In early February 2026, a misconfigured server exposed a software pipeline in which threat actors had wired the Large Language Models (LLMs) DeepSeek and Claude directly into their intrusion workflow. The find documents a worrying development in contemporary cybercrime: LLMs are no longer used only to draft text but are integrated into the kill chain to automate intricate offensive tasks against targets around the world.
The pipeline targeted FortiGate SSL VPN appliances. Using stolen configuration data and the credentials it contained, the operators gained access, mapped internal networks and located high-value assets.
Purpose-built tooling let the operation process thousands of targets at once, with no human involvement required at each stage of the intrusion. Evidence on the server shows more than 2,500 devices across 106 countries processed in batches. Cyber and Ramen analysts found a two-pronged division of labour: DeepSeek produced strategic attack plans from reconnaissance data, while Claude's coding ability was used to carry out vulnerability assessments.
This degree of automation let even inexperienced operators run a large number of intrusions effectively.

Automated Process for Exploitation

The operation rests on two distinct components, ARXON and CHECKER2. ARXON is a Model Context Protocol (MCP) server, and CHECKER2 is a Docker-based orchestrator that manages parallel VPN scanning. The MCP server is the bridge between the two worlds: through it the attackers feed the LLMs specific network data, and the models return actionable exploitation steps. The intrusion chain diagram shows how the system progresses from initial access to active exploitation.
Chain of intrusion (Source: Ramen and Cyber)

Once the system has gained access to a network, it uses Claude to run offensive tools such as Impacket and Metasploit on its own. The model documents its findings and recommends prioritized next steps, such as escalating privileges, as the redacted excerpt of the vulnerability assessment report found on the server shows.

A redacted excerpt from the server's vulnerability assessment report (Source: Cyber and Ramen)

The publicly exposed logs confirm that the automated system was actively targeting a variety of industries, including telecommunications.

Snippet of the contents of deploy_output.log showing thousands of targets worldwide (Source: Ramen and Cyber)

Because automated attacks of this kind move quickly and leave little time to react, organizations should treat patching of edge devices as an immediate priority. Security teams should watch for unexpected SSH sessions, routinely audit VPN user accounts for unauthorized additions, and compare network device configurations against established baselines to catch the subtle changes typical of this campaign.
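The baseline comparison and VPN account audit recommended above, as an added Python example that is not from the article or from Cyber and Ramen's research. It parses the config / edit / set / next / end block syntax used by FortiOS configuration exports and reports entries and settings that differ from a trusted baseline. The two configuration snippets, the user names and the group name sslvpn_users are constructed for illustration.

```python
"""Compare a FortiOS-style configuration export against a trusted baseline.

Added example, not code from the article or from Cyber and Ramen. The parser
handles the config / edit / set / next / end block syntax of FortiOS exports
(including nested config blocks); the diff reports entries and settings that
differ from the baseline. BASELINE and CURRENT are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: the appliance as it looked before the incident.
BASELINE = """\
config user local
    edit "alice"
        set type password
    next
end
config user group
    edit "sslvpn_users"
        set member "alice"
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.0.0.0
    next
end
"""

# Constructed current export: a local user "support_tmp" was added to the
# SSL VPN group and the admin trusted-host restriction was opened to any source.
CURRENT = """\
config user local
    edit "alice"
        set type password
    next
    edit "support_tmp"
        set type password
    next
end
config user group
    edit "sslvpn_users"
        set member "alice" "support_tmp"
    next
end
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# section path -> entry name ("" for settings directly under a config block)
# -> setting name -> list of values
Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def _locate(stack: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Map the open config/edit frames to a (section path, entry name) pair."""
    if stack and stack[-1][0] == "edit":
        return "/".join(name for _, name in stack[:-1]), stack[-1][1]
    return "/".join(name for _, name in stack), ""


def parse_fortios(text: str) -> Config:
    """Parse 'config X' / 'edit "name"' / 'set k v...' / next / end blocks."""
    cfg: Config = {}
    stack: List[Tuple[str, str]] = []  # (kind, name), outermost first
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(("config", line[len("config "):]))
        elif line.startswith("edit "):
            stack.append(("edit", line[len("edit "):].strip('"')))
            section, entry = _locate(stack)
            cfg.setdefault(section, {}).setdefault(entry, {})  # record even empty entries
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack:
            key, _, rest = line[len("set "):].partition(" ")
            # values may be quoted strings ("alice") or bare tokens (10.0.0.0)
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
            section, entry = _locate(stack)
            cfg.setdefault(section, {}).setdefault(entry, {})[key] = values
    return cfg


def diff_configs(baseline: Config, current: Config) -> List[str]:
    """Findings for added/removed entries and changed settings, in stable order."""
    findings: List[str] = []
    for section in sorted(set(baseline) | set(current)):
        base_entries = baseline.get(section, {})
        cur_entries = current.get(section, {})
        for name in sorted(set(base_entries) | set(cur_entries)):
            if name not in base_entries:
                findings.append(f"ADDED {section}: {name}")
            elif name not in cur_entries:
                findings.append(f"REMOVED {section}: {name}")
            else:
                b, c = base_entries[name], cur_entries[name]
                for key in sorted(set(b) | set(c)):
                    if b.get(key) != c.get(key):
                        findings.append(f"CHANGED {section}/{name}: {key} {b.get(key)} -> {c.get(key)}")
    return findings


def new_vpn_accounts(baseline: Config, current: Config, group: str = "sslvpn_users") -> List[str]:
    """Users that gained membership of the SSL VPN group since the baseline."""
    before = set(baseline.get("user group", {}).get(group, {}).get("member", []))
    after = set(current.get("user group", {}).get(group, {}).get("member", []))
    return sorted(after - before)


if __name__ == "__main__":
    base, cur = parse_fortios(BASELINE), parse_fortios(CURRENT)
    for finding in diff_configs(base, cur):
        print(finding)
    print("new SSL VPN accounts:", new_vpn_accounts(base, cur))
```

In practice you would replace the constructed strings with a saved full configuration export of the appliance and a known-good copy of it; the findings worth immediate triage are exactly the ones the sample produces, a local user who has quietly joined the SSL VPN group and an administrative trusted-host restriction that has been widened.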