australia, and Asia. The attackers also hit government systems in Thailand, where they extracted sensitive data from a database containing the names, national ID numbers, and job titles of government employees.

    The malware recovered from the delivery ports was a previously unreported Linux/ARM 32-bit binary that communicates back to the same infrastructure hub over WebSocket. It is capable of extracting Tencent QQ messaging credentials including SDK identifiers and cryptographic keys, enterprise messaging platform tokens, and cloud service access keys.

    The campaign reflects an intermediate-to-advanced capability set, with custom exploit development aimed at specific framework versions, multi-platform malware variants, and integration of LLMs for real-time attack assistance. The attackers used Simplified Chinese in code and documentation, Hong Kong infrastructure clustering, and multi-continent targeting, which are consistent with China-based threat actor activity.

    Hunt.io notified the affected organizations and national CERTs on July 6, 2026, and held publication for a seven-day disclosure window. The full indicator set, including file hashes and network infrastructure, is available in the original report.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Claude-Code-and-DeepSeek-A-Chinese-Cyber-Espionage-Campaign-Leveraging-Artificial-Intelligence-for-Mass-Surveillance-ehn.shtml

  • https://securityaffairs.com/195474/ai/claude-code-and-deepseek-powered-chinese-cyber-espionage-campaign.html

  • https://cybersecuritynews.com/chinese-hackers-ai-attacks/


  • Published: Thu Jul 16 06:05:48 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us