Hackers Leveraged CyberStrikeAI Tool to Breach Fortinet FortiGate Devices

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

CyberStrikeAI Tool Breach FortiGate Devices

A new artificial intelligence (AI) offensive security tool called CyberStrikeAI is being actively leveraged by threat actors to target edge devices, particularly Fortinet FortiGate appliances.

This open-source platform, developed by a China-based individual with potential ties to state-sponsored operations, represents a significant escalation in the weaponization of AI for cyber attacks.

According to its GitHub repository, CyberStrikeAI is an “AI-native security testing platform built in Go,” integrating over 100 security tools along with an intelligent orchestration engine.

It features role-based testing, specialized skills systems, and comprehensive lifecycle management capabilities, all accessible via a centralized dashboard.

The tool first garnered attention following a report by the Amazon CTI team, which identified AI-augmented infrastructure targeting FortiGate devices at scale.

CyberStrikeAI is an open-source offensive security tool (OST) written in Go and hosted publicly on GitHub under the profile “Ed1s0nZ.”

According to its own repository description, the platform is “an AI-native security testing platform built in Go” that integrates over 100 security tools alongside an intelligent orchestration engine, role-based testing, a specialized skills system, and comprehensive lifecycle management capabilities.

The tool features a web dashboard that allows operators to monitor platform state and manage active operations, significantly lowering the technical barrier to conducting large-scale, automated network exploitation campaigns.

Tool Dashboard

Team Cymru’s analysis of a specific IP address shared by Amazon (212.11.64.250) revealed the presence of a “CyberStrikeAI” banner on an open port. By monitoring global NetFlow data, researchers observed this IP actively communicating with target Fortinet FortiGate devices, highlighting the platform’s role in network reconnaissance and exploitation.

While the CyberStrikeAI repository was initially established on November 8, 2025, active deployments remained scarce until early 2026. However, between January 20 and February 26, 2026, researchers tracked 21 unique IP addresses running the CyberStrikeAI platform.

Cymru analysis

This rapid proliferation indicates a sharp increase in operational usage. Geographically, these servers are heavily concentrated in Chinese-speaking regions, including China, Singapore, and Hong Kong, aligning with the developer’s background.

CyberStrikeAI Tool to Breach FortiGate Devices

The developer behind CyberStrikeAI, operating under the alias “Ed1s0nZ,” has a history of creating tools focused on exploitation and privilege escalation.

Their other GitHub projects include PrivHunterAI and InfiltrateX, which utilize AI engines to automate vulnerability detection, as well as a steganographic document watermarking tool.

More concerning are the developer’s documented interactions with entities linked to the Chinese Ministry of State Security (MSS). In December 2025, Ed1s0nZ submitted CyberStrikeAI to the Starlink Project managed by Knownsec 404, a private firm with known ties to the MSS and the Chinese People’s Liberation Army.

Tool            Description
CyberStrikeAI   AI-native offensive security testing platform with 100+ integrated tools
PrivHunterAI    Passive proxy-based privilege escalation detection using AI engines (Kimi, DeepSeek, GPT)
InfiltrateX     Automated privilege escalation vulnerability scanning tool
watermark-tool  Steganography-based invisible document watermarking with extraction support

Additionally, in January 2026, the developer touted a “Level 2 Contribution Award” from the Chinese National Vulnerability Database (CNNVD), a program overseen by the MSS and widely regarded as a vehicle for the Chinese Communist Party to stockpile zero-day vulnerabilities.

Interestingly, Ed1s0nZ recently scrubbed this CNNVD reference from their profile, likely in an attempt to obscure these state connections as the tool gains notoriety.

The rapid adoption of CyberStrikeAI underscores a concerning evolution in the cybersecurity threat landscape. The platform significantly lowers the barrier to entry for complex network exploitation by automating reconnaissance and targeting through AI orchestration.

Given the developer’s affiliations, there is a high probability that CyberStrikeAI will be integrated into the arsenals of Chinese state-sponsored advanced persistent threat (APT) groups.

As threat actors increasingly embrace AI-native tools, defenders must prepare for a surge in automated, highly sophisticated attacks targeting vulnerable edge infrastructure.

Security teams are urged to proactively monitor their networks using available indicators of compromise and bolster defenses against AI-assisted exploitation techniques.
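The two defensive observations in this report, the "CyberStrikeAI" service banner seen on the server Amazon shared and the NetFlow correlation showing that server talking to FortiGate devices, translate directly into a triage check a SOC can run over its own flow exports. The script below is an added example and is not code from the article, from Team Cymru, or from the CyberStrikeAI project. The only indicator it carries from the page is the IP 212.11.64.250; the comma-separated flow format, the sample flow lines, the sample banner, the port numbers and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
"""Flag flow records that touch a CyberStrikeAI indicator address and
match the platform banner in already-collected scan output.

Added example (not from the article or the CyberStrikeAI project).
IOC IP 212.11.64.250 is the one reported in the article; the flow record
format, sample flows, sample banner and RFC 5737 addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
import ipaddress

# Addresses reported as hosting CyberStrikeAI. The article names one;
# extend this set from your own threat-intel feed.
CYBERSTRIKEAI_IOCS = frozenset({"212.11.64.250"})

# Substring reported in the service banner of CyberStrikeAI servers.
BANNER_MARKER = "CyberStrikeAI"


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse 'ts,src,dst,dport,bytes' (constructed format); return None for
    malformed lines or non-IP address fields instead of raising."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, dport, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), int(nbytes))
    except ValueError:
        return None


def flag_ioc_flows(lines: Iterable[str],
                   iocs: frozenset = CYBERSTRIKEAI_IOCS) -> List[Flow]:
    """Return every well-formed flow whose source or destination is an IOC.
    Both directions matter: inbound scanning and any reply traffic."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and (flow.src in iocs or flow.dst in iocs):
            hits.append(flow)
    return hits


def summarize(hits: Iterable[Flow],
              iocs: frozenset = CYBERSTRIKEAI_IOCS) -> Dict[str, dict]:
    """Per IOC: the internal peers it touched, the destination ports seen,
    and total bytes. This is what goes into the incident ticket."""
    summary: Dict[str, dict] = {}
    for f in hits:
        ioc, peer = (f.src, f.dst) if f.src in iocs else (f.dst, f.src)
        entry = summary.setdefault(ioc, {"peers": set(), "ports": set(), "bytes": 0})
        entry["peers"].add(peer)
        entry["ports"].add(f.dport)
        entry["bytes"] += f.nbytes
    return summary


def banner_matches(banner: str) -> bool:
    """True when a banner captured by your own scanner names the platform.
    Case-insensitive so a lowercased export still matches."""
    return BANNER_MARKER.lower() in banner.lower()


# Constructed sample flows: three touch the reported IOC, one is benign,
# one is malformed and must be skipped rather than crash the run.
SAMPLE_FLOWS = [
    "2026-02-10T08:00:01Z,212.11.64.250,203.0.113.7,443,912",
    "2026-02-10T08:00:03Z,203.0.113.7,212.11.64.250,443,4410",
    "2026-02-10T08:00:05Z,198.51.100.23,203.0.113.7,443,1200",
    "malformed line",
    "2026-02-10T08:00:09Z,212.11.64.250,203.0.113.9,22,640",
]

# Constructed banner resembling a scan-export line, for the marker check.
SAMPLE_BANNER = "HTTP/1.1 200 OK\r\nServer: CyberStrikeAI\r\n"

if __name__ == "__main__":
    hits = flag_ioc_flows(SAMPLE_FLOWS)
    for ioc, info in summarize(hits).items():
        print(f"{ioc}: peers={sorted(info['peers'])} "
              f"ports={sorted(info['ports'])} bytes={info['bytes']}")
    print("banner match:", banner_matches(SAMPLE_BANNER))
```

Feed it the flow export from your perimeter (most collectors can emit the five fields above) and the banner column of your external attack-surface scan; a hit on either side is a reason to pull FortiGate logs for the peers listed, not a confirmed compromise on its own.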
