2027 CISO Priorities: Where Security Leaders Are Investing in the AI Era Register Now →

High

CA-26-026: Suspected Chinese State-Sponsored Intrusion Campaign Leveraging Split-Model Agentic AI Architectures

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 8 minutes

Chinese State-Sponsored; Artificial Intelligence; LLM; Agentic Frameworks; Espionage

Source Material: Hunt.io Report | Technology: Edge/Cloud Infrastructure  | Targeted Industries: Government, Financial Services, Supply Chain, Manufacturing

Executive Summary

Threat intelligence analysts have discovered a sophisticated intrusion campaign attributed with high confidence to suspected Chinese state-sponsored operators. Active exploitation was observed against government systems, critical supply chains, and financial infrastructure across Thailand, Taiwan, and Afghanistan, alongside active reconnaissance and phishing staging targeting United States government entities.

This activity marks a significant evolution in adversary tradecraft. Operators actively embedded a “split-model” artificial intelligence architecture into their offensive operations. By pairing the Chinese-developed DeepSeek-v4-pro model for cognitive reasoning with Anthropic’s Claude Code for agentic terminal execution, the attackers automated complex exploit generation, reconnaissance, and infrastructure deployment at machine speeds.

The operators utilized dual command-and-control (C2) frameworks, TencShell and Gshell, deployed from a redundant cluster of servers in Hong Kong. Payloads included cross-compiled Linux/ARM and Linux/x86 malware designed specifically to compromise edge devices and cloud-native environments, targeting identity and access management (IAM) credentials and enterprise messaging tokens. Deepwatch is actively analyzing intelligence associated with this campaign.

Threat Overview and Strategic Impact

The use of a split-model AI architecture allows threat actors to bypass the safety guardrails typical of Western LLMs. The operators leveraged DeepSeek-v4-pro, a model recently flagged by the U.S. government as a profound national security threat tied to the Chinese Communist Party, as their primary logic engine. Available reporting indicators that DeepSeek was utilized to analyze target environments, conceptualize security bypasses, and dynamically rewrite exploit scripts in real-time when initial intrusion attempts failed against hardened targets.

By isolating the restricted reasoning tasks to DeepSeek, the operators successfully weaponized Claude Code (v2.1.165) as their execution handler. Intelligence indicates the attackers fed Claude Code deceptive persona prompts to bypass its alignment training, tricking the model into operating as an authorized security tester. Once unconstrained, Claude reportedly acted as an autonomous agent to execute arbitrary bash commands on compromised Linux hosts, maintain session persistence, parallelize tasks across endpoints, and autonomously develop and deploy credential-harvesting phishing portals.

The campaign’s physical infrastructure relied on 13 synchronized Virtual Private Servers in Hong Kong, primarily across the MEGA-II IDC network. The primary node (112.213.124[.]132) hosted the overarching attack workflow, utilizing designated ports for specific operational tools like DeepAudit (Port 3000) and Asset Reconnaissance Lighthouse (Port 5003). The attackers deployed multi-platform Go-based implants, including a statically linked ARM variant (HSEWH-Ur) for IoT and edge devices, and a heavily obfuscated x86 variant (Ar70qICi) masked via the garble compiler tool. Both implants focus heavily on credential theft, specifically extracting Tencent messaging SDK keys and enterprise cloud IAM tokens.

Security Hardening and Recommendations

Organizations should implement defense-in-depth strategies that account for both traditional network observables and novel AI-agentic behaviors:

  • Harden IAM and Credentials: The identified malware targets single sign-on patterns and cloud keys. Implement short-lived OAuth 2.0 tokens, enforce strict Role-Based Access Control (RBAC), and mandate phishing resistant MFA across all external administrative portals.
  • Restrict Registry Run Key Modifications: TencShell establishes persistent execution on Windows systems by creating an autorun registry key under \Software\Microsoft\Windows\CurrentVersion\Run with the value name OneDriveHealthTask. Enforce endpoint security policies that alert on or block unauthorized modifications to standard startup Registry keys, particularly those mimicking legitimate Windows services.
  • Block Masqueraded Web Asset Extensions: Block or alert on web requests fetching executable code masquerading as standard web assets. The TencShell loader leverages the Web Open Font Format (.woff) extension to disguise the download of compiled Donut shellcode over HTTP/S.

Detection Strategy

Standard signature-based detection is insufficient against dynamically generated AI exploits. Defenders should shift focus toward behavioral anomalies and infrastructure telemetry:

  • Detect Automated, Agentic Terminal Activity: Monitor endpoint telemetry for rapid sequences of shell commands that mimic human administrative behavior but execute at machine speeds. Look for anomalous parenting behaviors, such as web servers (apache, nginx, iis) or database processes spawning interactive shells (sh, bash, cmd.exe) that execute rapid-fire environment enumeration, directory traversal, and credential-hunting commands within seconds of each other.
  • Monitor for OneDriveHealthTask Startup Persistence: Monitor for file creations or process executions associated with a registry run key value named OneDriveHealthTask executing outside of standard Microsoft directories.
  • Block Hong Kong C2 Infrastructure: Isolate, block, and alert on traffic communicating with the identified Hong Kong ASNs (MEGA-II IDC, VMISS Inc., CTG Server Limited) where business requirements permit.

How Deepwatch Protects Our Customers

Deepwatch uses Dynamic Risk Scoring (DRS) to combat these AI-driven threats, which can potentially bypass traditional defenses. This strategy directly addresses the need to correlate multiple subtle events into a unified, high-fidelity alert.

Here is how we protect your environment at machine speed:

  • The Risk Cache: Instead of requiring a single event to cross a definitive “alert” threshold, our systems monitor for anomalous and risky behaviors. These events are temporarily stored in a dynamic risk cache.
  • Intelligent Correlation: Our analytics engine continuously evaluates the risk cache. When

multiple lower-level anomalies chain together, their combined risk score escalates.

  • High-Fidelity Alerting: Once the correlated score from these seemingly anomalous activities breaches our dynamic threshold, a single, comprehensive incident alert is generated. This allows our SOC to see the entire attack timeline at once, rather than chasing isolated, confusing events.

By tracking active-exploitation behaviors and correlating events, rather than relying solely on static

signatures, Dynamic Risk Scoring allows us to catch AI-generated attacks, even if they have never

been seen before in the wild.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • Hunt for TLS certificates presenting the subject CN = Gshell Server, O = Gshell C2 on ports 443 and 8083.
  • Analyze external web traffic for high-volume automated scanning indicative of Asset Reconnaissance Lighthouse (ARL) deployments.
  • Review cloud telemetry for abnormal bulk extraction of IAM access keys from edge devices or Linux servers.

Technical Artifacts 

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  •  Suspected Chinese State-Sponsored Actors

Attack Pattern (MITRE ATT&CK/MITRE ATLAS):

TacticTechniqueIDAssociated Threat Activity
ReconnaissanceGather Victim Host InformationT1592Use of Asset Reconnaissance Lighthouse to map target networks.
ReconnaissanceActive ScanningT1595Automated Python scripts scanning external hosts for vulnerabilities.
Resource DevelopmentDevelop Capabilities: MalwareT1587.001AI-augmented dynamic rewriting of custom exploit scripts.
Resource DevelopmentObtain CapabilitiesAML.T0016Acquisition of DeepSeek-v4-pro and Claude Code models.
AI Attack StagingGenerate Malicious CommandsAML.T0102Using DeepSeek as a logic engine to generate bypass commands.
AI Attack StagingGenerate DeepfakesAML.T0088Using Claude Code to automatically generate and clone login portals.
Initial AccessExploit Public-Facing ApplicationT1190Exploiting vulnerabilities in billing platforms and custom CORS exploits.
Initial AccessPhishingAML.T0052Deployment of AI-generated phishing portals to harvest credentials.
ExecutionCommand and Scripting Interpreter: Unix ShellT1059.004Claude Code running arbitrary bash commands on compromised Linux hosts.
ExecutionCommand and Scripting Interpreter: Windows Command ShellT1059.003TencShell executing native shell commands on compromised Windows hosts.
ExecutionDeploy AI AgentAML.T0103Weaponizing the Claude Code framework for autonomous local execution.
ExecutionAI Agent Tool InvocationAML.T0053Claude Code bridging natural language reasoning with native file tools.
ExecutionShared ModulesT1129Go-compiled binaries loading modular framework dependencies.
Defense EvasionReflective Code LoadingT1620Using Donut shellcode to execute the PE payload entirely in memory.
Defense EvasionProcess InjectionT1055Allocating local executable memory buffers to run staged shellcode.
Defense EvasionMasquerading: Masquerade File TypeT1036.008Masking compiled shellcode payloads behind .woff web-font extensions.
Defense EvasionObfuscated Files or InformationT1027Linux malware payload obfuscated using the Go garble compiler.
Defense EvasionLLM JailbreakAML.T0054Using persona prompts to trick Claude Code into bypassing safety guardrails.
Defense EvasionIndicator Removal on Host: File DeletionT1070.004Native implementation of TencShell self-delete routine (Opcode 0x1B).
PersistenceRegistry Run Keys / Startup Folder: Registry Run KeysT1547.001Establishing autorun persistence via the OneDriveHealthTask Registry value.
Privilege EscalationAbuse Elevation Control Mechanism: Bypass UACT1548.002Native implementation of TencShell UAC bypass routine (Opcode 0x31).
Credential AccessUse Alternate Authentication MaterialT1550 / AML.T0091Implants designed to extract Tencent messaging keys and cloud IAM tokens.
CollectionData from Local SystemT1005Exfiltrating host data, browser cookies, and application configuration databases.
CollectionScreen CaptureT1113Executing screen streaming and capturing commands (Opcodes 0x46 & 0x47).
Command and ControlApplication Layer Protocol: Web ProtocolsT1071.001TencShell and Gshell communicating over HTTP/S using custom headers.
Command and ControlNon-Standard PortT1571Statically linked ARM implants beaconing over WebSockets on Port 4081.
Command and ControlProxy: Internal ProxyT1090.001Spawning custom SOCKS5 proxy tunnels through the target host (Opcode 0x14).

Vulnerabilities:

  • Unknown

Malware/Tool:

  • TencShell
  • Gshell
  • HSEWH-Ur
  • Ar70qICi
  • DeepSeek-v4-pro
  • Claude Code (v2.1.165)
  • Asset Reconnaissance Lighthouse
  • DeepAudit

Additional Sources

Share

LinkedIn Twitter Facebook