CyberStrikeAI tool adopted by hackers for AI-powered attacks
Source: Bleeping Computer
Image: AI‑assisted hacking operation
Background
- Previous breach – Last month, BleepingComputer reported an AI‑assisted hacking operation that compromised >500 FortiGate devices in five weeks. The campaign used multiple servers, including a web server at
212.11.64[.]250【source】. - New report – In a follow‑up post, Team Cymru’s Senior Threat Intel Advisor Will Thomas (aka BushidoToken) observed the same IP address running the CyberStrikeAI platform【source】.
How CyberStrikeAI Was Detected
- NetFlow analysis revealed a “CyberStrikeAI” service banner on port 8080 of
212.11.64[.]250. - Network traffic between this IP and the targeted FortiGate devices was observed.
- The infrastructure was last seen running CyberStrikeAI on 30 January 2026.
CyberStrikeAI Overview
- GitHub repository: (link not provided in source)
- Described as an “AI‑native security testing platform built in Go.”
- Integrates 100+ security tools, an intelligent orchestration engine, predefined security roles, and a skills system.
“Through native MCP protocol and AI agents, it enables end‑to‑end automation from conversational commands to vulnerability discovery, attack‑chain analysis, knowledge retrieval, and result visualization—delivering an auditable, traceable, and collaborative testing environment for security teams.” – Project description
Core Features
| Feature | Details |
|---|---|
| AI decision engine | Supports models such as GPT, Claude, and DeepSeek |
| Web UI | Password‑protected, audit‑logged, SQLite persistence |
| Dashboard | Vulnerability management, task orchestration, attack‑chain visualization |
| Toolchain | - Network scanning: nmap, masscan- Web/app testing: sqlmap, nikto, gobuster- Exploitation: metasploit, pwntools- Password cracking: hashcat, john- Post‑exploitation: mimikatz, bloodhound, impacket |
| Automation | AI agents + orchestrator enable low‑skill operators to launch full attack chains |
Observed Deployment
- 21 unique IPs ran CyberStrikeAI between 20 January – 26 February 2026.
- Primary hosting locations: China, Singapore, Hong Kong; additional nodes in the United States, Japan, and Europe.
“As adversaries increasingly embrace AI‑native orchestration engines, we expect a rise in automated, AI‑driven targeting of vulnerable edge devices, similar to the observed reconnaissance and targeting of Fortinet FortiGate appliances.” – Will Thomas
Developer Profile: Ed1s0nZ
- Alias: Ed1s0nZ
- Other tools:
- PrivHunterAI – AI‑driven privilege‑escalation vulnerability detection.
- InfiltrateX – Privilege‑escalation scanning framework.
- Affiliations:
- Interacted with organizations linked to Chinese government‑affiliated cyber operations.
- Shared CyberStrikeAI with Knownsec 404’s “Starlink Project” (a Chinese cybersecurity firm with alleged state ties).
- Awards: Mentioned a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” on GitHub (later removed).
- Language: Repositories primarily written in Chinese, indicating a Chinese‑speaking developer.
Implications
- Lowered barrier to entry: AI‑native orchestration engines like CyberStrikeAI enable even low‑skill actors to automate sophisticated attack chains.
- Edge‑device risk: Automated targeting of exposed firewalls, VPN appliances, and other edge devices is likely to increase.
- Future threats: Similar tools (e.g., PrivHunterAI, InfiltrateX) could further accelerate AI‑driven exploitation.
Related Reports
- FortiGate breach (BleepingComputer)
- Team Cymru analysis
- Google Gemini abuse
Image: Red report graphic
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.