Chinese threat actors have been leveraging Claude Code and DeepSeek to orchestrate a sophisticated cyber espionage campaign, compromising government systems and financial institutions. The operation was uncovered by Hunt.io researchers in June 2026, who discovered an open directory on a Hong Kong-based server containing a trove of sensitive information, including victim source code, custom exploit scripts, and operator logs written in Simplified Chinese. The researchers stumbled upon the campaign while investigating known TencShell command-and-control infrastructure, ultimately tracing the activity to 13 Hong Kong-based servers. The use of Claude Code and DeepSeek has enabled the attackers to automate their efforts, making the campaign more efficient and potentially more damaging. The discovery of this campaign highlights the growing concern of state-sponsored cyber espionage, particularly when powered by advanced tools like Claude Code and DeepSeek1. This matters to security practitioners as it underscores the need for enhanced monitoring and detection capabilities to counter such sophisticated threats.
Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign
⚡ High Priority
Why This Matters
Hunt.io researchers stumbled onto an active intrusion campaign in June 2026 while pivoting on known TencShell command-and-control infrastructure.
References
- SecurityAffairs. (2026, July 16). Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign. *SecurityAffairs*. https://securityaffairs.com/195474/ai/claude-code-and-deepseek-powered-chinese-cyber-espionage-campaign.html
Original Source
SecurityAffairs
Read original →