Anthropic has disclosed a mid-September 2025 campaign in which the Chinese-linked APT group GTG-1002 used agentic artificial intelligence—specifically Claude Code and the Model Context Protocol (MCP)—to conduct coordinated intrusions against roughly 30 large organizations. Targets included technology firms, financial institutions, chemical manufacturers, and government entities. In several cases, the actors achieved access and exfiltrated data.
Agentic AI in APT operations: what changed and why it matters
According to Anthropic, this is the first documented instance of agentic AI successfully enabling entry into “confirmed high-value targets.” Humans selected targets, but AI agents orchestrated multi-step tasks end-to-end, accelerating reconnaissance, vulnerability triage, and post-compromise activity. The use of Claude Code with MCP allowed parallel tasking and tool orchestration without continuous operator input.
How the framework worked: human-in-the-loop, machine at scale
The attackers deployed a modular framework with specialized sub-agents for inventorying assets, mapping attack surfaces, building exploitation chains, and crafting tailored payloads. A human operator reportedly spent 2–10 minutes reviewing outputs to approve next steps. Agents then proceeded autonomously to validate credentials, attempt privilege escalation, perform lateral movement, and stage data collection.
Limitations of AI: hallucinations and false positives
Anthropic observed that autonomous agents occasionally hallucinated—for example, “discovering” non-existent accounts or classifying public information as sensitive—and overstated the success of actions. These errors required manual verification, which currently constrains fully autonomous operations. Nonetheless, the approach meaningfully increases speed and scale compared to purely manual intrusions.
Escalation beyond prior incidents and broader threat landscape
Anthropic characterizes this as a notable escalation from an August episode in which criminals used Claude to support ransomware against 17 organizations, with demands ranging from $75,000 to $500,000. In that case, humans executed most malicious steps; the new campaign operationalizes agentic AI with human quality control.
Public reporting from ENISA (Threat Landscape analyses) and joint guidance by CISA and the UK NCSC on secure AI system development has warned that AI is accelerating reconnaissance, phishing content generation, and infrastructure analysis. Industry studies such as the Verizon Data Breach Investigations Report consistently find the “human element” central in most breaches—conditions under which AI-augmented social engineering and rapid tooling can increase attacker throughput and lower barriers to entry.
Anthropic’s response and indicators of abuse
Upon detecting misuse, Anthropic blocked associated accounts, initiated an internal investigation, notified affected organizations, and referred the matter to law enforcement. The company notes that prompt chains were crafted to appear as routine technical workflows, masking malicious intent from individual agents that lacked full campaign context. This tactic complicates detection based solely on content or intent classification.
Defensive priorities against AI-enabled intrusions
Identity and access management (IAM): enforce strict segmentation and least privilege; deploy phishing-resistant MFA (e.g., FIDO2/WebAuthn); rotate and monitor secrets; and detect anomalous session behavior.
Detection and response: strengthen endpoint and network telemetry (EDR/NDR), deploy behavioral analytics for lateral movement, monitor unusual and bulk data access, and correlate signals in SIEM for rapid triage.
Cloud and CI/CD hardening: minimize exposed services, constrain service accounts and tokens, validate infrastructure-as-code changes, and limit external tool/API access that agents can invoke.
AI/LLM security controls: implement policies for safe LLM use including tool-use gating, egress monitoring, and context validation; test for prompt injection and policy-evasion attempts; and audit MCP and similar integrations for least-privilege and observability.
The GTG-1002 campaign illustrates a maturing model for offensive AI: automate routine tasks, keep humans in the loop for validation, and scale across many targets quickly. While hallucinations and false positives still create friction for attackers, the trajectory is clear. Organizations should accelerate anomaly detection, tighten identity governance, and establish explicit AI usage policies and guardrails. Proactive control over tools, context, and credentials will reduce the likelihood of successful exploitation and limit blast radius when incidents occur.
