AI Becomes the New Cyber Weapon: Chinese-Linked Hackers Use Claude Code and DeepSeek AI to Automate Global Intrusions + Video

Listen to this Post

Featured ImageIntroduction: When Artificial Intelligence Becomes Part of the Attack Team

Cybersecurity researchers have uncovered a sophisticated intrusion campaign that reveals a disturbing evolution in modern cyber warfare: attackers are no longer using artificial intelligence only as a research assistant, but as an active member of their hacking operations.

The investigation began when researchers from Hunt.io followed traces connected to known TencShell command-and-control infrastructure. What they discovered was far more significant than another malware campaign. Hidden behind a single HTTP fingerprint on port 1111 was an entire ecosystem of attack infrastructure, stolen data, exploit development files, phishing templates, and operator notes written in Simplified Chinese.

Inside one exposed directory, researchers found thousands of files that provided an unexpected look into the attackers’ workflow. The evidence showed that AI systems, including Claude Code and DeepSeek-v4-pro, were integrated directly into the operation, helping attackers create phishing pages, generate attack scripts, modify exploits, and improve intrusion methods after failures.

This discovery represents a major turning point in cybersecurity. The question is no longer whether hackers will use AI, but how quickly AI-powered attacks will become normal.

The Hidden Door Into a Global Cyber Operation

A Small Fingerprint Reveals a Massive Campaign

The investigation started with a simple technical clue. Hunt.io researchers discovered a unique HTTP header fingerprint associated with infrastructure previously linked to TencShell command-and-control servers.

Following this digital trail led researchers to 13 servers located in Hong Kong. These servers appeared to be part of a coordinated infrastructure network supporting cyber operations across multiple regions.

The most important discovery came from one of these servers. Instead of being properly secured, it exposed an open directory containing:

2,431 files

80 subdirectories

Victim source code

Custom exploit scripts

Credential harvesting pages

Malware components

Internal operator notes

Attack logs

It was effectively a blueprint of the attackers’ activities.

AI Was Not a Side Tool, It Was the Operator Assistant

Claude Code and DeepSeek-v4-pro Enter the Battlefield

The most unusual part of the campaign was not the malware or infrastructure. It was the attackers’ use of artificial intelligence.

According to Hunt.io researchers, the attackers used two different AI models with separate responsibilities.

Claude Code 2.1.165 appeared to function as an execution assistant. It was used for:

Running Bash commands

Managing long-running sessions

Automating repetitive tasks

Creating phishing infrastructure

Coordinating multiple attack activities

DeepSeek-v4-pro was used more as a reasoning engine. It assisted with:

Generating exploit code

Planning attack methods

Developing scripts

Finding bypass techniques

Improving failed attack attempts

The combination created something new: an AI-assisted cyber operation where one model helped attackers think while another helped execute.

A New Generation of Automated Hacking

From Human Operators to AI-Augmented Attack Teams

Traditional cyber operations required attackers with different skills:

One person researching vulnerabilities

Another writing exploits

Another creating phishing pages

Another managing infrastructure

AI changes this structure.

A smaller group of attackers can now perform tasks that previously required a full team of specialists.

The recovered CLAUDE.md file showed instructions designed to make Claude Code automatically create, test, and improve cloned phishing pages targeting different organizations.

This means AI was not simply answering questions. It was participating in an operational workflow.

The campaign demonstrates a shift from “AI-assisted hacking” toward “AI-integrated hacking.”

Evidence Connects Multiple International Targets

Taiwan, Thailand, Afghanistan, and Beyond

The recovered infrastructure revealed targeting across multiple countries and industries.

The attackers focused heavily on government organizations, technology suppliers, defense-related companies, and financial institutions.

The operation was not random. Each target appeared carefully selected.

Thailand Government System Breach

SQL Injection Leads to Sensitive Employee Data

In Thailand, attackers compromised a government administrative system through SQL injection.

They used tools such as SQLMap to identify and exploit database weaknesses.

After gaining administrative access, they deployed a web shell disguised as a GIF image file.

This allowed persistent remote control over the compromised system.

The stolen database contained:

Employee names

National identification numbers

Government job titles

Researchers found hundreds of files connected to this target, showing that attackers spent significant time inside the environment.

The presence of manually created test entries confirmed the attackers interacted directly with the stolen system.

Afghanistan Citizen Complaint Platform Compromised

Government Data Became an Intelligence Target

Another operation targeted a government complaint submission platform in Afghanistan.

Attackers extracted:

Application source code

Database credentials

Encryption keys

Email infrastructure information

The system was running Laravel 5.8.38.

Using stolen credentials, attackers created custom Python exploits targeting Laravel deserialization vulnerabilities.

Researchers discovered multiple copied versions of the complaint form.

For intelligence operations, access to citizen complaints can provide valuable insight into public concerns, political issues, and government weaknesses.

Taiwan Supply Chain Targets Under Attack

Cloud Credentials and Manufacturing Secrets Exposed

Taiwan-based organizations in supply chain and defense-related sectors were heavily investigated.

Eight organizations were mapped and fingerprinted.

Two were successfully compromised.

One chemical manufacturer was attacked through SQL injection.

Another telecom and edge-device manufacturer suffered exposure after attackers discovered:

Hardcoded Supabase keys

Azure Logic App tokens

Publicly accessible JavaScript secrets

These credentials provided direct access to cloud infrastructure.

The attackers also performed reconnaissance against:

VPN gateways

GitLab systems

Jira environments

Internet-facing services

United States Organizations Appeared in Reconnaissance

Early-Stage Mapping Instead of Confirmed Breaches

The United States appeared in scanning records, but researchers did not confirm successful compromises.

NASA-related domains appeared in reconnaissance data.

Attackers also created fake login pages impersonating:

D.C. Council systems

Delaware County, Pennsylvania services

Some phishing infrastructure was incomplete, suggesting these targets were still being prepared.

Financial Sector Campaign Expanded the Threat

Payment Companies Became Another Major Target

The campaign was not limited to government organizations.

Researchers discovered parallel attacks targeting financial institutions across:

Europe

Australia

Asia

One attacker-controlled server hosted a CORS exploitation page designed to steal WordPress administrator credentials from a large payment processing company.

Researchers later confirmed that some stolen account names matched real employees through public professional information.

This demonstrated a complete attack chain:

Reconnaissance → Exploit → Credential Theft → Account Validation → Further Access

Infrastructure Analysis Reveals Possible Chinese Connection

Hong Kong Servers and Shared Attack Infrastructure

All 13 identified servers were hosted in Hong Kong across several providers.

Researchers discovered several important connections:

Shared SSH fingerprints

Identical TLS certificates

Similar reconnaissance tools

Chinese language documentation

Shanghai references inside certificates

Two servers identified themselves as “Gshell C2,” suggesting another command-and-control framework operating alongside TencShell.

Hunt.io believes with moderate confidence that both systems may belong to the same threat actor group.

New Linux Malware Targets Cloud and Messaging Credentials

Multi-Platform Malware Shows Advanced Capability

Researchers discovered previously unknown Linux malware samples.

One ARM 32-bit version communicated through WebSocket connections.

The malware could steal:

Tencent QQ credentials

Enterprise messaging tokens

Cloud service access keys

Cryptographic information

Another Linux/x86 version used the Go obfuscation tool Garble to hide internal functions.

Both versions shared the same encryption key, suggesting they came from the same development environment.

Deep Analysis: Understanding the Technical Attack Chain

Reconnaissance Commands Used by Attackers

Attackers relied on automated discovery tools to map vulnerable targets.

Example reconnaissance commands:

nmap -sV -p 80,443,22 target.com

Used to identify open services.

subfinder -d target.com

Used for subdomain discovery.

curl -I https://target.com

Used for HTTP fingerprinting.

SQL Injection Testing

Attackers used SQLMap for automated database exploitation.

Example:

sqlmap -u "https://target.com/page?id=1" --dbs

The goal:

Identify vulnerable parameters

Extract database structures

Access sensitive records

Web Shell Deployment

After gaining access, attackers often upload hidden scripts.

Example:

<?php system($_GET['cmd']); ?>

This provides remote command execution.

Cloud Credential Discovery

Attackers searched exposed code repositories and JavaScript files:

grep -r "API_KEY" .

grep -r TOKEN .

grep -r SECRET .

Hardcoded credentials remain one of the most common causes of cloud compromise.

Malware Communication Pattern

The discovered malware used WebSocket communication:

Victim Machine

|
|

WebSocket Channel

|
|

Command & Control Server

This allows attackers to maintain interactive control while hiding traffic inside normal web communication.

What Undercode Say:

AI Has Changed the Economics of Cybercrime

Artificial intelligence is lowering the barrier for advanced cyber operations.

Attackers no longer need every specialist skill internally.

A smaller team with AI assistance can now perform reconnaissance, exploitation, phishing creation, and malware development faster.

The Most Dangerous Change Is Automation

The biggest concern is not that AI creates malware.

The bigger concern is that AI can continuously improve attacks.

A failed exploit attempt can now become feedback for another AI-generated attempt.

This creates an attack cycle that is faster than traditional human-only operations.

Cybersecurity Teams Face a New Reality

Defenders must prepare for attackers who can:

Generate phishing pages instantly

Adapt exploits automatically

Analyze defenses in real time

Create custom malware variants

Security strategies built only around known indicators will become weaker.

AI Security Must Become a Priority

Organizations are investing heavily in AI productivity tools.

However, they must also consider AI abuse scenarios.

The same technology helping employees write code can help attackers understand vulnerabilities.

The Use of Multiple AI Models Is Significant

The attackers separating reasoning and execution between different models shows a more mature approach.

One AI plans.

Another AI acts.

This resembles how human cyber teams operate.

Governments Are Becoming Prime Intelligence Targets

Government systems contain information about:

Citizens

Policies

Procurement

Infrastructure

Internal communications

These targets provide long-term strategic value.

Supply Chains Are Increasingly Vulnerable

Attackers are not always targeting major companies directly.

They often compromise smaller suppliers because they provide access to larger ecosystems.

Cloud Secrets Remain a Major Weakness

Hardcoded credentials continue to expose organizations despite years of warnings.

Security teams must treat every public code leak as a potential breach.

Malware Development Is Becoming More Flexible

The discovery of ARM and x86 malware shows attackers are adapting to modern infrastructure.

Linux environments are increasingly attractive because they power:

Cloud servers

Containers

Enterprise systems

AI Will Create a Cyber Arms Race

Attackers are already experimenting.

Defenders must also use AI for:

Threat detection

Automated response

Vulnerability analysis

Incident investigation

The future of cybersecurity will be AI versus AI.

Prediction

(+1) AI-Powered Cyber Operations Will Become More Common 🚀

Artificial intelligence will increasingly become integrated into both offensive and defensive cybersecurity.

More threat groups will use AI agents to automate reconnaissance, exploit development, phishing creation, and malware adaptation.

Organizations that adopt AI-powered security tools early will have a significant advantage.

(+1) Security Teams Will Build AI Defense Agents

Companies will increasingly deploy autonomous systems capable of monitoring networks, investigating suspicious activity, and responding faster than human teams.

(-1) Smaller Organizations Will Face Growing Risk ⚠️

Companies without advanced security resources may struggle against AI-assisted attackers.

The gap between well-protected organizations and vulnerable organizations will likely increase.

✅ Confirmed: Hunt.io researchers documented an intrusion campaign involving exposed infrastructure, AI-assisted tooling, malware samples, and international targeting patterns.

✅ Confirmed: The investigation identified the use of Claude Code and DeepSeek-v4-pro within attacker workflows, showing AI integration into cyber operations.

❌ Not Fully Proven: Attribution to a specific Chinese government organization remains unconfirmed. Evidence suggests China-linked activity, but definitive responsibility has not been publicly established.

▶️ Related Video (72% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube