Suspected Chinese Operators Target Government and Financial Systems in Four Countries Using Claude Code and DeepSeek

    Date: 07/15/2026

    Severity: High

    Summary

    A suspected China-linked threat actor used the TencShell backdoor alongside Claude Code and DeepSeek-v4-pro to automate cyberespionage operations targeting government and financial systems. The recovered infrastructure contained exploit scripts, victim data, and AI-generated phishing pages used to harvest credentials, while Claude Code managed execution and persistence and DeepSeek assisted with exploit development and reasoning. The campaign targeted organizations in Afghanistan, Thailand, Taiwan, and the United States, highlighting the growing use of AI to enhance offensive cyber operations.  

    Indicators of Compromise (IOC) List 

    IP Address

    112.213.124.163

    192.238.134.166

    134.122.200.153

    192.229.115.229

    45.64.52.245

    134.122.200.154

    112.213.124.159

    45.64.52.242

    38.55.105.143

    45.64.52.246

    112.213.124.132

    134.122.200.155

    192.229.115.230

    192.163.167.5

    192.163.167.7

    134.122.200.114

    134.122.200.115

    192.163.167.6

    192.163.167.10

    134.122.200.116

    Hash

    90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8

    643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("112.213.124.163","192.238.134.166","112.213.124.132","192.163.167.6","134.122.200.116","192.229.115.229","134.122.200.154","192.163.167.7","45.64.52.242","45.64.52.245","192.229.115.230","134.122.200.114","112.213.124.159","134.122.200.153","38.55.105.143","134.122.200.155","192.163.167.5","45.64.52.246","134.122.200.115","192.163.167.10") or srcipaddress IN ("112.213.124.163","192.238.134.166","112.213.124.132","192.163.167.6","134.122.200.116","192.229.115.229","134.122.200.154","192.163.167.7","45.64.52.242","45.64.52.245","192.229.115.230","134.122.200.114","112.213.124.159","134.122.200.153","38.55.105.143","134.122.200.155","192.163.167.5","45.64.52.246","134.122.200.115","192.163.167.10")

    Detection Query 2 :

    sha256hash IN ("643de2a1cf9148b896efecf560c9476fa56118ec477c4e15eb5c2da4b318061f","90b7b2c6f3d05234dc55678243039d7e51f0d54190239e5234a0005533337dc8")

    Reference:    

    https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion#Key_Findings                   


    Tags

    Threat ActorChinaBackdoorDeepSeekCyber EspionageGovernment Services and FacilitiesFinancial ServicesExploitPhishingCredential HarvestingAIAfghanistanThailandTaiwanUnited StatesMalware

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags