Hunt.io Finds Claude Code and DeepSeek in an Active Intrusion Toolkit
Hunt.io says an exposed operator directory revealed Claude Code and DeepSeek-v4-pro being used inside a suspected China-linked intrusion workflow targeting government and commercial systems. The researchers attribute confirmed compromises in Afghanistan, Thailand, and Taiwan to the observed campaign, while describing U.S. activity as reconnaissance and phishing preparation rather than a confirmed breach. The evidence is a single firm's technical investigation, not independent attribution. LDS focuses on the defensive signal: security teams should monitor agent runtimes, model endpoints, shell execution, credential access, and long-lived sessions together, because model traffic alone cannot distinguish legitimate development from an AI-assisted attack chain.
What happened
Hunt.io says it found an exposed directory containing operator logs, exploit scripts, phishing pages, victim files, malware, and a split-model workflow using Claude Code and DeepSeek-v4-pro. The researchers linked the directory to infrastructure associated with TencShell and assessed the operators as suspected China-linked.
The report attributes confirmed compromises in Afghanistan, Thailand, and Taiwan to the observed activity. It describes U.S. government systems as reconnaissance and phishing-preparation targets, not confirmed compromises. Hunt.io says affected organizations and national incident-response teams were notified before publication. GBHackers summarized the findings, but its report relies on Hunt.io rather than independently reproducing the investigation.
Security context
The important change is operational integration. Hunt.io says Claude Code handled execution and persistent sessions while DeepSeek-v4-pro supplied reasoning and exploit adaptation. That does not mean either model independently initiated the campaign, and the report does not establish that every operator action was autonomous. It shows that general-purpose agent tooling can become part of the same workflow as reconnaissance, code analysis, exploitation, credential theft, and phishing development.
| Defensive layer | Evidence to correlate | Useful control |
|---|---|---|
| Agent runtime | Long sessions, tool calls, workspace access | Approved binaries and process monitoring |
| Model access | Unusual endpoints, tokens, or request volume | Egress policy and account-level alerts |
| Shell activity | Reconnaissance, exploit retries, bulk file access | Command telemetry and least privilege |
| Credentials | Cloud keys, session tokens, messaging secrets | Secret scanning and rapid revocation |
| Infrastructure | Reused certificates, keys, headers, and ports | Threat-intelligence matching and containment |
For practitioners
A useful detection strategy should correlate behavior across these layers. Blocking a model domain may miss locally routed or compatible endpoints, while alerting on every coding-agent process will overwhelm teams that legitimately use them. Higher-confidence detections combine an agent runtime with suspicious shell commands, sensitive-file access, credential use, network scanning, or persistence.
Teams should also separate attribution confidence from response urgency. Even if the suspected national link remains unconfirmed, exposed credentials, web shells, cloned login pages, and active command infrastructure warrant incident handling. Hunt.io's published indicators can support hunting, but defenders should validate them against their own telemetry and time window before blocking.
Editorial analysis
LDS sees the report as evidence that AI-assisted intrusion is becoming an observability problem, not a special new category of malware. The defensive unit is the complete agent-to-tool chain: identity, model endpoint, command execution, filesystem access, network activity, and resulting changes.
What to watch
Watch for independent confirmation, additional affected organizations, vendor abuse mitigations, public incident-response findings, and detection rules that distinguish authorized agent use from exploitation workflows.
Key Points
- 1Hunt.io reports Claude Code and DeepSeek-v4-pro were integrated into a suspected China-linked intrusion workflow rather than used only for drafting.
- 2The report distinguishes confirmed compromises in three countries from U.S. reconnaissance and phishing preparation, where no compromise was established.
- 3LDS recommends correlating agent, model, shell, credential, and network telemetry instead of treating model access as a sufficient detection signal.
Scoring Rationale
An impact score of 7.0 reflects detailed evidence of models embedded in an active intrusion workflow, tempered by single-origin attribution and limited independent confirmation.
Sources
Primary source and supporting public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

