
Redazione RHC: 14 November 2025 08:01
An analysis conducted in recent months had highlighted how the evolution of artificial intelligence systems was reaching a critical point for cybersecurity, with capabilities doubling in just six months.
At the same time, monitoring of real-world attacks showed increasing use of AI by malicious actors. Rapid progress was expected, but the speed and scale of its occurrence exceeded expectations.
In mid-September 2025, anomalous activity caught the attention of researchers and was later revealed to be an advanced espionage campaign. For the first time, the attackers had made widespread use of the “agentic” functions of AI models, delegating to them the autonomous execution of computing operations, not just support tasks.

Investigations have attributed this operation with a high degree of certainty to a group linked to Chinese state interests. The threat actor misused Claude Code, transforming it into a component of their own offensive framework, with which they attempted to breach approximately thirty targets worldwide. In some cases, access was successful. The targets included large technology companies, financial institutions, chemical companies, and government agencies. According to analysts, this is the first documented example of a large-scale cyberattack conducted almost entirely without human supervision.
Once the campaign was detected, immediate investigations were initiated. Over the next ten days, while the scope and operational methods of the attack were determined, compromised accounts were progressively blocked, potentially involved organizations were informed when appropriate, and authorities were contacted to collaborate on the investigation.
The episode highlights the risks associated with the spread of AI “agents”: systems capable of operating autonomously for extended periods, carrying out complex tasks, and chaining actions without constant human intervention. These tools are invaluable for day-to-day productivity, but if exploited by a hostile actor, they can amplify the frequency and impact of cyberattacks.
Predictions indicate that their offensive effectiveness will continue to grow. To counter this trend, detection systems have been strengthened and new classifiers developed to rapidly identify anomalies and potentially malicious actions. The goal is to be able to identify distributed and coordinated campaigns even when the use of AI obscures the presence of the human operator.
Pending broader progress, the case was made public to help strengthen defenses in the private sector, public administration, and the scientific community. Further reports will be published in the future, as part of transparency on emerging threats.
The campaign exploited three capabilities of AI models that were far less mature just a year earlier: a level of general intelligence capable of interpreting complex instructions; agentic functions with autonomous action loops; and direct access to software tools via standard protocols like the Model Context Protocol (MCP), which enable searches, data retrieval, and program execution.
In the initial phase, human operators selected the targets and set up a framework designed to operate with minimal supervision. This system used Claude Code as the engine of operations. To get it to cooperate, the attackers jailbroke it, bypassing security mechanisms. They also divided the operation into fragmented tasks and presented them as legitimate corporate security tests, thus preventing it from grasping the overall purpose.
In the next phase, Claude Code performed a reconnaissance of the targeted organizations’ systems, identifying sensitive archives and databases. The AI completed normally lengthy and complex tasks in significantly less time than a human team, then provided a summary of the information gathered.
The next step involved identifying vulnerabilities, producing exploit code, and accessing the first credentials. The system then collected and classified large amounts of data, identified privileged accounts, created backdoors, and exfiltrated data with minimal human intervention.
In the final phase, the AI generated operational documentation: lists of stolen credentials, maps of the analyzed systems, and other information useful for any subsequent operations.
According to estimates, AI handled between 80% and 90% of the entire campaign, with human intervention limited to a few decision-making moments. The pace of the attack proved impossible for human operators to match, thanks to the ability to execute thousands of requests per second. Despite this, the AI did not prove infallible: in some cases, it generated fake credentials or flagged already public data as confidential, obstacles that currently limit full automation.
The incident marks a significant shift. The skills required to conduct complex operations are decreasing, increasing the possibility that less experienced or resource-poor groups could replicate similar attacks. Compared to the “vibe hacking” cases described months earlier, the human role was much more marginal, despite a larger and more structured operation.
The same mechanisms that allow a model to be exploited in an attack also make it an important defense component. Advanced capabilities can support threat identification, incident response, and preparation for future variants of the same attacks. During the investigation, the Threat Intelligence team used Claude extensively to analyze the enormous amount of data generated.
Faced with this transition, security teams are encouraged to experiment with the controlled use of AI to automate parts of the workload in Security Operations Centers, improve detection, test vulnerabilities, and optimize response procedures. At the same time, developers are encouraged to invest in stronger protection mechanisms to prevent abuse by malicious actors. Since similar techniques are expected to be increasingly adopted, timely threat sharing and the adoption of more rigorous controls become key elements.