Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Suspected Chinese Operators Use Claude Code and DeepSeek to Breach Government Systems Across Four Countries

0
Medium
Published: 07/14/2026 (07/14/2026, 21:17:46 UTC)
Source: AlienVault OTX General

Description

In June 2026, a suspected Chinese threat actor campaign used AI language models and custom tools to breach government systems in Afghanistan, Thailand, Taiwan, and conduct reconnaissance on U.S. government portals. The attackers leveraged TencShell implants, webshells, and custom exploits including SQL injection and Laravel deserialization to compromise administrative systems and exfiltrate sensitive data such as citizen complaints and government employee information. The campaign also targeted financial services firms across Europe, Australia, and Asia. Infrastructure analysis revealed open directories on Hong Kong-based servers containing victim source code, exploits, operational logs, and cloned login pages with Simplified Chinese notes. The operation utilized AI-powered tools Claude Code and DeepSeek-v4-pro for attack automation and logic execution.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 14:35:14 UTC

Technical Analysis

This intrusion campaign, attributed to suspected Chinese operators, employed AI language models (Claude Code) and DeepSeek-v4-pro to automate attacks against government and financial sectors across multiple countries. The attackers used TencShell C2 nodes and implants, webshells, and custom exploits such as SQL injection and Laravel deserialization to gain administrative access and exfiltrate sensitive data. Infrastructure pivoting revealed thirteen Hong Kong-based servers with open directories exposing victim source code, custom exploits, operational logs, and cloned login pages annotated in Simplified Chinese. Targets included government systems in Afghanistan, Thailand, Taiwan, and reconnaissance against U.S. government portals, as well as financial services firms in Europe, Australia, and Asia. The campaign combined multiple attack techniques including phishing, supply chain targeting, and credential access.

Potential Impact

Successful exploitation resulted in administrative system compromise and exfiltration of sensitive government data including citizen complaints and government employee information. The campaign also conducted reconnaissance on U.S. government portals and targeted financial services firms internationally, indicating potential for broader operational impact. The use of custom implants and exploits demonstrates a sophisticated threat capable of persistent access and data theft.

Mitigation Recommendations

No specific patches or fixes are available as this is an active intrusion campaign using custom tools and exploits. Organizations should review their exposure to the described attack techniques (SQL injection, Laravel deserialization, webshells, implants) and strengthen detection and response capabilities accordingly. Since this is not a cloud service, remediation depends on affected organizations applying relevant security controls and incident response. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for any emerging fixes or mitigations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion"]
Adversary
null
Pulse Id
6a56a77a59a4d2b99d9aa87f
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip112.213.124.159
ip134.122.200.153
ip134.122.200.154
ip134.122.200.155
ip192.229.115.229
ip45.64.52.242
ip192.238.134.166
ip112.213.124.132
ip112.213.124.163
ip134.122.200.114
ip134.122.200.115
ip134.122.200.116
ip192.163.167.10
ip192.163.167.5
ip192.163.167.6
ip192.163.167.7
ip192.229.115.230
ip38.55.105.143
ip45.64.52.245
ip45.64.52.246

Hash

ValueDescriptionCopy
hash90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8
hash050b84a0d6105a98f443f0165368cc1c
hash4da236de055bfaf08ee21fb6b88442b4
hash1cac633d290a876fc1ead63c58de48575b67b1fc
hash66049dd42a29dde7481d5ca2951efec27214ce15
hash03f26cbfa3ca15fcb43f512aa4041732beeec267f9d1dc74a11f7b0bb32e86bb
hash2954639be599f23c2229a9743aba09a1d9d11bf2becc62bf353384437db37dee
hash64107e3e0a333f685d1be6386426223a030c4126ac7c295aa7b1d54c508bbace
hash643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f
hashad1a0b3e22a10a2bd680b773b178a0d3824cfcbdf3551016f3d052a0b823079f

Threat ID: 6a5796db68715ace43de0ce7

Added to database: 07/15/2026, 14:19:07 UTC

Last enriched: 07/15/2026, 14:35:14 UTC

Last updated: 07/15/2026, 16:08:57 UTC

Views: 19

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses