Researchers warn that a newly identified open-source AI security testing platform known as CyberStrikeAI was used by the same threat actor behind a recent campaign that breached hundreds of Fortinet FortiGate firewalls.
Last month, BleepingComputer reported on an AI-assisted hacking operation that compromised more than 500 FortiGate devices in five weeks. The threat actor behind this campaign used several servers, including a web server at 212.11.64[.]250.
In a new report, Senior Threat Intel Advisor for Team Cymru, Will Thomas (aka BushidoToken), says that the linked IP address was observed running the relatively new CyberStrikeAI AI-powered security testing platform.
Analyzing NetFlow data, Team Cymru identified a “CyberStrikeAI” service banner running on port 8080 on 212.11.64[.]250 and saw network communications between that IP and the Fortinet FortiGate devices the threat actor targeted. The FortiGate campaign infrastructure was last seen running CyberStrikeAI on January 30, 2026.
CyberStrikeAI’s GitHub repository describes itself as an “AI-native security testing platform built in Go” that integrates over 100 security tools, an intelligent orchestration engine, predefined security roles, and a skills system.
“Through native MCP protocol and AI agents, it enables end-to-end automation from conversational commands to vulnerability discovery, attack-chain analysis, knowledge retrieval, and result visualization—delivering an auditable, traceable, and collaborative testing environment for security teams,” reads the project description. The tool includes an AI decision engine compatible with models such as GPT, Claude, and DeepSeek, a password-protected web UI with audit logging and SQLite persistence, and a dashboard for vulnerability management, task orchestration, and attack-chain visualization.
Its tooling enables it to conduct a full attack chain, including network scanning (nmap, masscan), web and application testing (sqlmap, nikto, gobuster), exploitation frameworks (metasploit, pwntools), password cracking tools (hashcat, john), and post-exploitation frameworks (mimikatz, bloodhound, impacket).
By combining these tools with AI agents and an orchestrator, CyberStrikeAI enables operators, even low-skilled ones, to automate attacks against targets. Team Cymru warns that AI-native orchestration engines like this could speed up automated targeting of exposed edge devices, including firewalls and VPN appliances.
The researchers say they observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, with servers primarily hosted in China, Singapore, and Hong Kong. Additional infrastructure was observed in the United States, Japan, and Europe.
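The flow-based hunt described above can be reproduced on a defender's own NetFlow export. The following is an added example, not code from the article or from Team Cymru: it takes constructed flow records, the indicator IP named in the report (defanged in the article and refanged here), and a placeholder management IP for an organization's FortiGate, and flags every flow between the two, distinguishing inbound probes from the firewall reaching out to the indicator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 212.11.64[.]250 into a matchable IP string."""
    return ioc.replace("[.]", ".")

# Indicator named in the article; the FortiGate management IP is a constructed placeholder.
INDICATORS = {refang("212.11.64[.]250")}
OUR_FIREWALLS = {"203.0.113.10"}

def hunt_indicator_flows(flows, indicators, firewall_ips):
    """Return (direction, flow) for every flow between a watchlisted IP and one of our firewalls."""
    hits = []
    for f in flows:
        if f.src in indicators and f.dst in firewall_ips:
            hits.append(("inbound", f))   # indicator connecting to the firewall (probe or login)
        elif f.src in firewall_ips and f.dst in indicators:
            hits.append(("outbound", f))  # firewall initiating to the indicator: stronger signal
    return hits

def summarize(hits):
    """Per direction: set of remote ports touched and total bytes, for triage."""
    out = {}
    for direction, f in hits:
        entry = out.setdefault(direction, {"ports": set(), "bytes": 0})
        entry["ports"].add(f.dport)
        entry["bytes"] += f.nbytes
    return out

# Constructed sample NetFlow records (not real telemetry).
SAMPLE_FLOWS = [
    Flow("212.11.64.250", 51234, "203.0.113.10", 443, 18200),   # admin UI from indicator
    Flow("212.11.64.250", 51240, "203.0.113.10", 10443, 4100),  # SSL-VPN port from indicator
    Flow("203.0.113.10", 49152, "212.11.64.250", 8080, 2600),   # firewall reaching the 8080 service
    Flow("198.51.100.7", 40000, "203.0.113.10", 443, 900),      # unrelated admin session
    Flow("203.0.113.10", 53012, "192.0.2.53", 53, 120),         # DNS, benign
]

if __name__ == "__main__":
    hits = hunt_indicator_flows(SAMPLE_FLOWS, INDICATORS, OUR_FIREWALLS)
    for direction, f in hits:
        print(f"{direction:8} {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.nbytes} B)")
    print(summarize(hits))
```

On real data, the outbound bucket is the one to escalate first: an edge device initiating connections to a host that serves an attack-orchestration panel is not explained by external scanning alone.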
“As adversaries increasingly embrace AI-native orchestration engines, we expect to see a rise in automated, AI-driven targeting of vulnerable edge devices, similar to the observed reconnaissance and targeting of Fortinet FortiGate appliances,” explains Thomas.
“In the near future, defenders must be prepared for an environment where tools like CyberStrikeAI, alongside the developer’s other AI-assisted privilege escalation projects like PrivHunterAI and InfiltrateX, significantly lower the barrier to entry for complex network exploitation.”
The researchers also examined the profile of the CyberStrikeAI developer, who goes by the alias “Ed1s0nZ.”
According to public repositories linked to the account, the developer has worked on other AI-assisted security tools, including PrivHunterAI, which uses AI models to detect privilege escalation vulnerabilities, and InfiltrateX, a privilege escalation scanning tool.
According to Team Cymru, the developer’s GitHub activity shows interactions with organizations previously linked to Chinese government-affiliated cyber operations.
In December 2025, the developer shared CyberStrikeAI with Knownsec 404’s “Starlink Project.” Knownsec is a Chinese cybersecurity firm with alleged links to the Chinese government.
On January 5, 2026, the developer mentioned receiving a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” on their GitHub profile.
The China National Vulnerability Database (CNNVD) is believed to be operated by China’s intelligence community, which allegedly uses it to identify vulnerabilities for its operations. Team Cymru says the reference to CNNVD was later removed from the developer’s profile.
The developer’s GitHub repositories are primarily written in Chinese, suggesting they are a Chinese-speaking developer, and interaction with domestic cybersecurity organizations would not necessarily be unusual.
These new AI-powered cybersecurity tools continue to show how commercial AI services are increasingly used by threat actors to automate their attacks while, at the same time, lowering the barrier to entry.
Last month, Google also reported that threat actors are abusing Gemini AI across all phases of cyberattacks, enhancing the capabilities of threat actors of all skill levels.