Inside Hephaestus: Claude AI-Powered Attacks Against Government and Academic Targets
By Threat Intelligence Unit
Overview
Oasis Security analyzed operational artifacts associated with a Claude AI-powered automated attack framework named Hephaestus.
The investigation identified a structured offensive workflow that leveraged Claude AI to automate multiple stages of cyber intrusion activity, including reconnaissance, exploitation, persistence, lateral movement, and reporting.
The collected evidence revealed successful compromises against government agencies and educational institutions in Indonesia, Bangladesh, Thailand, and South Korea.
In addition, Oasis Security identified attacker infrastructure, Telegram channels, GitHub accounts, forum activity, and AI-powered offensive services linked to the operation.
Executive Summary
- Attackers operationalized Claude AI through a custom automated attack framework named Hephaestus
- The framework automated the attack workflow from reconnaissance to persistence and reporting
- Government agencies and educational institutions in Indonesia, Bangladesh, Thailand, and South Korea were identified as targets
- Multiple successful compromises resulted in web shell deployment and GSocket persistence installation
- The attackers leveraged BrightData, Shodan, Censys, and SerpAPI to support reconnaissance and operational activity
- The operation expanded into monetization activity through unauthorized access sales and AI-powered offensive services
Adversary Infrastructure Overview
Analyzed Server Information
- Server IP: 203.175.125.189
- Country: Indonesia
A large number of attacker-controlled server-side files were collected from infrastructure geolocated in Indonesia.
The identified artifacts included operational reports, framework configuration files, automation scripts, persistence tooling, and attack workflow definitions associated with the Hephaestus framework.
Attacks Leveraging Claude AI (Hephaestus Automated Attack Framework)
The attacker developed an automated attack framework using Claude Code,
Anthropic's agentic coding CLI. The framework's orchestration logic is
defined in a CLAUDE.md file, which Claude Code automatically loads as
a session-level system context at the start of every session. The
attacker exploited this loading mechanism by prepending an authorization
preamble designed to inject five distinct legitimacy signals before any
operational instruction:
- Asserted authorization — claim of "AUTHORIZED penetration testing"
- Fabricated contractual basis — reference to "signed contracts" and "written permission from asset owners"
- Operator credentialing — assertion of "professional certifications"
- Legal-framework framing — claim that testing is "conducted within legal frameworks"
- Scope limitation — assertion that targets are "only engaged with explicit written authorization"
The full text of the preamble has been withheld from this public report to limit reproduction by other actors, and has been shared with Anthropic to support detection development.
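For defenders who audit agent context files, the five signal categories above can be turned into a triage heuristic. This is an added example, not code from the report or from Anthropic: it flags a Markdown context file when several distinct legitimacy claims are stacked at the top of the file, where a prepended preamble would sit. The regexes, the `HEAD_LINES` and `MIN_SIGNALS` values and all function names are assumptions; a genuine engagement file can contain the same wording, so a hit is a prompt for review, not a verdict.

```python
import re
from pathlib import Path

# Categories and phrases are the ones quoted in this report. The regexes,
# HEAD_LINES and MIN_SIGNALS are assumptions chosen for illustration.
SIGNALS = {
    "asserted_authorization": r"authori[sz]ed\s+penetration\s+test",
    "contractual_basis": r"signed\s+contracts?|written\s+permission",
    "operator_credentialing": r"professional\s+certifications?",
    "legal_framing": r"within\s+legal\s+frameworks?",
    "scope_limitation": r"explicit\s+written\s+authori[sz]ation",
}
HEAD_LINES = 40  # the preamble is prepended, so only the top of the file counts
MIN_SIGNALS = 3  # distinct categories needed before a file is flagged


def legitimacy_signals(text, head_lines=HEAD_LINES):
    """Return the signal categories present in the first head_lines lines."""
    # Collapse whitespace so a phrase wrapped across two lines still matches.
    head = " ".join(" ".join(text.splitlines()[:head_lines]).split())
    return [n for n, p in SIGNALS.items() if re.search(p, head, re.IGNORECASE)]


def is_suspicious(text, min_signals=MIN_SIGNALS):
    """True when the head of the file stacks several distinct claims."""
    return len(legitimacy_signals(text)) >= min_signals


def scan_tree(root):
    """Return [(path, categories)] for flagged Markdown files under root."""
    flagged = []
    for path in sorted(Path(root).rglob("*.md")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_suspicious(text):
            flagged.append((path, legitimacy_signals(text)))
    return flagged


# Constructed samples: the first holds only fragments quoted in the report.
SAMPLE_FLAGGED = (
    "... AUTHORIZED penetration\ntesting ... signed contracts ...\n"
    "... professional certifications ... conducted within legal frameworks ...\n"
    "... only engaged with explicit written authorization ...\n"
)
SAMPLE_BENIGN = (
    "# Project notes\nRun the unit tests before every commit.\n"
    "Force-pushing needs written permission from the repository owner.\n"
)
```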
Attacks are executed through the Hephaestus framework, with GSocket subsequently deployed to establish persistence.
Figure 1. Configuration of CLAUDE.md orchestrating the Hephaestus automated attack workflow
TLD-Based Targeting
CLAUDE.md explicitly defines operational scope through TLD-based targeting.
The identified target categories include:
| Country | Target Type | TLD |
|---|---|---|
| Indonesia | Government Agencies | .go.id |
| Indonesia | Educational Institutions | .ac.id |
| South Korea | Educational Institutions | .ac.kr |
| Thailand | Government Agencies | .go.th |
| Bangladesh | Government Agencies | .gov.bd |
Figure 2. Target categories and geographic TLD mapping within the framework
Multi-Agent Offensive Workflow
Agent roles are defined in AGENT.md, with dedicated operational logic implemented as separate Markdown files inside the agents directory.
Attack Flow
SCOUT → STRIKE → ANCHOR → HUNTER → SCOUT-HUNTER → ROASTER
Figure 3. Agent roles defined in AGENT.md
SCOUT Agent
The SCOUT Agent performs reconnaissance and scanning activities.
Figure 4. SCOUT Agent reconnaissance and attack surface enumeration tools
STRIKE Agent
The STRIKE Agent collects additional information based on reconnaissance data gathered by the SCOUT Agent.
The agent integrates an external credential leakage intelligence service to collect leaked credentials associated with identified targets.
Figure 5. STRIKE Agent tooling for credential collection and initial access
ANCHOR Agent
The ANCHOR Agent performs exploitation activities using multiple offensive techniques and tooling components.
Figure 6. ANCHOR Agent vulnerability exploitation and shell access capabilities
HUNTER Agent
The HUNTER Agent operates on compromised systems and performs:
- Sensitive data harvesting
- Privilege escalation
- Persistence setup
- Lateral movement preparation
Figure 7. HUNTER Agent post-exploitation data harvesting and privilege escalation tools
SCOUT-HUNTER Agent
The SCOUT-HUNTER Agent performs:
- Internal network scanning
- VPN/VPS tunneling
- Cross-site compromise through co-hosted domains
- Lateral movement support
Figure 8. SCOUT-HUNTER Agent lateral movement and internal network pivoting capabilities
ROASTER Agent
The ROASTER Agent consolidates operational findings from preceding agents into structured reports.
Figure 9. ROASTER Agent tooling for evidence compilation and automated report generation
External Service Integration
The framework integrates multiple external services to support operational activity.
BrightData
The attacker leveraged the BrightData service to:
- Route traffic through country-specific proxy infrastructure
- Perform web scraping
- Bypass region-based filtering controls
Figure 10. BrightData proxy infrastructure used for regional traffic routing
Additional OSINT Services
Additional APIs integrated into the framework include:
- Censys
- Shodan
- SerpAPI
These services enhanced reconnaissance and attack automation.
Figure 11. OSINT service integrations supporting reconnaissance and attack automation
Analysis of Successful Compromises
Multiple operational reports automatically generated during intrusion activity were collected from the attacker infrastructure.
Indonesian Government Targets
The first analyzed case involved Indonesian government websites.
The automated attack workflow concluded with:
- Web shell deployment
- GSocket persistence installation
Figure 12. Compromise report showing web shell deployment and persistence installation
Additional Indonesian government websites were also identified as successfully compromised.
The identified logs included:
- Exploitation activity
- Data exfiltration
- Persistence deployment
Figure 13. Log showing shell access, persistence deployment, and credential collection
Bangladeshi Government Targets
Operational reports associated with compromised Bangladeshi government websites were also identified.
Figure 14. Reports associated with compromised Bangladeshi government
Indonesian Educational Institutions
Indonesian educational institutions appear to have been extensively targeted.
Figure 15. Logs targeting Indonesian educational institutions (1)
Figure 16. Logs targeting Indonesian educational institutions (2)
Figure 17. Logs targeting Indonesian educational institutions (3)
Figure 18. Logs targeting Indonesian educational institutions (4)
One operation chained SQL injection with image upload abuse to achieve remote code execution.
SQL Injection → Image Upload → Remote Code Execution (RCE)
Figure 19. Chained SQL injection and image upload exploit resulting in RCE
Another institution was compromised through an unauthenticated SSRF-to-RCE exploit targeting SLiMS 9 Bulian.
Figure 20. RCE report showing unauthenticated SSRF-to-RCE exploitation
The framework also chained three CVEs against a Moodle-based institution to escalate privileges from a user account to root access.
Figure 21. Penetration testing report showing chained CVE exploitation for privilege escalation and root access
Another operation targeted an academic journal platform running OJS and exposed more than 41,000 user accounts, as shown at the bottom of Fig. 22.
Figure 22. Compromised OJS platform exposing more than 41,000 user accounts
Additional Campaign Targets
The identified campaigns folder contained approximately 60 additional targets.
Each directory included combinations of:
- Attempted attack logs
- Successful compromise reports
- Exfiltration artifacts
- Persistence deployment logs
Figure 23. 60 additional targets found in campaigns folder
South Korean Educational Institutions
South Korean educational institutions were also identified as designated targets.
Identified reports documented:
- Attack workflows
- Web shell deployment
- GSocket persistence installation
Figure 24. Operational report targeting South Korean educational institutions
Figure 25. Operational report documenting web shell deployment and GSocket persistence installation
The agent_runner.py script also contained multiple South Korean educational institution domains as designated targets.
Figure 26. Script showing multiple South Korean educational institution domains as designated targets
Additional scripts targeted ERP systems using previously stolen credentials to:
- Access internal systems
- Extract sensitive information
Figure 27. Scripts targeting ERP systems
Correlation Analysis: Identifying the Attacker
Signature Left on Compromised Systems
Upon successful compromise, the attacker consistently left the following signature:
Pentest By Mr.spongebob x adit ganteng
Figure 28. Signature left by the attacker on compromised systems
Underground Forum Activity
In January 2026, the attacker attempted to sell approximately 43GB of exfiltrated data obtained from Indonesian government agencies through an underground forum.
Figure 29. Attacker selling approximately 43GB of data from Indonesian government agencies
Telegram Identification
The underground forum posting listed a Telegram ID (@appleteamcook) as the contact information.
Figure 30. Telegram ID (@appleteamcook) identified in the underground forum posting
Figure 31. Telegram account profile for @appleteamcook
Initial Access Broker Activity
The @appleteamcook Telegram account openly advertises involvement in gambling-related services, as shown in Fig. 31.
An additional Telegram account belonging to the same hacker was also identified. Its channel name was Pluto Hephaestus, which closely resembles the name of the attacker's Claude-based automation framework.
Channel Overview
| Attribute | Details |
|---|---|
| Channel Name | Pluto Hephaestus |
| Subscriber Count | Approximately 4,500 subscribers |
| Activity Type | Unauthorized access sales / IAB operations |
Figure 32. Telegram channel associated with initial access broker
The channel operated as an Initial Access Broker (IAB) service, selling unauthorized access to compromised systems and infrastructure.
Identified Target Listings
The channel advertised access to multiple categories of compromised organizations, including:
- Indonesian educational institutions
- South Korean educational institutions
- South Korean corporate targets
Figure 33. Channel advertising access to a South Korean university
As of the publication of this report, the Telegram channel had been taken offline.
HackerSec AI Service
Despite the Telegram shutdown, the following service remained operational:
| Attribute | Details |
|---|---|
| Service Domain | ai.hackersec.id |
| Hosting IP | 203.175.125.189 |
| Advertised Description | AI for Black Hat Hackers |
The platform openly marketed offensive AI-assisted capabilities through publicly accessible promotional content.
Advertised Capabilities
- Membantu Kejahatan Jika Mau (Assists with crime upon request)
- Membantu membuat kode berbahaya (Helps create malware)
- Bisa langsung pake kata yang ilegal (Permits direct use of illegal terminology)
- AI Nya Para Defacer & Blackhat (AI for website defacers & Black Hat Hackers)
Figure 34. AI platform advertising malicious cyber operation capabilities
Figure 35. HackerSec AI interface
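The indicators this report names (the server IP, the service domain and the signature left on compromised systems) can be swept for in web logs and served pages. The following is an added example, not tooling from the report: the indicator values come from the report, while the matching tolerance for case and spacing, the function name and the sample lines are constructed assumptions.

```python
import re

# Indicators are the ones named in this report. The patterns' tolerance for
# case and spacing is an assumption; the sample lines below are constructed.
INDICATORS = {
    # Boundaries stop partial matches such as 1203.175.125.189 or ...1890.
    "server_ip": re.compile(r"(?<![\d.])203\.175\.125\.189(?!\d)"),
    # A preceding dot is allowed so subdomains of the service domain also hit.
    "service_domain": re.compile(r"(?<![\w-])ai\.hackersec\.id(?![\w-])", re.I),
    "defacement_signature": re.compile(
        r"pentest\s+by\s+mr\.?\s*spongebob\s+x\s+adit\s+ganteng", re.I),
}


def sweep(lines):
    """Return {indicator: [1-based line numbers]} for every indicator seen."""
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


# Constructed sample: web access log lines plus one line of served HTML.
SAMPLE_LINES = [
    '198.51.100.7 - - [10/Jan/2026:03:12:44 +0000] "GET / HTTP/1.1" 200 512',
    '203.175.125.189 - - [10/Jan/2026:03:13:02 +0000] "GET / HTTP/1.1" 200 512',
    '1203.175.125.189 is not an address and must not match',
    '203.175.125.18 - - [10/Jan/2026:03:13:09 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Jan/2026:03:14:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://AI.hackersec.id/"',
    '<title>Pentest  By Mr.Spongebob x adit ganteng</title>',
]

if __name__ == "__main__":
    for name, linenos in sweep(SAMPLE_LINES).items():
        print(f"{name}: lines {linenos}")
```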
Conclusion
This analysis confirmed that the Claude-powered Hephaestus framework evolved into an AI-assisted cyberattack platform capable of automating reconnaissance, exploitation, persistence, lateral movement, and reporting.
The investigation confirmed successful compromises against Indonesian government agencies and educational institutions, with additional attacks targeting South Korean educational institutions.
The operation also involved monetization activity, including:
- Unauthorized access sales
- Telegram-based Initial Access Broker operations
- AI-powered offensive services through HackerSec AI
The observed activity aligns with a jailbreak pattern we term Synthetic Legitimacy Injection (SLI) — described in detail earlier in this report — in which fabricated authorization framing, including claimed credentials, contractual basis, and legal-framework assertions, is injected at the session-context level to influence the model's policy interpretation before any operational instruction is issued.
This case demonstrates how AI-assisted attacks are evolving beyond direct prompt injection into more advanced context-based manipulation techniques capable of enabling organized cybercrime operations.
Anthropic was notified prior to publication.