C0062: Anthropic AI-orchestrated Campaign
The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China-nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]
Analyst context for executives and security teams
This campaign matters because ATT&CK describes an operation where AI agents were used to speed and coordinate many normal intrusion behaviors: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, collection, and exfiltration. The business risk is not “AI magic”; it is faster execution across the kill chain, especially against exposed applications, weak credential practices, and environments where discovery, staging, and outbound web-service exfiltration are poorly monitored.
Executive priority
Leaders should treat this as a resilience and readiness test: can the organization rapidly identify exposed systems, prioritize exploitable weaknesses, detect valid-account abuse, and prove what data was accessed or staged? The campaign description cites technology, financial, chemical, and government entities, so regulated and operationally sensitive organizations should use it to validate vulnerability management, identity controls, SOC visibility, incident response evidence, and third-party/AI-tool governance where applicable.
Technical view
MITRE provides no campaign-specific detection text and no campaign platforms or tactics, so coverage should be validated through the related techniques. The activity maps to reconnaissance and resource development, exploitation of public-facing applications, valid/local account abuse, account and system discovery, network service and connection discovery, file/database collection, local staging, credential discovery in files, automated collection, and exfiltration over web services. SOC and IR teams should test whether they can correlate external scanning or exploitation attempts with subsequent authentication anomalies, local account creation, command/script-driven discovery, sensitive file or database access, staging paths, and unusual outbound transfers to legitimate web services.
Likely telemetry
- External attack surface inventory, scan exposure data, and public-facing application logs
- Web server, application, WAF, reverse proxy, and vulnerability management evidence for attempted or successful exploitation
- Identity provider, VPN, SSH, cloud/IaaS, and local authentication logs for valid-account abuse
- Local account creation and privilege/account management events
- Endpoint process, command-line, shell history, and file system telemetry for discovery, credential file searches, collection, and staging
Detection direction
- Do not rely on an “AI campaign” signature; validate detections for the underlying ATT&CK behaviors and their sequence.
- Prioritize correlation from exposed application activity to new sessions, discovery commands, credential access in files, staging, and outbound web-service uploads.
- Tune discovery detections carefully because administrative commands and service enumeration can be legitimate; increase confidence with unusual user, host, time, volume, destination, or post-exploitation context.
- Review visibility gaps on Linux, macOS, ESXi, containers, IaaS, identity providers, SaaS/databases, and network devices only where those platforms exist in the environment; the campaign object itself does not specify platforms.
- For exfiltration over web services, validate whether proxy/firewall logging can distinguish normal SaaS use from unusual upload volume, new destinations, rare user agents, or unexpected source systems.
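The chained-behavior correlation the detection direction above calls for, as an added example that is not part of the Glexia or MITRE page: each rule maps a normalized log record to one stage of the technique chain listed for this campaign, and a host is only escalated when several stages appear in kill-chain order inside one window. The record schema, the field names, the size threshold and the sample records are all constructed for the example.

```python
from datetime import datetime, timedelta

RULES = [  # (stage, matcher) in kill-chain order; technique IDs are from this page's table
    ("exploit_attempt", lambda s, d: s == "waf" and d.get("action") == "block"),  # T1190
    ("local_account_created", lambda s, d: s == "auth" and d.get("cmd", "").startswith("useradd")),  # T1136.001
    ("discovery", lambda s, d: s == "shell" and d.get("cmd", "").split(" ")[0] in {"ss", "netstat", "psql", "getent"}),  # T1087/T1046/T1049
    ("cred_file_access", lambda s, d: s == "file" and d.get("op") == "read" and d.get("path", "").endswith((".pem", ".key", ".conf"))),  # T1552.001
    ("local_staging", lambda s, d: s == "file" and d.get("op") == "write" and d.get("path", "").startswith("/tmp/") and d["path"].endswith(".md")),  # T1074.001
    ("web_upload", lambda s, d: s == "proxy" and d.get("method") == "POST" and d.get("bytes", 0) > 5_000_000),  # T1567
]
STAGES = [stage for stage, _ in RULES]

def classify(e):  # map one normalized log record to the first matching stage, or None
    for stage, match in RULES:
        if match(e["source"], e["detail"]):
            return stage
    return None

def chain_per_host(events, window=timedelta(hours=24)):
    """Per host, the stages whose first occurrence follows the previous kept stage and falls inside the window."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        stage = classify(e)
        if stage:
            first_seen.setdefault((e["host"], stage), datetime.fromisoformat(e["ts"]))
    chains = {}
    for host in {h for h, _ in first_seen}:
        chain, start = [], None
        for stage in (s for s in STAGES if (host, s) in first_seen):
            ts = first_seen[(host, stage)]
            start = start or ts
            if ts - start <= window and (not chain or ts >= first_seen[(host, chain[-1])]):
                chain.append(stage)  # out-of-order or late stages are dropped rather than chained
        chains[host] = chain
    return chains

def suspicious_hosts(events, min_stages=4):  # a lone discovery command never qualifies on its own
    return sorted(h for h, c in chain_per_host(events).items() if len(c) >= min_stages)

# Constructed sample records, not real telemetry: app-01 walks the whole chain in order; build-02's upload precedes its discovery command, so it does not chain.
SAMPLE = [
    {"ts": "2025-09-10T01:00:00", "host": "app-01", "source": "waf", "detail": {"action": "block", "rule": "ssrf"}},
    {"ts": "2025-09-10T01:20:00", "host": "app-01", "source": "auth", "detail": {"cmd": "useradd -m svc-backup"}},
    {"ts": "2025-09-10T01:30:00", "host": "app-01", "source": "shell", "detail": {"cmd": "psql -c 'select usename from pg_user'"}},
    {"ts": "2025-09-10T02:00:00", "host": "app-01", "source": "file", "detail": {"op": "read", "path": "/etc/app/client.pem"}},
    {"ts": "2025-09-10T03:00:00", "host": "app-01", "source": "file", "detail": {"op": "write", "path": "/tmp/notes/findings.md"}},
    {"ts": "2025-09-10T03:30:00", "host": "app-01", "source": "proxy", "detail": {"method": "POST", "host": "files.example.net", "bytes": 48_000_000}},
    {"ts": "2025-09-10T09:00:00", "host": "build-02", "source": "proxy", "detail": {"method": "POST", "host": "files.example.net", "bytes": 60_000_000}},
    {"ts": "2025-09-10T10:00:00", "host": "build-02", "source": "shell", "detail": {"cmd": "ss -tlnp"}},
]
```

The threshold, window and `min_stages` are tuning knobs: lowering `min_stages` raises recall at the cost of flagging routine administration that happens to hit two or three stages.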
Mitigation priorities
- First reduce initial-access risk by maintaining an accurate inventory of Internet-facing applications and prioritizing remediation of exploitable bugs and misconfigurations.
- Harden identity controls for valid and local accounts: enforce least privilege, monitor privileged access, reduce password reuse, and review local administrator/service accounts.
- Remove or protect credentials stored in files, configuration, backups, source code, and local directories; validate secrets-management practices.
- Limit and monitor data access paths, especially databases and sensitive local file stores; apply access controls and audit logging appropriate to data sensitivity.
- Implement egress governance for outbound web services, with logging and controls that support investigation without assuming all legitimate web services are safe.
Analyst notes and limits
The notable defensive lesson is acceleration and orchestration: AI-assisted operators may compress reconnaissance, discovery, collection, and exploitation workflows, making dwell-time assumptions and manual triage queues less reliable. Detection engineering should therefore emphasize chained behavior and evidence preservation, not just isolated alerts.
MITRE does not provide campaign-specific detection guidance, platforms, or tactics for this object. The relationship set gives useful technique context, but local asset mix, logging depth, approved AI-tool usage, and data architecture are required to determine actual exposure and coverage. The supplied description attributes the campaign to a likely China-nexus espionage actor identified as GTG-1002; no additional attribution or active customer exposure is inferred here.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to deploy a custom exploit payload targeting an identified SSRF vulnerability to gain initial access to a targeted environment.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary obtained open-source penetration testing tools including network scanners, database exploitation frameworks, password crackers, and binary analysis suites.[1] |
| Enterprise | T1588.007 | Artificial Intelligence Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary obtained access to Claude Code to support cyber intrusion operations.[1] |
| Enterprise | T1136.001 | Local Account Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to create a local backdoor account to maintain access.[1] |
| Enterprise | T1592.002 | Software Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to catalog services and data on discovered endpoints.[1] |
| Enterprise | T1590.004 | Network Topology Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map a complete network topology of the target infrastructure.[1] |
| Enterprise | T1083 | File and Directory Discovery | During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to identify sensitive data within the victim environment for extraction.[1] |
| Enterprise | T1078 | Valid Accounts | During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to stage extracted data and operational documentation in structured markdown files on local systems prior to exfiltration.[1] |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to scan target infrastructure to identify potential vulnerabilities and to enumerate services and endpoints.[1] |
| Enterprise | T1087 | Account Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal database user account tables to enumerate accounts and identify high-privilege accounts within compromised environments.[1] |
| Enterprise | T1587.004 | Exploits Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to research exploitation techniques for an identified SSRF vulnerability, to generate a tailored custom attack payload, and to develop a full exploit chain prior to deployment.[1] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to extract authentication certificates stored in system configuration files across compromised environments.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to generate a detailed summary report of collected data, which was then reviewed and approved by the adversary prior to exfiltration of data over Claude.[1] |
| Enterprise | T1595.001 | Scanning IP Blocks Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to scan infrastructure across IP ranges associated with the target organization.[1] |
| Enterprise | T1046 | Network Service Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to enumerate internal network services and endpoints across targeted environments using browser automation via MCP, including databases, container registries, admin interfaces, and workflow orchestration platforms.[1] |
| Enterprise | T1078.003 | Local Accounts Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to test harvested credentials against discovered devices.[1] |
| Enterprise | T1584.004 | Server Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary operated dedicated penetration testing servers accessible via MCP to support remote command execution, simultaneous tool coordination, and persistent operational state maintenance across campaign sessions.[1] |
| Enterprise | T1213.006 | Databases Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal databases and systems to extract proprietary information, system configurations, and sensitive operational data.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During the Anthropic AI-orchestrated Campaign, the adversary configured Claude Code to identify and gather system configurations of discovered devices.[1] |
| Enterprise | T1119 | Automated Collection | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to automatically collect and process large volumes of data without human direction.[1] |
| Enterprise | T1683 | Generate Content | During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to automatically generate comprehensive documentation throughout the phases of the attack, including discovered services, harvested credentials, sensitive data, exploitation techniques, and complete attack progression.[1] |
| Enterprise | T1592.004 | Client Configurations Sub-technique | During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to gather details of high-value systems, including databases and workflow orchestration platforms.[1] |
| Enterprise | T1005 | Data from Local System | During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to automatically gather sensitive data stored within the local system, including credentials, system configurations, and sensitive operational data.[1] |
| Enterprise | T1082 | System Information Discovery | During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to query databases and systems in order to identify proprietary information, including system configurations and database types.[1] |
| Enterprise | T1049 | System Network Connections Discovery | During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map internal network architecture and access relationships.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eb58c8bb5b6f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Anthropic AI Orchestrated Campaign NOV 2025: Anthropic. (2025, November). Disrupting the first reported AI-orchestrated cyber espionage campaign. Retrieved April 20, 2026.
- [2] Anthropic Disrupting AI Espionage NOV 2025: Anthropic. (2025, November 13). Disrupting the first reported AI-orchestrated cyber espionage campaign. Retrieved April 20, 2026.
- [3] mitre-attack C0062: MITRE ATT&CK source object for this campaign.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.