Machine-Speed Intrusions: How One Hacker Used DeepSeek and Claude to Scale a Global Campaign

A report by threat researcher @goyaramen reveals a sophisticated software pipeline that embeds Large Language Models (LLMs) directly into a malicious intrusion workflow, allowing a likely lone operator to manage multiple, simultaneous attacks across five countries.

The discovery came in early February 2026, when a misconfigured server was found exposed to the internet, containing over a thousand files that acted as a digital blueprint for an active global campaign.

The exposed server did not just hold stolen data; it revealed an automated pipeline that used LLMs to perform the heavy lifting of a cyberattack. “The malicious operation automates backdoor creation on compromised Fortinet appliances, then connects to victim networks, maps internal infrastructure, and feeds results to language models for analysis,” the report details.

What sets this campaign apart is not the choice of exploits, but the speed of execution. The researcher emphasizes that “What sets this activity apart is the integration of LLMs: a (likely) single operator managing simultaneous intrusions across multiple countries with analytical support at every stage”.

The operator employed a “dual-model approach,” utilizing the specific strengths of different AI agents to move through the attack lifecycle:

• Strategic Planning: DeepSeek was used to ingest raw reconnaissance data and generate comprehensive attack plans.
• Technical Assessment: Claude’s coding agent was tasked with producing vulnerability assessments during live intrusions.

“The dual-model approach observed, using whichever model is most permissive or capable for a given task, is likely to become a recurring pattern,” the report warns. By leveraging these models, “a low-to-average skilled actor” was able to remove the traditional limitations on the number of targets one person can effectively manage at once.

The researcher found that the progression from a previous toolset, “HexStrike,” to a more advanced version called “ARXON,” took only about eight weeks.

While the LLMs were not used for writing new zero-day exploits, they were critical for “triaging compromised targets, and generating attack plans fast enough to keep multiple intrusions moving concurrently”. This automation allowed the actor to scale from an earlier exposure in December 2025 to a massive operation involving stolen firewall configurations and Active Directory maps by February.

“Matching the speed at which this workflow moved will be important in defending networks as AI continues to be baked into offensive operations,” @goyaramen concludes. Defenders are urged to prioritize the patching of edge devices, such as Fortinet appliances, and to maintain strict audits for unauthorized VPN accounts and unexpected SSH access. As AI-driven attacks become a standard “recurring pattern,” the pace of defense must evolve to match the speed of the machine.