
Hackers Unleash AI-Powered Attacks with CyberStrikeAI

Originally published on: March 4, 2026
Summary

– The same threat actor who breached hundreds of Fortinet firewalls was observed using a new open-source AI security testing platform called CyberStrikeAI.
– CyberStrikeAI is an AI-native platform that integrates over 100 security tools, enabling automated attack chains from reconnaissance to exploitation.
– Researchers warn such AI orchestration engines lower the skill barrier and could accelerate automated attacks on exposed edge devices like firewalls.
– The developer of CyberStrikeAI, using the alias “Ed1s0nZ,” has links to Chinese cybersecurity organizations and has received an award from the China National Vulnerability Database (CNNVD).
– This incident exemplifies a broader trend of threat actors increasingly using commercial AI services to automate and enhance cyberattacks at all skill levels.

A newly identified open-source platform is lowering the barrier for cyberattacks, enabling even low-skilled threat actors to automate complex intrusions. Security researchers have linked a tool called CyberStrikeAI to a recent campaign that successfully breached hundreds of Fortinet FortiGate firewalls. The same infrastructure used in that widespread attack was found running this AI-native security testing platform, highlighting a dangerous shift towards automated, AI-driven exploitation.

Last month, a report detailed a hacking operation that compromised over five hundred FortiGate devices within just five weeks. The threat actor behind this campaign used several servers, including one with the IP address 212.11.64[.]250. In a new analysis, Team Cymru’s Senior Threat Intel Advisor, Will Thomas, states that this same IP address was observed operating the relatively new CyberStrikeAI platform. By examining network flow data, researchers identified a service banner for CyberStrikeAI on port 8080 and confirmed communications between that server and the targeted Fortinet devices. The infrastructure supporting the firewall campaign was last seen running this AI tool on January 30, 2026.
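The hunting method described above, a banner observation on port 8080 used to build an indicator set and then correlated against flow records to find contact with edge-device management interfaces, can be reproduced over a defender's own data. The following is an added example written for this article; it is not code from Team Cymru or from the CyberStrikeAI project. The flow records, the banner text, the `192.0.2.0/24` management range and the list of management ports are all constructed for illustration; only the IP address 212.11.64.250 and port 8080 come from the article.

```python
"""
Correlate banner-scan observations with flow records to find connections from
hosts running an AI orchestration platform's web interface to the management
ports of edge devices.

Added example, not from the article or the project it describes. Every flow
record and banner string below is constructed; the banner marker and the
management-port list are assumptions, not published signatures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Indicator seed: the one server named in the article.
KNOWN_ORCHESTRATOR_HOSTS = {"212.11.64.250"}
ORCHESTRATOR_PORT = 8080
# Assumed: a case-insensitive substring the scanning service recorded in the banner.
ORCHESTRATOR_BANNER_MARKER = "cyberstrikeai"

# Assumed: ports on which edge appliances expose administration or VPN portals.
MGMT_PORTS = {22, 443, 8443, 10443}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed CSV flow record: ts,src,dst,dport,proto,bytes."""
    ts, src, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def learn_hosts_from_banners(banner_records):
    """Extend the indicator set from (ip, port, banner) scan observations.

    A host is added when it served the marker string on the orchestrator port.
    """
    hosts = set(KNOWN_ORCHESTRATOR_HOSTS)
    for ip, port, banner in banner_records:
        if port == ORCHESTRATOR_PORT and ORCHESTRATOR_BANNER_MARKER in banner.lower():
            hosts.add(ip)
    return hosts


def find_edge_contacts(flows, orchestrator_hosts, edge_mgmt_net):
    """Return flows from orchestrator hosts to management ports inside edge_mgmt_net."""
    net = ip_network(edge_mgmt_net)
    return [
        f for f in flows
        if f.src in orchestrator_hosts
        and f.dport in MGMT_PORTS
        and ip_address(f.dst) in net
    ]


def summarize(hits):
    """Count matching flows per source host, for a quick triage view."""
    counts = {}
    for f in hits:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed banner observations (ip, port, banner); RFC 5737 addresses except the article's IP.
SAMPLE_BANNERS = [
    ("212.11.64.250", 8080, "HTTP/1.1 200 OK Server: CyberStrikeAI"),
    ("198.51.100.7", 8080, "HTTP/1.1 200 OK Server: CyberStrikeAI"),
    ("203.0.113.9", 8080, "HTTP/1.1 200 OK Server: nginx"),
]

# Constructed flow records; 192.0.2.0/24 stands in for the firewall management range.
SAMPLE_FLOWS = """\
2026-01-30T02:14:07Z,212.11.64.250,192.0.2.10,443,tcp,5120
2026-01-30T02:14:09Z,212.11.64.250,192.0.2.11,10443,tcp,3100
2026-01-30T02:15:00Z,198.51.100.7,192.0.2.12,443,tcp,2048
2026-01-30T02:16:00Z,203.0.113.9,192.0.2.10,443,tcp,900
2026-01-30T02:17:00Z,192.0.2.50,192.0.2.10,443,tcp,700
2026-01-30T02:18:00Z,212.11.64.250,192.0.2.10,80,tcp,400
"""


def hunt(flow_text=SAMPLE_FLOWS, banners=SAMPLE_BANNERS, edge_mgmt_net="192.0.2.0/24"):
    """Run the full correlation: banners -> indicator set -> flow matches."""
    flows = [parse_flow_line(l) for l in flow_text.splitlines() if l.strip()]
    hosts = learn_hosts_from_banners(banners)
    return find_edge_contacts(flows, hosts, edge_mgmt_net)


if __name__ == "__main__":
    matches = hunt()
    for f in matches:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
    print(summarize(matches))
```

On the constructed data the nginx host and the internal source are ignored, the second banner host is picked up from the scan data, and the port 80 flow is excluded because it is not a management port; in practice the banner marker and port list would be replaced with whatever a scanning service and the local appliance inventory actually record.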

The GitHub repository for CyberStrikeAI describes it as an AI-native platform built in the Go programming language. It integrates more than a hundred security tools with an intelligent orchestration engine, predefined roles, and a skills system. The project claims to enable end-to-end automation from simple conversational commands all the way through to vulnerability discovery, attack analysis, and result visualization. It is designed to provide an auditable and collaborative testing environment for security professionals. The platform includes an AI decision engine compatible with major models like GPT and Claude, a password-protected web interface with logging, and a comprehensive dashboard for managing vulnerabilities and visualizing attack chains.

Its integrated toolset allows it to execute a complete attack sequence. This includes network scanning with tools like nmap, web application testing with sqlmap, exploitation via frameworks like Metasploit, password cracking with Hashcat, and post-exploitation activities using Mimikatz and Bloodhound. By weaving these tools together with AI agents and an orchestrator, CyberStrikeAI empowers operators to automate sophisticated attacks against selected targets. Analysts warn that such AI-native orchestration engines could significantly accelerate the automated targeting of exposed edge devices, including firewalls and VPN appliances.

Between January 20 and February 26, 2026, researchers observed twenty-one unique IP addresses running CyberStrikeAI instances. These servers were primarily hosted in China, Singapore, and Hong Kong, with additional infrastructure located in the United States, Japan, and Europe. Thomas explains that as adversaries adopt these AI-native engines, the security community should anticipate a rise in automated targeting of vulnerable edge devices, similar to the reconnaissance seen against Fortinet appliances. Defenders must prepare for a landscape where tools like CyberStrikeAI dramatically lower the skill threshold required for complex network exploitation.

The developer behind CyberStrikeAI uses the alias “Ed1s0nZ.” Public repositories linked to this account show work on other AI-assisted security tools, including PrivHunterAI for detecting privilege escalation vulnerabilities and InfiltrateX, a privilege escalation scanner. The developer’s GitHub activity indicates interactions with organizations previously associated with cyber operations linked to the Chinese government. In December 2025, the developer shared CyberStrikeAI with the “Starlink Project” run by Knownsec 404, a Chinese cybersecurity firm. Furthermore, the developer’s profile once mentioned receiving a contribution award from the China National Vulnerability Database (CNNVD), an entity believed to be operated by China’s intelligence community. This reference was later removed. The developer’s repositories are primarily in Chinese, and interaction with domestic cybersecurity organizations is not unusual in that context.

These developments underscore how commercially available AI services are being repurposed by threat actors to automate attacks. This trend empowers malicious actors across the skill spectrum. Last month, Google reported that threat actors are abusing its Gemini AI across all stages of cyberattacks, further confirming that AI is becoming a powerful force multiplier in the hands of adversaries.

(Source: Bleeping Computer)
