Chinese state-sponsored hackers are increasingly leveraging advanced artificial intelligence tools in their cyber espionage operations. This development marks a significant shift in the use of AI from passive research tools to active components in cyber attacks.
Integration of AI in Cyber Operations
Claude Code and DeepSeek-v4-pro have been utilized not as supplementary tools, but as integral parts of a China-linked cyber espionage campaign. These AI platforms were embedded directly into the core processes of the operation, according to Hunt researchers.
The campaign, linked to known TencShell command-and-control infrastructure, was first identified in May 2026. It involved the exposure of an open directory containing a variety of sensitive materials, including victim source code and exploit scripts.
Role of AI Tools in the Campaign
Hunt researchers found that Claude Code was responsible for automating tasks such as managing interactive bash environments and maintaining session persistence. Meanwhile, DeepSeek-v4-pro handled high-level reasoning for attacks, including script generation and security evasion logic.
Detailed instructions in the CLAUDE.md workspace showed how these tools constructed and optimized phishing infrastructure, particularly targeting Taiwan-based intelligence needs. This operational flow reflects previous advisories about China’s use of malicious developer tools.
Infrastructure and Global Impact
The infrastructure supporting these operations was remarkably elaborate, involving 13 primary servers across Hong Kong-based networks. The primary node hosted a versatile toolkit for network mapping, vulnerability identification, and remote administration.
Targets of the campaign were diverse, spanning countries like Taiwan, Thailand, Afghanistan, and the United States. Each region faced different attack vectors, from SQL injections to cross-origin resource sharing exploits, tailored to their specific vulnerabilities.
The campaign illustrates a sophisticated threat landscape where attackers use customized exploits and real-time AI-driven evasion techniques to harvest credentials from corporate applications.
Significance and Future Outlook
The use of AI in these cyber operations is a critical development, highlighting the transition of AI tools from research aids to direct contributors in cyber warfare. This raises concerns about the dual-use nature of AI technologies in malicious activities.
The evidence linking the operations to Chinese entities includes the use of simplified Chinese documentation and the geographical distribution of infrastructure. This suggests a strategic alignment with state intelligence objectives.
As AI continues to evolve, its role in cyber threats will likely grow, necessitating new defensive strategies and international cooperation to mitigate risks.
