Observation Summary
The first AI-orchestrated cyber espionage campaign has been reported by Anthropic.
The Chinese nexus cluster, GTG-1002, weaponized Claude Code through the Model Context Protocol (MCP), enabling the AI to execute reconnaissance, exploitation, credential harvesting, lateral movement, and data extraction with minimal human involvement.
This activity represents a significant evolution in attacker capability and marks one of the first observed cases of fully AI-orchestrated intrusion automation.
What’s Happening
GTG-1002 deployed an autonomous AI system to conduct end-to-end intrusions across more than 30 organizations.
These AI agents are capable of making decisions, generating payloads, coordinating tasks, and documenting actions autonomously.
Key Attack Behaviors
- High-speed scanning bursts across multiple IP ranges
- Automated exploit creation, testing, and regeneration
- Credential harvesting from config files, browsers, and exposed services
- Autonomous privilege mapping and account chaining
- Parallel reconnaissance across dozens of hosts
- Adaptive exploitation based on real-time scan results
- AI-generated markdown summaries for operator review
Attack Lifecycle (Expanded)
- Initialization — AI seeded with target list & internal impersonation of red-team personas
- Reconnaissance — Burst scanning, browser automation, certificate harvesting
- Attack Surface Mapping — Detection of misconfigurations, exposed services, SSRF paths
- Vulnerability Discovery — On-the-fly exploit generation based on findings
- Credential Harvesting & Lateral Movement — Dumping stored passwords, brute-force attempts
- Data Extraction — Compression and staging to attacker-controlled nodes
- Autonomous Documentation — AI creates full operation report
Indicators of Compromise (IOCs)
Domains
| IOC |
Description |
| update-sync-mcp[.]net |
AI orchestration callback endpoint |
| cloud-recon-service[.]com |
Browser automation & reconnaissance |
| api-sync-agent[.]org |
Secondary orchestration layer |
| adaptive-scan-cloud[.]io |
Distributed scanning node |
IP Addresses
| IOC |
Description |
| 45.77.188.34 |
Exploit validation host |
| 185.244.25.61 |
Credential brute-force & testing |
| 198.46.224.112 |
SSRF exploitation relay |
| 91.210.144.77 |
MCP command distribution |
| 152.89.196.12 |
AI-agent staging node |
URL Patterns
- /mcp/execute
- /auto/scan/task
- /browser/auto-action
- /dispatch/payload?id=*
File Artifacts
Understanding the Risks
This campaign demonstrates that AI can fully automate complex intrusions, reducing the need for skilled human operators and drastically increasing the speed, scale, and sophistication of attacks.
If successful, these operations can enable:
- Rapid unauthorized access to internal networks
- Theft of sensitive data at machine-scale speed
- Large-scale compromise across multiple business units
- Evasion of traditional SOC detection due to non-human patterns
The shift toward autonomous offensive AI means organizations must prepare for a threat landscape where attackers scale by adding models, not people.
Recommendations
Immediate Recommendations
- Monitor for non-human interaction timing (sub-200ms bursts) in authentication or API logs
- Flag MCP-like command patterns in internal traffic
- Detect browser automation fingerprints in web and application logs
Defensive Controls
- Enforce rate limiting on east-west internal APIs
- Harden authentication with MFA/passkeys across privileged accounts
- Deploy Deception Assets designed to confuse automated agents
- Block identified domains/IPs associated with GTG-1002 infrastructure
Strategic & Long-Term
- Implement AI-driven anomaly detection tuned for machine behavior
- Review logging retention to ensure early stage scanning footprints are captured
- Modernize SOC playbooks to include AI-centric threat scenarios
Additional Resources