Suspected Chinese Operators Use Claude Code and DeepSeek to Breach Government Systems Across Four Countries
In June 2026, a suspected Chinese threat actor campaign used AI language models and custom tools to breach government systems in Afghanistan, Thailand, Taiwan, and conduct reconnaissance on U.S. government portals. The attackers leveraged TencShell implants, webshells, and custom exploits including SQL injection and Laravel deserialization to compromise administrative systems and exfiltrate sensitive data such as citizen complaints and government employee information. The campaign also targeted financial services firms across Europe, Australia, and Asia. Infrastructure analysis revealed open directories on Hong Kong-based servers containing victim source code, exploits, operational logs, and cloned login pages with Simplified Chinese notes. The operation utilized AI-powered tools Claude Code and DeepSeek-v4-pro for attack automation and logic execution.
AI Analysis
Technical Summary
This intrusion campaign, attributed to suspected Chinese operators, employed AI language models (Claude Code) and DeepSeek-v4-pro to automate attacks against government and financial sectors across multiple countries. The attackers used TencShell C2 nodes and implants, webshells, and custom exploits such as SQL injection and Laravel deserialization to gain administrative access and exfiltrate sensitive data. Infrastructure pivoting revealed thirteen Hong Kong-based servers with open directories exposing victim source code, custom exploits, operational logs, and cloned login pages annotated in Simplified Chinese. Targets included government systems in Afghanistan, Thailand, Taiwan, and reconnaissance against U.S. government portals, as well as financial services firms in Europe, Australia, and Asia. The campaign combined multiple attack techniques including phishing, supply chain targeting, and credential access.
Potential Impact
Successful exploitation resulted in administrative system compromise and exfiltration of sensitive government data including citizen complaints and government employee information. The campaign also conducted reconnaissance on U.S. government portals and targeted financial services firms internationally, indicating potential for broader operational impact. The use of custom implants and exploits demonstrates a sophisticated threat capable of persistent access and data theft.
Mitigation Recommendations
No specific patches or fixes are available as this is an active intrusion campaign using custom tools and exploits. Organizations should review their exposure to the described attack techniques (SQL injection, Laravel deserialization, webshells, implants) and strengthen detection and response capabilities accordingly. Since this is not a cloud service, remediation depends on affected organizations applying relevant security controls and incident response. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for any emerging fixes or mitigations.
Indicators of Compromise
- ip: 112.213.124.159
- ip: 134.122.200.153
- ip: 134.122.200.154
- ip: 134.122.200.155
- ip: 192.229.115.229
- ip: 45.64.52.242
- ip: 192.238.134.166
- ip: 112.213.124.132
- hash: 90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8
- ip: 112.213.124.163
- hash: 050b84a0d6105a98f443f0165368cc1c
- hash: 4da236de055bfaf08ee21fb6b88442b4
- hash: 1cac633d290a876fc1ead63c58de48575b67b1fc
- hash: 66049dd42a29dde7481d5ca2951efec27214ce15
- hash: 03f26cbfa3ca15fcb43f512aa4041732beeec267f9d1dc74a11f7b0bb32e86bb
- hash: 2954639be599f23c2229a9743aba09a1d9d11bf2becc62bf353384437db37dee
- hash: 64107e3e0a333f685d1be6386426223a030c4126ac7c295aa7b1d54c508bbace
- hash: 643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f
- hash: ad1a0b3e22a10a2bd680b773b178a0d3824cfcbdf3551016f3d052a0b823079f
- ip: 134.122.200.114
- ip: 134.122.200.115
- ip: 134.122.200.116
- ip: 192.163.167.10
- ip: 192.163.167.5
- ip: 192.163.167.6
- ip: 192.163.167.7
- ip: 192.229.115.230
- ip: 38.55.105.143
- ip: 45.64.52.245
- ip: 45.64.52.246
Suspected Chinese Operators Use Claude Code and DeepSeek to Breach Government Systems Across Four Countries
Description
In June 2026, a suspected Chinese threat actor campaign used AI language models and custom tools to breach government systems in Afghanistan, Thailand, Taiwan, and conduct reconnaissance on U.S. government portals. The attackers leveraged TencShell implants, webshells, and custom exploits including SQL injection and Laravel deserialization to compromise administrative systems and exfiltrate sensitive data such as citizen complaints and government employee information. The campaign also targeted financial services firms across Europe, Australia, and Asia. Infrastructure analysis revealed open directories on Hong Kong-based servers containing victim source code, exploits, operational logs, and cloned login pages with Simplified Chinese notes. The operation utilized AI-powered tools Claude Code and DeepSeek-v4-pro for attack automation and logic execution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This intrusion campaign, attributed to suspected Chinese operators, employed AI language models (Claude Code) and DeepSeek-v4-pro to automate attacks against government and financial sectors across multiple countries. The attackers used TencShell C2 nodes and implants, webshells, and custom exploits such as SQL injection and Laravel deserialization to gain administrative access and exfiltrate sensitive data. Infrastructure pivoting revealed thirteen Hong Kong-based servers with open directories exposing victim source code, custom exploits, operational logs, and cloned login pages annotated in Simplified Chinese. Targets included government systems in Afghanistan, Thailand, Taiwan, and reconnaissance against U.S. government portals, as well as financial services firms in Europe, Australia, and Asia. The campaign combined multiple attack techniques including phishing, supply chain targeting, and credential access.
Potential Impact
Successful exploitation resulted in administrative system compromise and exfiltration of sensitive government data including citizen complaints and government employee information. The campaign also conducted reconnaissance on U.S. government portals and targeted financial services firms internationally, indicating potential for broader operational impact. The use of custom implants and exploits demonstrates a sophisticated threat capable of persistent access and data theft.
Mitigation Recommendations
No specific patches or fixes are available as this is an active intrusion campaign using custom tools and exploits. Organizations should review their exposure to the described attack techniques (SQL injection, Laravel deserialization, webshells, implants) and strengthen detection and response capabilities accordingly. Since this is not a cloud service, remediation depends on affected organizations applying relevant security controls and incident response. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for any emerging fixes or mitigations.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion"]
- Adversary
- null
- Pulse Id
- 6a56a77a59a4d2b99d9aa87f
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip112.213.124.159 | — | |
ip134.122.200.153 | — | |
ip134.122.200.154 | — | |
ip134.122.200.155 | — | |
ip192.229.115.229 | — | |
ip45.64.52.242 | — | |
ip192.238.134.166 | — | |
ip112.213.124.132 | — | |
ip112.213.124.163 | — | |
ip134.122.200.114 | — | |
ip134.122.200.115 | — | |
ip134.122.200.116 | — | |
ip192.163.167.10 | — | |
ip192.163.167.5 | — | |
ip192.163.167.6 | — | |
ip192.163.167.7 | — | |
ip192.229.115.230 | — | |
ip38.55.105.143 | — | |
ip45.64.52.245 | — | |
ip45.64.52.246 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8 | — | |
hash050b84a0d6105a98f443f0165368cc1c | — | |
hash4da236de055bfaf08ee21fb6b88442b4 | — | |
hash1cac633d290a876fc1ead63c58de48575b67b1fc | — | |
hash66049dd42a29dde7481d5ca2951efec27214ce15 | — | |
hash03f26cbfa3ca15fcb43f512aa4041732beeec267f9d1dc74a11f7b0bb32e86bb | — | |
hash2954639be599f23c2229a9743aba09a1d9d11bf2becc62bf353384437db37dee | — | |
hash64107e3e0a333f685d1be6386426223a030c4126ac7c295aa7b1d54c508bbace | — | |
hash643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f | — | |
hashad1a0b3e22a10a2bd680b773b178a0d3824cfcbdf3551016f3d052a0b823079f | — |
Threat ID: 6a5796db68715ace43de0ce7
Added to database: 07/15/2026, 14:19:07 UTC
Last enriched: 07/15/2026, 14:35:14 UTC
Last updated: 07/15/2026, 16:08:57 UTC
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.