Team Cymru has revealed that threat actors behind the recent AI-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute mass automated attacks, compromising over 600 devices across 55 countries.
Key Findings
The investigation traced back to IP address 212.11.64[.]250, used by a suspected Russian-speaking threat actor for automated mass scanning of vulnerable FortiGate appliances. Analysis revealed the attacker’s use of CyberStrikeAI, an offensive security tool with concerning ties to Chinese state-sponsored operations.
What is CyberStrikeAI?
CyberStrikeAI is described as an “open-source artificial intelligence (AI) offensive security tool (OST)” developed by Ed1s0nZ, a China-based developer with suspected ties to the Chinese government. According to its GitHub repository, the tool:
- Is built in the Go programming language
- Integrates over 100 security tools
- Enables vulnerability discovery, attack-chain analysis, knowledge retrieval, and result visualization
- Leverages AI for automated offensive operations
Infrastructure Analysis
Team Cymru observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026. Servers were primarily hosted in:
- China
- Singapore
- Hong Kong
- Additional servers were detected in the U.S., Japan, and Switzerland
Developer’s Suspicious Portfolio
The Ed1s0nZ GitHub account hosts several concerning tools demonstrating advanced offensive capabilities:
- banana_blackmail — Golang-based ransomware
- PrivHunterAI — Uses Kimi, DeepSeek, and GPT models to detect privilege escalation vulnerabilities
- ChatGPTJailbreak — Prompts designed to bypass OpenAI safety measures via “DAN mode”
- InfiltrateX — Scanner for detecting privilege escalation vulnerabilities
- VigilantEye — Monitors for sensitive data exposure with WeChat Work bot alerts
China Government Ties
The developer has documented interactions with Knownsec 404, a Chinese security vendor that suffered a major data breach exposing:
- Employee data
- Government clientele
- Hacking tools
- Stolen data including South Korean call logs
- Information on Taiwan’s critical infrastructure organizations
- Ongoing cyber operations against other countries
DomainTools described Knownsec as a “state-aligned cyber contractor” supporting Chinese national security, intelligence, and military objectives through tools like ZoomEye and Critical Infrastructure Target Library.
Covering Tracks
Ed1s0nZ has been observed actively removing references to having been honored with the Level 2 Contribution Award of CNNVD (China National Vulnerability Database of Information Security) — the vulnerability database overseen by China’s Ministry of State Security. The developer now claims that “everything shared here is purely for research and learning.”
Why This Matters
This case represents a concerning evolution in the proliferation of AI-augmented offensive security tools:
- Open-source accessibility — Tools like CyberStrikeAI lower the barrier for sophisticated attacks
- AI acceleration — Generative AI integration enables rapid vulnerability discovery and exploitation
- State-nexus development — Tools developed by individuals with apparent government ties are being released publicly
- Cross-pollination — Russian-speaking threat actors’ use of Chinese-developed tools demonstrates growing collaboration
Recommendations
Organizations running FortiGate appliances should:
- Apply all security patches immediately
- Audit for signs of compromise using known IOCs
- Monitor for suspicious scanning activity from the identified infrastructure
- Consider implementing network segmentation to limit lateral movement
- Review logging and detection capabilities for AI-powered attack patterns
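One way to act on the “audit using known IOCs” and “monitor for scanning from the identified infrastructure” items, as an added example that is not Team Cymru’s or the article’s code: it refangs the reported scanner address, parses FortiGate key=value log lines, and flags any flow whose source matches. The log lines are constructed samples, and the FortiGate field names (srcip, dstport, action) are assumed.

```python
import re

# Scanner address named in the Team Cymru report, quoted here in its defanged form.
REPORTED_SCANNER = "212.11.64[.]250"

# Constructed FortiGate-style traffic log lines (not real telemetry): two flows
# from the reported address and one from an unrelated host.
SAMPLE_LOGS = [
    'date=2026-02-10 time=03:14:07 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=212.11.64.250 srcport=51234 dstip=203.0.113.10 dstport=443 action="deny" service="HTTPS"',
    'date=2026-02-10 time=03:14:09 devname="FGT-EDGE" type="traffic" subtype="local" '
    'srcip=212.11.64.250 srcport=51240 dstip=203.0.113.10 dstport=10443 action="accept" service="tcp/10443"',
    'date=2026-02-10 time=03:15:00 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=198.51.100.7 srcport=40001 dstip=203.0.113.20 dstport=443 action="accept" service="HTTPS"',
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (212.11.64[.]250, hxxp://...) back into a matchable value."""
    return re.sub(r"[\[(]\.[\])]", ".", indicator).replace("hxxp", "http")


# FortiGate logs are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_ioc_hits(lines, indicators):
    """Return one record per log line whose srcip matches a (refanged) indicator."""
    watchlist = {refang(i) for i in indicators}
    hits = []
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("srcip") in watchlist:
            hits.append({
                "when": f'{rec.get("date")} {rec.get("time")}',
                "srcip": rec["srcip"],
                "dstport": rec.get("dstport"),
                "action": rec.get("action"),
                # An accepted flow from a known scanner needs a closer look than a denied one.
                "priority": "high" if rec.get("action") == "accept" else "low",
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS, [REPORTED_SCANNER]):
        print(hit)
```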
As security researcher Will Thomas noted: “The adoption of CyberStrikeAI is poised to accelerate, representing a concerning evolution in the proliferation of AI-augmented offensive security tools.”
Source: The Hacker News / Team Cymru
