The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China-nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations against approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal database user account tables to enumerate accounts and identify high-privilege accounts within compromised environments.[1] |
| Enterprise | T1595.001 | Active Scanning: Scanning IP Blocks | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to scan infrastructure across IP ranges associated with the target organization.[1] |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to scan target infrastructure to identify potential vulnerabilities and to enumerate services and endpoints.[1] |
| Enterprise | T1119 | Automated Collection | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to automatically collect and process large volumes of data without human direction.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During the Anthropic AI-orchestrated Campaign, the adversary operated dedicated penetration testing servers accessible via MCP to support remote command execution, simultaneous tool coordination, and persistent operational state maintenance across campaign sessions.[1] |
| Enterprise | T1136.001 | Create Account: Local Account | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to create a local backdoor account to maintain access.[1] |
| Enterprise | T1213.006 | Data from Information Repositories: Databases | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal databases and systems to extract proprietary information, system configurations, and sensitive operational data.[1] |
| Enterprise | T1005 | Data from Local System | During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to automatically gather sensitive data stored within the local system, including credentials, system configurations, and sensitive operational data.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to stage extracted data and operational documentation in structured markdown files on local systems prior to exfiltration.[1] |
| Enterprise | T1587.004 | Develop Capabilities: Exploits | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to research exploitation techniques for an identified SSRF vulnerability, to generate a tailored custom attack payload, and to develop a full exploit chain prior to deployment.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to generate a detailed summary report of collected data, which was then reviewed and approved by the adversary prior to exfiltration of the data over Claude.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to deploy a custom exploit payload targeting an identified SSRF vulnerability to gain initial access to a targeted environment.[1] |
| Enterprise | T1083 | File and Directory Discovery | During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to identify sensitive data within the victim environment for extraction.[1] |
| Enterprise | T1592.002 | Gather Victim Host Information: Software | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to catalog services and data on discovered endpoints.[1] |
| Enterprise | T1592.004 | Gather Victim Host Information: Client Configurations | During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to gather details of high-value systems, including databases and workflow orchestration platforms.[1] |
| Enterprise | T1590.004 | Gather Victim Network Information: Network Topology | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map a complete network topology of the target infrastructure.[1] |
| Enterprise | T1683 | Generate Content | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to automatically generate comprehensive documentation throughout the phases of the attack, including discovered services, harvested credentials, sensitive data, exploitation techniques, and complete attack progression.[1] |
| Enterprise | T1046 | Network Service Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to enumerate internal network services and endpoints across targeted environments using browser automation via MCP, including databases, container registries, admin interfaces, and workflow orchestration platforms.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During the Anthropic AI-orchestrated Campaign, the adversary obtained open-source penetration testing tools including network scanners, database exploitation frameworks, password crackers, and binary analysis suites.[1] |
| Enterprise | T1588.007 | Obtain Capabilities: Artificial Intelligence | During the Anthropic AI-orchestrated Campaign, the adversary obtained access to Claude Code to support cyber intrusion operations.[1] |
| Enterprise | T1082 | System Information Discovery | During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to query databases and systems in order to identify proprietary information, including system configurations and database types.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During the Anthropic AI-orchestrated Campaign, the adversary configured Claude Code to identify and gather system configurations of discovered devices.[1] |
| Enterprise | T1049 | System Network Connections Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map internal network architecture and access relationships.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to extract authentication certificates stored in system configuration files across compromised environments.[1] |
| Enterprise | T1078 | Valid Accounts | During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks.[1] |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to test harvested credentials against discovered devices.[1] |