Researchers warn {that a} newly recognized open-source AI safety testing platform known as CyberStrikeAI was utilized by the identical menace actor behind a current marketing campaign that breached a whole bunch of Fortinet FortiGate firewalls.
Final month, BleepingComputer reported on an AI-assisted hacking operation that compromised greater than 500 FortiGate units in 5 weeks. The menace actor behind this marketing campaign used a number of servers, together with an internet server at 212.11.64[.]250.
In a new report, Senior Menace Intel Advisor for Group Cymru, Will Thomas (aka BushidoToken), says that the identical IP tackle was noticed working the comparatively new CyberStrikeAI AI-powered safety testing platform.
Analyzing NetFlow information, Group Cymru recognized a “CyberStrikeAI” service banner working on port 8080 on 212.11.64[.]250 and noticed community communications between that IP and Fortinet FortiGate units the menace actor focused. The FortiGate marketing campaign infrastructure was final seen working CyberStrikeAI on January 30, 2026.
CyberStrikeAI’s GitHub repository describes itself as an “AI-native safety testing platform inbuilt Go” that integrates over 100 safety instruments, an clever orchestration engine, predefined safety roles, and a expertise system.
“Via native MCP protocol and AI brokers, it permits end-to-end automation from conversational instructions to vulnerability discovery, attack-chain evaluation, data retrieval, and outcome visualization—delivering an auditable, traceable, and collaborative testing setting for safety groups,” reads the undertaking description. The device consists of an AI resolution engine appropriate with fashions akin to GPT, Claude, and DeepSeek, a password-protected net UI with audit logging and SQLite persistence, and a dashboard for vulnerability administration, job orchestration, and attack-chain visualization.
Its tooling permits it to conduct a full assault chain, together with community scanning (nmap, masscan), net and software testing (sqlmap, nikto, gobuster), exploitation frameworks (metasploit, pwntools), password cracking instruments (hashcat, john), and post-exploitation frameworks (mimikatz, bloodhound, impacket).
By combining these instruments with AI brokers and an orchestrator, CyberStrikeAI permits operators, even low-skilled ones, to automate assaults in opposition to targets. Group Cymru warns that AI-native orchestration engines like this might speed up automated focusing on of uncovered edge units, together with firewalls and VPN home equipment.
The researchers say they noticed 21 distinctive IP addresses working CyberStrikeAI between January 20 and February 26, 2026, with servers primarily hosted in China, Singapore, and Hong Kong. Extra infrastructure was noticed in america, Japan, and Europe.
“As adversaries more and more embrace AI-native orchestration engines, we anticipate to see an increase in automated, AI-driven focusing on of weak edge units, just like the noticed reconnaissance and focusing on of Fortinet FortiGate home equipment,” explains Thomas.
“Within the close to future, defenders should be ready for an setting the place instruments like CyberStrikeAI, alongside the developer’s different AI-assisted privilege escalation initiatives like PrivHunterAI and InfiltrateX, considerably decrease the barrier to entry for complicated community exploitation.”
The researchers additionally examined the profile of the CyberStrikeAI developer, who goes by the alias “Ed1s0nZ.”
Based mostly on public repositories linked to the account, the developer has labored on further AI-assisted safety instruments, together with PrivHunterAI, which makes use of AI fashions to detect privilege escalation vulnerabilities, and InfiltrateX, a privilege escalation scanning device.
In accordance with Group Cymru, the developer’s GitHub exercise reveals interactions with organizations beforehand linked to Chinese language authorities–affiliated cyber operations.
In December 2025, the developer shared CyberStrikeAI with Knownsec 404’s “Starlink Mission.” Knownsec is a Chinese language cybersecurity agency with alleged hyperlinks to the Chinese language authorities.
On January 5, 2026, the developer talked about receiving a “CNNVD 2024 Vulnerability Reward Program – Degree 2 Contribution Award” on their GitHub profile.
The China Nationwide Vulnerability Database (CNNVD) is believed to be operated by China’s intelligence neighborhood, which allegedly makes use of it to determine vulnerabilities for its operations. Group Cymru says the reference to CNNVD was later faraway from the developer’s profile.
The developer’s GitHub repositories are primarily written in Chinese language, suggesting they’re a Chinese language-speaking developer, and interplay with home cybersecurity organizations wouldn’t essentially be uncommon.
These new AI-powered cybersecurity instruments proceed to show how industrial AI companies are more and more utilized by menace actors to automate their assaults whereas, on the identical time, reducing the barrier to entry.
Final month, Google additionally reported that menace actors are abusing Gemini AI throughout all levels of cyberattacks, empowering the talents of menace actors of all ability ranges.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
