Chinese actors use Claude Code and DeepSeek to automate cyber espionage

Security researchers uncovered state-sponsored operators using Claude Code and DeepSeek models to automate intelligence gathering and maintain persistent access to government networks

CSBadmin
1 Min Read

Chinese state-linked cyber operators are using Anthropic Claude Code and China DeepSeek AI models to automate intrusions against government agencies and financial firms across multiple countries, according to research published by Hunt.io.

Researchers stumbled onto the active campaign in June 2026 while pivoting on known TencShell command-and-control infrastructure. A single HTTP header fingerprint led them to 13 Hong Kong-based servers containing victim source code, custom exploit scripts, cloned login pages, and operator logs written in Simplified Chinese.

Claude Code handled execution, running Bash commands, managing long-running sessions, and creating phishing infrastructure. DeepSeek-v4-pro handled the planning, generating scripts, choosing attack techniques, and finding new ways to bypass defenses when earlier attempts failed.

In Thailand, attackers exploited a government administrative system through SQL injection and deployed a web shell disguised as a GIF file. In Afghanistan, government web application source code and database credentials were stolen. In Taiwan, eight organizations in supply chain and defense-adjacent sectors were mapped. A parallel campaign hit financial services firms across Europe, Australia, and Asia.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.