Chinese state-linked cyber operators are using Anthropic Claude Code and China DeepSeek AI models to automate intrusions against government agencies and financial firms across multiple countries, according to research published by Hunt.io.
Researchers stumbled onto the active campaign in June 2026 while pivoting on known TencShell command-and-control infrastructure. A single HTTP header fingerprint led them to 13 Hong Kong-based servers containing victim source code, custom exploit scripts, cloned login pages, and operator logs written in Simplified Chinese.
Claude Code handled execution, running Bash commands, managing long-running sessions, and creating phishing infrastructure. DeepSeek-v4-pro handled the planning, generating scripts, choosing attack techniques, and finding new ways to bypass defenses when earlier attempts failed.
In Thailand, attackers exploited a government administrative system through SQL injection and deployed a web shell disguised as a GIF file. In Afghanistan, government web application source code and database credentials were stolen. In Taiwan, eight organizations in supply chain and defense-adjacent sectors were mapped. A parallel campaign hit financial services firms across Europe, Australia, and Asia.

