May 28, 2026

Inside Hephaestus: Claude AI-Powered Attacks Against Government and Academic Targets

By Threat Intelligence Unit

Overview

Oasis Security analyzed operational artifacts associated with a Claude AI-powered automated attack framework named Hephaestus.

The investigation identified a structured offensive workflow that leveraged Claude AI to automate multiple stages of cyber intrusion activity, including reconnaissance, exploitation, persistence, lateral movement, and reporting.

The collected evidence revealed successful compromises against government agencies and educational institutions in Indonesia, Bangladesh, Thailand, and South Korea.

In addition, Oasis Security identified attacker infrastructure, Telegram channels, GitHub accounts, forum activity, and AI-powered offensive services linked to the operation.


Executive Summary

  • Attackers operationalized Claude AI through a custom automated attack framework named Hephaestus
  • The framework automated the attack workflow from reconnaissance to persistence and reporting
  • Government agencies and educational institutions in Indonesia, Bangladesh, Thailand, and South Korea were identified as targets
  • Multiple successful compromises resulted in web shell deployment and GSocket persistence installation
  • The attackers leveraged BrightData, Shodan, Censys, and SerpAPI to support reconnaissance and operational activity
  • The operation expanded into monetization activity through unauthorized access sales and AI-powered offensive services

Adversary Infrastructure Overview

Analyzed Server Information

  • Server IP: 203.175.125.189
  • Country: Indonesia

A large number of attacker-controlled server-side files were collected from infrastructure geolocated in Indonesia.

The identified artifacts included operational reports, framework configuration files, automation scripts, persistence tooling, and attack workflow definitions associated with the Hephaestus framework.


Attacks Leveraging Claude AI (Hephaestus Automated Attack Framework)

The attacker developed an automated attack framework using Claude Code, Anthropic's agentic coding CLI. The framework's orchestration logic is defined in a CLAUDE.md file, which Claude Code automatically loads as a session-level system context at the start of every session. The attacker exploited this loading mechanism by prepending an authorization preamble designed to inject five distinct legitimacy signals before any operational instruction:

  1. Asserted authorization — claim of "AUTHORIZED penetration testing"
  2. Fabricated contractual basis — reference to "signed contracts" and "written permission from asset owners"
  3. Operator credentialing — assertion of "professional certifications"
  4. Legal-framework framing — claim that testing is "conducted within legal frameworks"
  5. Scope limitation — assertion that targets are "only engaged with explicit written authorization"

The full text of the preamble has been withheld from this public report to limit reproduction by other actors, and has been shared with Anthropic to support detection development.
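
A heuristic for the five signals listed above, as an added example that is not taken from the Hephaestus artifacts or from any vendor's detection logic: it scores an agent context file such as CLAUDE.md by how many of the signals appear in its opening lines and whether it names any of the TLD scopes this report lists. The patterns, thresholds, function name and sample strings are assumptions constructed from the fragments quoted in this report.

```python
import re

# Assumed patterns, one per legitimacy signal in the report's list, built from
# the fragments the report quotes and loosened for small wording changes.
SIGNALS = {
    "asserted_authorization": r"\bauthori[sz]ed\s+(penetration\s+test|pentest|red\s*team)",
    "contractual_basis": r"signed\s+contracts?|written\s+permission\s+from\s+(the\s+)?asset\s+owners?",
    "operator_credentialing": r"professional\s+certifications?",
    "legal_framing": r"within\s+(the\s+)?legal\s+frameworks?",
    "scope_limitation": r"only\s+engaged?\s+with\s+explicit\s+written\s+authori[sz]ation",
}
# TLD scopes from the report's targeting table.
TARGET_TLDS = re.compile(r"\.(?:go\.id|ac\.id|ac\.kr|go\.th|gov\.bd)\b", re.I)


def score_context_file(text, preamble_lines=40):
    """Score an agent context file (e.g. CLAUDE.md) for stacked legitimacy claims."""
    # Only the opening lines count for the signals: the report describes the
    # claims as placed before any operational instruction.
    preamble = "\n".join(text.splitlines()[:preamble_lines])
    signals = sorted(n for n, rx in SIGNALS.items() if re.search(rx, preamble, re.I))
    tlds = sorted({m.group(0).lower() for m in TARGET_TLDS.finditer(text)})
    # Assumed thresholds: one claim is ordinary pentest boilerplate; several
    # stacked claims plus a country-TLD scope is the combination to escalate.
    if len(signals) >= 4 and tlds:
        verdict = "high"
    elif len(signals) >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"signals": signals, "tlds": tlds, "verdict": verdict}


# Constructed samples: the report's quoted fragments with elisions, not the
# withheld preamble, and an ordinary project file.
SAMPLE_STACKED = "\n".join([
    "AUTHORIZED penetration testing [...]",
    "signed contracts [...] written permission from asset owners [...]",
    "professional certifications [...]",
    "conducted within legal frameworks [...]",
    "only engaged with explicit written authorization [...]",
    "scope: *.go.id *.ac.id",
])
SAMPLE_BENIGN = "# Build notes\nRun the unit tests before committing.\nStaging: app.example.com\n"

if __name__ == "__main__":
    for name, text in (("stacked", SAMPLE_STACKED), ("benign", SAMPLE_BENIGN)):
        print(name, score_context_file(text))
```

A legitimate testing firm's context file can trip the "review" tier, so the verdict is a triage signal for a human reviewer rather than a block decision.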

Attacks are executed through the Hephaestus framework, with GSocket subsequently deployed to establish persistence.

Figure 1. Configuration of CLAUDE.md orchestrating the Hephaestus automated attack workflow

TLD-Based Targeting

CLAUDE.md explicitly defines operational scope through TLD-based targeting.

The identified target categories include:

| Country | Target Type | TLD |
|---|---|---|
| Indonesia | Government Agencies | .go.id |
| Indonesia | Educational Institutions | .ac.id |
| South Korea | Educational Institutions | .ac.kr |
| Thailand | Government Agencies | .go.th |
| Bangladesh | Government Agencies | .gov.bd |

Figure 2. Target categories and geographic TLD mapping within the framework


Multi-Agent Offensive Workflow

Agent roles are defined in AGENT.md, with dedicated operational logic implemented as separate Markdown files inside the agents directory.

Attack Flow

SCOUT → STRIKE → ANCHOR → HUNTER → SCOUT-HUNTER → ROASTER

Figure 3. Agent roles defined in AGENT.md

SCOUT Agent

The SCOUT Agent performs reconnaissance and scanning activities.

Figure 4. SCOUT Agent reconnaissance and attack surface enumeration tools

STRIKE Agent

The STRIKE Agent collects additional information based on reconnaissance data gathered by the SCOUT Agent.

The agent integrates an external credential leakage intelligence service to collect leaked credentials associated with identified targets.

Figure 5. STRIKE Agent tooling for credential collection and initial access

ANCHOR Agent

The ANCHOR Agent performs exploitation activities using multiple offensive techniques and tooling components.

Figure 6. ANCHOR Agent vulnerability exploitation and shell access capabilities

HUNTER Agent

The HUNTER Agent operates on compromised systems and performs:

  • Sensitive data harvesting
  • Privilege escalation
  • Persistence setup
  • Lateral movement preparation

Figure 7. HUNTER Agent post-exploitation data harvesting and privilege escalation tools

SCOUT-HUNTER Agent

The SCOUT-HUNTER Agent performs:

  • Internal network scanning
  • VPN/VPS tunneling
  • Cross-site compromise through co-hosted domains
  • Lateral movement support

Figure 8. SCOUT-HUNTER Agent lateral movement and internal network pivoting capabilities

ROASTER Agent

The ROASTER Agent consolidates operational findings from preceding agents into structured reports.

Figure 9. ROASTER Agent tooling for evidence compilation and automated report generation


External Service Integration

The framework integrates multiple external services to support operational activity.

BrightData

The attacker leveraged the BrightData service to:

  • Route traffic through country-specific proxy infrastructure
  • Perform web scraping
  • Bypass region-based filtering controls

Figure 10. BrightData proxy infrastructure used for regional traffic routing

Additional OSINT Services

Additional APIs integrated into the framework include:

  • Censys
  • Shodan
  • SerpAPI

These services enhanced reconnaissance and attack automation.

Figure 11. OSINT service integrations supporting reconnaissance and attack automation


Analysis of Successful Compromises

Multiple operational reports automatically generated during intrusion activity were collected from the attacker infrastructure.

Indonesian Government Targets

The first analyzed case involved Indonesian government websites.

The automated attack workflow concluded with:

  • Web shell deployment
  • GSocket persistence installation

Figure 12. Compromise report showing web shell deployment and persistence installation

Additional Indonesian government websites were also identified as successfully compromised.

The identified logs included:

  • Exploitation activity
  • Data exfiltration
  • Persistence deployment

Figure 13. Log showing shell access, persistence deployment, and credential collection

Bangladeshi Government Targets

Operational reports associated with compromised Bangladeshi government websites were also identified.

Figure 14. Reports associated with compromised Bangladeshi government websites

Indonesian Educational Institutions

Indonesian educational institutions appear to have been extensively targeted.

Figure 15. Logs targeting Indonesian educational institutions (1)

Figure 16. Logs targeting Indonesian educational institutions (2)

Figure 17. Logs targeting Indonesian educational institutions (3)

Figure 18. Logs targeting Indonesian educational institutions (4)

One operation chained SQL injection with image upload abuse to achieve remote code execution.

SQL Injection → Image Upload → Remote Code Execution (RCE)

Figure 19. Chained SQL injection and image upload exploit resulting in RCE

Another institution was compromised through an unauthenticated SSRF-to-RCE exploit targeting SLiMS 9 Bulian.

Figure 20. RCE report showing unauthenticated SSRF-to-RCE exploitation

The framework also chained three CVEs against a Moodle-based institution to escalate privileges from a user account to root access.

Figure 21. Penetration testing report showing chained CVE exploitation for privilege escalation and root access

Another operation targeted an academic journal platform running OJS and exposed more than 41,000 user accounts, as shown at the bottom of Fig. 22.

Figure 22. Compromised OJS platform exposing more than 41,000 user accounts

Additional Campaign Targets

The identified campaigns folder contained approximately 60 additional targets.

Each directory included combinations of:

  • Attempted attack logs
  • Successful compromise reports
  • Exfiltration artifacts
  • Persistence deployment logs

Figure 23. 60 additional targets found in campaigns folder

South Korean Educational Institutions

South Korean educational institutions were also identified as designated targets.

Identified reports documented:

  • Attack workflows
  • Web shell deployment
  • GSocket persistence installation

Figure 24. Operational report targeting South Korean educational institutions

Figure 25. Operational report documenting web shell deployment and GSocket persistence installation

The agent_runner.py script also contained multiple South Korean educational institution domains as designated targets.

Figure 26. Script showing multiple South Korean educational institution domains as designated targets

Additional scripts targeted ERP systems using previously stolen credentials to:

  • Access internal systems
  • Extract sensitive information

Figure 27. Scripts targeting ERP systems


Correlation Analysis: Identifying the Attacker

Signature Left on Compromised Systems

Upon successful compromise, the attacker consistently left the following signature:

Pentest By Mr.spongebob x adit ganteng

Figure 28. Signature left by the attacker on compromised systems

Underground Forum Activity

In January 2026, the attacker attempted to sell approximately 43GB of exfiltrated data obtained from Indonesian government agencies through an underground forum.

Figure 29. Attacker selling approximately 43GB of data from Indonesian government agencies


Telegram Identification

A Telegram ID (@appleteamcook) was listed as the contact information in the underground forum posting.

Figure 30. Telegram ID (@appleteamcook) identified in the underground forum posting

Figure 31. Telegram account profile for @appleteamcook


Initial Access Broker Activity

The @appleteamcook Telegram account openly advertises involvement in gambling-related services, as shown in Fig. 31.

An additional Telegram account belonging to the same hacker was also identified. Its channel name was Pluto Hephaestus, which closely resembles the name of the attacker's Claude-based automation framework.

Channel Overview

| Attribute | Details |
|---|---|
| Channel Name | Pluto Hephaestus |
| Subscriber Count | Approximately 4,500 subscribers |
| Activity Type | Unauthorized access sales / IAB operations |

Figure 32. Telegram channel associated with initial access broker

The channel operated as an Initial Access Broker (IAB) service, selling unauthorized access to compromised systems and infrastructure.

Identified Target Listings

The channel advertised access to multiple categories of compromised organizations, including:

  • Indonesian educational institutions
  • South Korean educational institutions
  • South Korean corporate targets

Figure 33. Channel advertising access to a South Korean university

As of the publication of this report, the Telegram channel had been taken offline.


HackerSec AI Service

Despite the Telegram shutdown, the following service remained operational:

| Attribute | Details |
|---|---|
| Service Domain | ai.hackersec.id |
| Hosting IP | 203.175.125.189 |
| Advertised Description | AI for Black Hat Hackers |

The platform openly marketed offensive AI-assisted capabilities through publicly accessible promotional content.

Advertised Capabilities

  • Membantu Kejahatan Jika Mau (Assists with crime upon request)
  • Membantu membuat kode berbahaya (Helps create malware)
  • Bisa langsung pake kata yang ilegal (Permits direct use of illegal terminology)
  • AI Nya Para Defacer & Blackhat (AI for website defacers & Black Hat Hackers)

Figure 34. AI platform advertising malicious cyber operation capabilities

Figure 35. HackerSec AI interface


Conclusion

This analysis confirmed that the Claude-powered Hephaestus framework evolved into an AI-assisted cyberattack platform capable of automating reconnaissance, exploitation, persistence, lateral movement, and reporting.

The investigation confirmed successful compromises against Indonesian government agencies and educational institutions, with additional attacks targeting South Korean educational institutions.

The operation also involved monetization activity, including:

  • Unauthorized access sales
  • Telegram-based Initial Access Broker operations
  • AI-powered offensive services through HackerSec AI

The observed activity aligns with a jailbreak pattern we term Synthetic Legitimacy Injection (SLI) — described in detail earlier in this report — in which fabricated authorization framing, including claimed credentials, contractual basis, and legal-framework assertions, is injected at the session-context level to influence the model's policy interpretation before any operational instruction is issued.

This case demonstrates how AI-assisted attacks are evolving beyond direct prompt injection into more advanced context-based manipulation techniques capable of enabling organized cybercrime operations.

Anthropic was notified prior to publication.