AI Cyber Warfare: Hackers Embrace CyberStrikeAI for Advanced Attacks
The Rise of AI-Powered Cybersecurity Tools in 2026
In the realm of cybersecurity, researchers have uncovered a concerning development involving a newly discovered open-source AI security testing platform known as CyberStrikeAI. This platform has been linked to a recent hacking campaign that successfully breached over 500 Fortinet FortiGate firewalls within a span of five weeks.
The threat actor responsible for this campaign utilized various servers, including one hosted at the IP address 212.11.64[.]250. Senior Threat Intel Advisor for Team Cymru, Will Thomas, also known as BushidoToken, has identified this same IP address as running CyberStrikeAI, an AI-powered security testing platform.
Through the analysis of NetFlow data, Team Cymru observed the CyberStrikeAI service banner operating on port 8080 on 212.11.64[.]250. This platform was seen communicating with the Fortinet FortiGate devices targeted by the threat actor. The CyberStrikeAI infrastructure was last active on January 30, 2026.
CyberStrikeAI, as described on its GitHub repository, is an AI-native security testing platform built in Go. It boasts integration with over 100 security tools, an intelligent orchestration engine, predefined security roles, and a skills system.
The platform’s capabilities include conducting a full attack chain, encompassing network scanning, web and application testing, exploitation frameworks, password cracking tools, and post-exploitation frameworks. By amalgamating these tools with AI agents and an orchestrator, CyberStrikeAI empowers operators, even those with limited expertise, to automate attacks on targets.
Team Cymru warns that the proliferation of AI-native orchestration engines like CyberStrikeAI could expedite automated targeting of exposed edge devices such as firewalls and VPN appliances.
Interestingly, researchers observed 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, with servers predominantly hosted in China, Singapore, and Hong Kong. Additional infrastructure was identified in the United States, Japan, and Europe.
The developer behind CyberStrikeAI, known as “Ed1s0nZ,” has also contributed to other AI-assisted security tools like PrivHunterAI and InfiltrateX. These tools focus on detecting privilege escalation vulnerabilities and privilege escalation scanning, respectively.
The developer's GitHub activity shows interactions with organizations associated with Chinese government-affiliated cyber operations. Notably, the developer shared CyberStrikeAI with the "Starlink Project" of Knownsec 404, a Chinese cybersecurity firm with alleged government ties.
Furthermore, the mention of receiving a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” on the developer’s GitHub profile raises suspicions. The China National Vulnerability Database (CNNVD) is believed to be operated by China’s intelligence community for identifying vulnerabilities.
These developments underscore the increasing utilization of commercial AI services by threat actors to automate attacks, thereby lowering the barrier to entry. Google’s recent report also highlights the abuse of Gemini AI by threat actors across all stages of cyberattacks, showcasing the evolution of cyber threats in the digital landscape.

