Hunt.io threat intelligence researchers published documentation of a Chinese state-linked espionage campaign that integrated commercial large language models directly into the attack pipeline — using Claude Code 2.1.165 as an execution and automation engine and DeepSeek-v4-pro as a reconnaissance and planning component. Government administrative systems in Thailand, Afghanistan, Taiwan, and the United States were confirmed breached. Hunt.io notified affected country-level computer emergency response teams before publishing the technical disclosure.
How Claude Code 2.1.165 and DeepSeek-v4-pro Were Used in the Attack Pipeline
The campaign documented by Hunt.io differs from prior AI-in-cyberattacks scenarios in how directly the models were embedded in the attack chain. Claude Code 2.1.165 functioned as a programmable attack automation layer: operators used it to run Bash commands, manage remote sessions, execute parallel tasks, and build phishing infrastructure. DeepSeek-v4-pro served the reasoning and planning functions: identifying defense bypass techniques, conducting reconnaissance analysis, and generating custom attack scripts adapted to each target environment.
This is a human-directed model, not an autonomous AI attack system. The Claude Code and DeepSeek tools appear to have operated as productivity and capability multipliers for human operators — compressing the time and expertise required to execute reconnaissance, infrastructure setup, and custom payload development against multiple target environments simultaneously.
Hunt.io’s analysis identifies the command-and-control infrastructure as “TencShell,” operated from Hong Kong. Attacker workstation documentation recovered during the investigation was written in Simplified Chinese. Hunt.io’s attribution conclusion is that the campaign was conducted by China-based state actors.
Targets Breached and Categories of Data Stolen Across Four Countries
Hunt.io confirmed breaches of government administrative systems in Thailand, Afghanistan, Taiwan, and the United States. The campaign also reached financial services firms in Europe, Australia, and Asia, and supply chain and defense-adjacent organizations in Taiwan.
Data categories stolen across the intrusions include government employee names, national IDs, and job titles; application source code; database credentials; encryption keys; cloud infrastructure access tokens; WordPress administrator credentials; and citizen complaint data from government portals. The breadth of data categories reflects targeting that covers both operational intelligence — employee identity data, credentials, access tokens — and longer-term intelligence value in the form of source code and cloud infrastructure access.
The targeting of Taiwan alongside US government systems carries particular significance given the current geopolitical environment in the region, and the inclusion of Afghanistan in confirmed breached targets adds a second US-adjacent government to the list.
TencShell C2 Infrastructure and Hunt.io’s Attribution Evidence
Hunt.io’s attribution to China-based state actors rests on several infrastructure and documentary indicators identified during the investigation. The TencShell command-and-control infrastructure operates from Hong Kong. Attacker workstation documentation was in Simplified Chinese. The analysis also identifies shared infrastructure characteristics consistent with China-based state actor operations.
Hunt.io notified affected country-level CERTs before making the research public. The public disclosure on July 16 followed that earlier CERT notification, providing a window for affected governments to respond before the technical details became public.
This campaign is operationally distinct from prior AI-adjacent incidents covered in earlier briefs. The JADEPUFFER ransomware operation documented separately used an AI system autonomously exploiting a remote code execution vulnerability; the current campaign used Claude Code and DeepSeek as human-directed tools embedded in a human operator’s workflow. The distinction matters for how defenders characterize and detect AI-assisted attacks: JADEPUFFER required detecting autonomous AI behavior; this campaign requires detecting human operator activity that happens to use AI tools for automation and reasoning.
Why AI-Assisted Espionage Complicates Behavioral Detection for Defenders
Claude Code’s legitimate function is generating and executing Bash commands, managing terminal sessions, and automating developer tasks. When a threat actor uses Claude Code to run attack commands against target systems, the behavioral pattern produced by the AI tool — Bash execution, remote session management, parallel task orchestration — is structurally similar to the pattern produced by a developer or system administrator using the same tool for legitimate purposes.
This presents a detection challenge distinct from traditional attack tooling. Behavioral detection rules calibrated to flag unusual Bash execution patterns must now account for the possibility that the pattern was generated by an AI code execution tool rather than a human typing commands directly. Defenders who identify AI tool usage artifacts in a target environment — logs referencing Claude Code, API call patterns characteristic of LLM-orchestrated execution — may find those artifacts more useful as an indicator of AI-assisted attack activity than traditional command pattern analysis.
The use of two separate commercial LLMs in the same operation — one for execution, one for reasoning — also reflects a developing attacker practice of assembling attack pipelines from commercially available AI infrastructure rather than building custom tools, which limits some of the traditional infrastructure tracking approaches used to attribute and track threat actors.
