Suspected Chinese Operators Use Claude Code and DeepSeek to Target Government and Financial Systems Across Four Countries

Suspected Chinese Operators Use Claude Code and DeepSeek to Target Government and Financial Systems Across Four Countries
Researchers traced an active intrusion campaign after pivoting from TencShell C2 infrastructure to an open directory on Hong Kong-based servers that exposed malware, exploit scripts, victim source code, and operator logs. The campaign used Claude Code and DeepSeek-v4-pro to automate reconnaissance, exploit development, phishing, and session management while targeting government and financial organizations across multiple countries. #TencShell #ClaudeCode #DeepSeekv4pro #Gshell #HSEWHUr

Keypoints

  • The investigation began with a pivot from known TencShell C2 infrastructure to an open directory exposing active intrusion tooling.
  • The directory on 112.213.124[.]132 contained victim source code, custom exploit scripts, cloned login pages, operator logs, and malware samples.
  • The infrastructure cluster included 13 Hong Kong-based servers across four ASNs, with shared SSH keys and TLS certificates among multiple hosts.
  • Claude Code and DeepSeek-v4-pro were used operationally in the intrusion, handling execution, reasoning, exploit refinement, phishing page creation, and persistence.
  • Attackers targeted government systems in Afghanistan, Thailand, Taiwan, and the United States, including reconnaissance against NASA and fake U.S. government pages.
  • Additional activity targeted financial services firms, including a CORS-based exploit that extracted WordPress administrator data from a payment processing platform.
  • Evidence suggested a China-linked operator set, based on Simplified Chinese artifacts, Hong Kong infrastructure, and targeted government and supply-chain activity.

MITRE Techniques

  • [T1087 ] Account Discovery – Used to enumerate users and login-related information from targeted systems and cloud services (‘enumeration of cloud service accounts’ and extracting administrator account data).
  • [T1046 ] Network Service Scanning – Used for broad scanning and fingerprinting of government hosts and services across multiple countries (‘scanning of 5,890+ government hosts across 10 countries’ and HTTP service fingerprinting).
  • [T1595 ] Active Scanning – Used to probe targets with DNS, subdomain, GitLab, Jira, webmail, and adjacent IP discovery (‘DNS brute-forcing, certificate transparency queries, adjacent IP discovery, and HTTP service fingerprinting’).
  • [T1110 ] Brute Force – Used in attempts against webmail and password systems, including failed password brute-force activity (‘password brute-forcing’ and ‘failed password brute-force attempts’).
  • [T1190 ] Exploit Public-Facing Application – Used SQL injection and web application exploitation against government and corporate targets (‘successfully attacked via SQL injection’ and ‘achieve remote code execution’).
  • [T1505.003 ] Web Shell – Used a GIF polyglot webshell and JSP/PHP web shells for persistent command execution (‘deployment of a GIF polyglot webshell’ and ‘JSP and PHP web shells’).
  • [T1005 ] Data from Local System – Used to collect victim source code, logs, database dumps, and other files from compromised directories (‘victim source code, exploit scripts, and operator logs’).
  • [T1027 ] Obfuscated Files or Information – Used garble and disguised web shells/images to hide functionality (‘uses garble to strip function and variable names’ and ‘web shells some disguised as images’).
  • [T1552.001 ] Credentials In Files – Used to recover hardcoded keys, tokens, credentials, and config secrets from exposed files (‘hardcoded Supabase anon keys, Azure Logic App SAS tokens’).
  • [T1059.004 ] Unix Shell – Used Claude Code and bash command execution to run tasks and automate operations (‘managing agentic tool use, bash command execution’).
  • [T1105 ] Ingress Tool Transfer – Used malware download and delivery from the open directory and C2 infrastructure (‘HTTP Malware Download’ and binary retrieval via GET requests).
  • [T1071.001 ] Web Protocols – Used WebSocket and HTTP-based communications for malware beacons and operator access (‘beacons over WebSocket’ and HTTP authentication headers).
  • [T1219 ] Remote Access Software – Used legitimate remote tooling such as ARL, Vshell, and DeepAudit as part of the attack environment (‘ARL provides reconnaissance, Vshell provides command and control’).
  • [T1078 ] Valid Accounts – Used harvested credentials and access keys to reach cloud and application accounts (‘cloud service access keys theft’ and ‘recovered credentials’).
  • [T1055 ] Process Injection – Not explicitly confirmed; no direct evidence in the article.

Indicators of Compromise

  • [IP addresses and ports] Open directory and malware delivery infrastructure – 112.213.124[.]132:1111, 112.213.124[.]159:1111, and other Hong Kong-hosted servers
  • [IP addresses and ports] Suspected TencShell/Gshell infrastructure – 192.229.115[.]229:8090, 192.229.115[.]230:8090, 134.122.200[.]153:443, and other related hosts
  • [IP addresses and ports] Possible additional C2 and malware host – 38.55.105[.]143:8088, 192.238.134[.]166:1212
  • [File hashes] Malware samples recovered from the infrastructure – SHA-256 90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8, 643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f
  • [File names] Recovered malware and sample labels – HSEWH-Ur, 8eA-GlbK, r4l3DqLA, Ar70qICi
  • [Certificates] Gshell-identifying TLS certificate fields – CN = Gshell Server, O = Gshell C2, plus matching certificate SHA-256 2954639BE599F23C2229A9743ABA09A1D9D11BF2BECC62BF353384437DB37DEE
  • [Host artifacts] Network and web infrastructure observed in the directory – Python SimpleHTTP, ARL, Vshell, DeepAudit, and open directory on port 8888


Read more: https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion