The recent surge of AI-assisted attacks against Fortinet FortiGate appliances has been traced to CyberStrikeAI, an open-source, AI-native security testing platform. Team Cymru made the attribution after analysing an IP address tied to automated scanning of vulnerable devices, and the finding shows how threat actors are repurposing AI-driven tooling for malicious ends.
Amazon Threat Intelligence first flagged the campaign last month, noting the systematic targeting of FortiGate devices. The attackers reportedly used generative AI services such as Anthropic's Claude and DeepSeek, and the campaign compromised more than 600 appliances across 55 countries. This approach marks a notable evolution in attacker tradecraft.
CyberStrikeAI: An AI-Powered Offensive Security Tool
CyberStrikeAI is an open-source offensive security tool written in Go. It integrates more than 100 security tools to support vulnerability discovery, attack-chain analysis, knowledge retrieval, and visualisation of findings. It is maintained by a China-based developer known online as Ed1s0nZ, who security researcher Will Thomas suggests may have ties to the Chinese government.
Team Cymru observed 21 distinct IP addresses running CyberStrikeAI between January 20 and February 26, 2026. Servers hosting the platform were primarily located in China, Singapore, and Hong Kong, with additional related servers detected in the United States, Japan, and Switzerland. This widespread distribution suggests a broad operational reach for the tool.
The Ed1s0nZ Ecosystem and Potential State Ties
Beyond CyberStrikeAI, the Ed1s0nZ GitHub account hosts several other tools focused on exploitation and AI model manipulation: watermark-tool, for document watermarking; banana_blackmail, a Go-based ransomware; and PrivHunterAI, which uses AI models to detect privilege escalation vulnerabilities. The account also hosts ChatGPTJailbreak, a collection of prompts designed to circumvent OpenAI's ChatGPT safety measures.
InfiltrateX, another Go-based tool, likewise focuses on identifying privilege escalation vulnerabilities. VigilantEye monitors databases for sensitive information disclosures, such as phone numbers and ID card numbers, and can send alerts via a WeChat Work bot. Together these tools indicate substantial technical capability and a focus on offensive security operations.
Will Thomas’s analysis suggests that Ed