A newly uncovered cyber-espionage campaign linked to Chinese actors is using commercial AI coding tools to automate intrusions that have breached government systems and targeted financial institutions, according to security researchers.
The active operation was identified in June 2026 by threat intelligence firm Hunt.io and reported by Security Affairs. It marks a significant operational shift, showing artificial intelligence being directly integrated into the attack lifecycle to speed up reconnaissance, payload creation, and infrastructure management.
The Hunt: A Digital Thread Through Hong Kong
The discovery originated not from an alert, but from proactive threat hunting. While tracing infrastructure tied to the TencShell command-and-control framework—a toolset used by advanced threat actors—researchers spotted a unique HTTP header fingerprint on port 1111.
That single indicator became the thread that, when pulled, revealed a network. It led to a cluster of 13 servers all hosted in Hong Kong. Analysis of these systems confirmed they were part of an active campaign orchestrated against both government and financial sector targets. Researchers note that the specific locations of the targeted institutions within those sectors were not disclosed in the public report.
AI Tools as Force Multipliers
The core of the operation leveraged widely available AI platforms. According to the analysis, the attackers deployed Anthropic's Claude Code and the open-source DeepSeek model as automated co-pilots within their workflow.
These tools reportedly assisted in generating malicious code and scripting payloads, potentially even aiding in the logic for command-and-control communication. This use of mainstream AI allows attackers to rapidly iterate and modify their toolset, creating a dynamic threat that can elude signature-based defenses. The campaign demonstrates that AI is no longer a theoretical concern but an active component in the offensive playbooks of advanced groups.
From Signatures to Behavior
A key takeaway is that this campaign was uncovered through behavioral analysis, not malware signatures. The unique network fingerprint that led to the discovery is a prime example of an infrastructure-based indicator.
Researchers argue this underscores a defensive paradigm shift. Security teams are urged to focus on monitoring internal network activity for anomalies and to develop capabilities for this type of infrastructure-centric threat hunting. The use of common commercial AI tools also complicates attribution and requires new intelligence frameworks to distinguish between human-operated and AI-assisted activity.
Ultimately, the campaign is a clear signal that offensive cyber operations are evolving. The integration of AI as an automated ally by threat actors is creating adaptive, efficient threats, pushing the cybersecurity community to accelerate its own adoption of advanced, behavior-focused defense strategies.
安全研究人員披露,一項新近發現、與中國行為者相關的網絡間諜行動,正利用商業AI編碼工具自動化入侵操作,已成功滲透政府系統並針對金融機構發動攻擊。
威脅情報公司 Hunt.io 於2026年6月識別出這個活躍行動,並由 Security Affairs 進行報導。此事件標誌著顯著的運作模式轉變,顯示人工智能正被直接整合到攻擊生命週期中,以加速偵察、惡意載荷製作及基礎設施管理流程。
追蹤:穿過香港的數碼線索
發現源於主動威脅追蹤而非警報。研究人員在追溯與 TencShell 命令與控制框架(一套進階威脅行為者使用的工具組)相關的基礎設施時,於1111端口發現了獨特的HTTP標頭指紋。
該單一指標成為一拉即現網絡全貌的線索,指向集群在港託管的13台伺服器。分析證實這些系統屬於針對政府及金融部門目標的活躍行動一部分。研究人員指出,公開報告中未披露被針對機構在上述部門的具體位置。
AI工具成為力量倍增器
行動核心利用了廣泛可用的AI平台。分析顯示,攻擊者部署了Anthropic的Claude Code與開源DeepSeek模型作為自動化協作工具,整合於其工作流程中。
據報這些工具協助生成惡意代碼與惡意載荷腳本,甚至可能輔助命令與控制通訊邏輯。運用主流AI使攻擊者能快速迭代修改工具組,創造出能規避基於特徵碼防禦的動態威脅。此行動證明AI已不再是理論性威脅,而是進階組織攻擊劇本中的實戰組件。
從特徵碼轉向行為分析
關鍵要點在於此行動是透過行為分析而非惡意軟件特徵碼被揭露。導致發現的獨特網絡指紋,是基於基礎設施的威脅指標典型範例。
研究人員強調這突顯了防禦範式的轉變。安全團隊應專注監控內部網絡活動異常,並發展此類以基礎設施為核心的威脅追蹤能力。常見商業AI工具的使用也增加歸因難度,需要新的情報框架來區分人類操作與AI輔助活動。
歸根究底,此行動明確發出信號:進攻性網絡行動正在演進。威脅行為者整合AI作為自動化盟友,正催生適應性強、效率高的威脅,迫使網絡安全社群加速採納以行為為本的先進防禦策略。
