Researchers traced an active intrusion campaign after pivoting from TencShell C2 infrastructure to an open directory on Hong Kong-based servers that exposed malware, exploit scripts, victim source code, and operator logs. The campaign used Claude Code and DeepSeek-v4-pro to automate reconnaissance, exploit development, phishing, and session management while targeting government and financial organizations across multiple countries. #TencShell #ClaudeCode #DeepSeekv4pro #Gshell #HSEWHUr
Keypoints
- The investigation began with a pivot from known TencShell C2 infrastructure to an open directory exposing active intrusion tooling.
- The directory on 112.213.124[.]132 contained victim source code, custom exploit scripts, cloned login pages, operator logs, and malware samples.
- The infrastructure cluster included 13 Hong Kong-based servers across four ASNs, with shared SSH keys and TLS certificates among multiple hosts.
- Claude Code and DeepSeek-v4-pro were used operationally in the intrusion, handling execution, reasoning, exploit refinement, phishing page creation, and persistence.
- Attackers targeted government systems in Afghanistan, Thailand, Taiwan, and the United States, including reconnaissance against NASA and fake U.S. government pages.
- Additional activity targeted financial services firms, including a CORS-based exploit that extracted WordPress administrator data from a payment processing platform.
- Evidence suggested a China-linked operator set, based on Simplified Chinese artifacts, Hong Kong infrastructure, and targeted government and supply-chain activity.
MITRE Techniques
- [T1087 ] Account Discovery â Used to enumerate users and login-related information from targeted systems and cloud services (âenumeration of cloud service accountsâ and extracting administrator account data).
- [T1046 ] Network Service Scanning â Used for broad scanning and fingerprinting of government hosts and services across multiple countries (âscanning of 5,890+ government hosts across 10 countriesâ and HTTP service fingerprinting).
- [T1595 ] Active Scanning â Used to probe targets with DNS, subdomain, GitLab, Jira, webmail, and adjacent IP discovery (âDNS brute-forcing, certificate transparency queries, adjacent IP discovery, and HTTP service fingerprintingâ).
- [T1110 ] Brute Force â Used in attempts against webmail and password systems, including failed password brute-force activity (âpassword brute-forcingâ and âfailed password brute-force attemptsâ).
- [T1190 ] Exploit Public-Facing Application â Used SQL injection and web application exploitation against government and corporate targets (âsuccessfully attacked via SQL injectionâ and âachieve remote code executionâ).
- [T1505.003 ] Web Shell â Used a GIF polyglot webshell and JSP/PHP web shells for persistent command execution (âdeployment of a GIF polyglot webshellâ and âJSP and PHP web shellsâ).
- [T1005 ] Data from Local System â Used to collect victim source code, logs, database dumps, and other files from compromised directories (âvictim source code, exploit scripts, and operator logsâ).
- [T1027 ] Obfuscated Files or Information â Used garble and disguised web shells/images to hide functionality (âuses garble to strip function and variable namesâ and âweb shells some disguised as imagesâ).
- [T1552.001 ] Credentials In Files â Used to recover hardcoded keys, tokens, credentials, and config secrets from exposed files (âhardcoded Supabase anon keys, Azure Logic App SAS tokensâ).
- [T1059.004 ] Unix Shell â Used Claude Code and bash command execution to run tasks and automate operations (âmanaging agentic tool use, bash command executionâ).
- [T1105 ] Ingress Tool Transfer â Used malware download and delivery from the open directory and C2 infrastructure (âHTTP Malware Downloadâ and binary retrieval via GET requests).
- [T1071.001 ] Web Protocols â Used WebSocket and HTTP-based communications for malware beacons and operator access (âbeacons over WebSocketâ and HTTP authentication headers).
- [T1219 ] Remote Access Software â Used legitimate remote tooling such as ARL, Vshell, and DeepAudit as part of the attack environment (âARL provides reconnaissance, Vshell provides command and controlâ).
- [T1078 ] Valid Accounts â Used harvested credentials and access keys to reach cloud and application accounts (âcloud service access keys theftâ and ârecovered credentialsâ).
- [T1055 ] Process Injection â Not explicitly confirmed; no direct evidence in the article.
Indicators of Compromise
- [IP addresses and ports] Open directory and malware delivery infrastructure â 112.213.124[.]132:1111, 112.213.124[.]159:1111, and other Hong Kong-hosted servers
- [IP addresses and ports] Suspected TencShell/Gshell infrastructure â 192.229.115[.]229:8090, 192.229.115[.]230:8090, 134.122.200[.]153:443, and other related hosts
- [IP addresses and ports] Possible additional C2 and malware host â 38.55.105[.]143:8088, 192.238.134[.]166:1212
- [File hashes] Malware samples recovered from the infrastructure â SHA-256 90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8, 643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f
- [File names] Recovered malware and sample labels â HSEWH-Ur, 8eA-GlbK, r4l3DqLA, Ar70qICi
- [Certificates] Gshell-identifying TLS certificate fields â CN = Gshell Server, O = Gshell C2, plus matching certificate SHA-256 2954639BE599F23C2229A9743ABA09A1D9D11BF2BECC62BF353384437DB37DEE
- [Host artifacts] Network and web infrastructure observed in the directory â Python SimpleHTTP, ARL, Vshell, DeepAudit, and open directory on port 8888
Read more: https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion