Open‑Source CyberStrikeAI Used in AI‑Powered FortiGate Attacks Spanning 55 Countries

The threat actor responsible for the newly reported AI‑enabled campaign targeting Fortinet FortiGate appliances is believed to have used an open‑source, AI‑native security testing platform called CyberStrikeAI to carry out the attacks.

These findings come from Team Cymru, which traced the platform’s use back to the IP address 212.11.64[.]250, linked to a suspected Russian‑speaking actor conducting large‑scale automated scans for vulnerable FortiGate devices.

According to security researcher Will Thomas (@BushidoToken), CyberStrikeAI is an “open-source offensive AI security tool” created by a China‑based developer who appears to have connections to the Chinese government.

The AI‑driven activity first surfaced last month when Amazon Threat Intelligence reported that an unidentified attacker was systematically exploiting FortiGate systems using generative AI services such as Anthropic Claude and DeepSeek, compromising more than 600 devices across 55 countries.

The tool’s GitHub description states that CyberStrikeAI is written in Go and integrates over 100 security tools for vulnerability detection, attack‑chain evaluation, knowledge retrieval, and visualization. It is maintained by a developer operating under the alias Ed1s0nZ.

Between January 20 and February 26, 2026, Team Cymru identified 21 distinct IP addresses running CyberStrikeAI, primarily hosted in China, Singapore, and Hong Kong, with additional infrastructure in the U.S., Japan, and Switzerland. Beyond CyberStrikeAI, the developer’s GitHub profile includes several other tools focused on exploitation and AI model manipulation, such as:

  • watermark-tool – embeds invisible digital watermarks into documents.
  • banana_blackmail – ransomware built in Go.
  • PrivHunterAI – uses Kimi, DeepSeek, and GPT models to identify privilege escalation risks.
  • ChatGPTJailbreak – includes prompts designed to bypass ChatGPT’s safety systems.
  • InfiltrateX – a Go-based scanner for privilege escalation vulnerabilities.
  • VigilantEye – monitors databases for leaked sensitive data and alerts via WeChat Work.

Thomas notes that the developer’s GitHub activity suggests engagement with organizations linked to Chinese state‑sponsored cyber operations. This includes companies with known ties to China’s Ministry of State Security (MSS).

One such firm, Knownsec 404, was at the center of a major leak last year that exposed more than 12,000 internal files, including employee and customer data, intelligence on foreign targets, hacking tools, stolen datasets, and insights into ongoing cyber operations against multiple countries.

A January analysis by DomainTools described Knownsec as a “state‑aligned cyber contractor” supporting China’s national security and military objectives. The leak revealed an internal shadow organization working for the PLA, MSS, and other state entities, and tools like ZoomEye and the Critical Infrastructure Target Library that provide China with extensive global reconnaissance capabilities.

The developer, Ed1s0nZ, has also recently edited a GitHub README.md file to remove references to receiving a Level 2 Contribution Award from the China National Vulnerability Database of Information Security (CNNVD). The developer insists their tools are for “research and learning” purposes.

Research from Bitsight indicates China operates two main vulnerability databases:

  • CNNVD, overseen by the Ministry of State Security.
  • CNVD, managed by CNCERT.

Past reporting from Recorded Future shows CNNVD often delays publishing high‑severity vulnerabilities compared to lower‑severity ones.

Thomas concludes that the developer’s recent efforts to remove connections to CNNVD point to an attempt to hide state affiliations as CyberStrikeAI’s usage increases. He warns that its growing adoption signals a worrisome trend in the spread of AI‑enhanced offensive security tools.
