Full Report
Researchers warn that a newly identified open-source AI security testing platform called CyberStrikeAI was used by the same threat actor behind a recent campaign that breached hundreds of Fortinet FortiGate firewalls. [...]
Analysis Summary
# Threat Actor: Unnamed Developer/Actor (Associated with "Ed1s0nZ")
## Attribution & Identity
* **Developer Alias:** Ed1s0nZ (GitHub)
* **Suspected Affiliation:** Likely Chinese-nexus. The actor has direct interactions with **Knownsec 404** (via the "Starlink Project"), a firm with alleged links to Chinese state-sponsored cyber espionage.
* **Government Links:** The developer claimed to receive a "Level 2 Contribution Award" from the **CNNVD** (China National Vulnerability Database), an entity believed to be operated by Chinese intelligence for vulnerability stockpiling.
* **Associated Groups:** Interactions with Chinese cybersecurity contractor ecosystems.
## Activity Summary
* **FortiGate Exploitation Campaign (Jan–Feb 2026):** The actor utilized a multi-server infrastructure to breach over 500 Fortinet FortiGate firewalls within a five-week period.
* **AI-Orchestrated Attacks:** Integration of the "CyberStrikeAI" platform to automate the attack chain, from reconnaissance to vulnerability discovery and exploitation.
* **Tool Development:** Continuous development of AI-native hacking tools including `PrivHunterAI` and `InfiltrateX`.
## Tactics, Techniques & Procedures
* **AI-Native Orchestration:** Using Large Language Models (GPT, Claude, DeepSeek) via the MCP protocol to automate decision-making during attacks.
* **Automated Reconnaissance:** Large-scale scanning of edge devices and VPN appliances.
* **Attack Chain Automation:**
* **Network Scanning:** nmap, masscan
* **Web/App Testing:** sqlmap, nikto, gobuster
* **Exploitation:** Metasploit, pwntools
* **Credential Attacks:** hashcat, john (John the Ripper)
* **Post-Exploitation:** Mimikatz, Bloodhound, Impacket
* **MITRE ATT&CK IDs (Inferred):**
* T1190 – Exploit Public-Facing Application
* T1595 – Active Scanning
* T1078 – Valid Accounts (via password cracking)
* T1548 – Abuse Elevation Control Mechanism (Privilege Escalation via AI)
## Targeting
* **Sectors:** Broad targeting of organizations utilizing vulnerable edge infrastructure; likely focused on sectors of interest to Chinese intelligence.
* **Geography:** Global reach, specifically targeting devices in the United States, Europe, Japan, and Southeast Asia.
* **Victims:** Over 500 Fortinet FortiGate firewall instances confirmed breached in early 2026.
## Tools & Infrastructure
* **Primary Tool:** **CyberStrikeAI** – An open-source, Go-based AI security testing platform.
* **Additional Tools:**
* `PrivHunterAI`: AI-assisted privilege escalation vulnerability detection.
* `InfiltrateX`: Privilege escalation scanning tool.
* **Infrastructure:**
* 212.11.64[.]250 (Web server running CyberStrikeAI on port 8080).
* 21 unique IP addresses identified across China, Singapore, Hong Kong, USA, and Japan.
## Implications
The adoption of AI-native orchestration engines like CyberStrikeAI signifies a paradigm shift where the barrier to entry for complex, multi-stage network exploitation is significantly lowered. By automating the "decision engine" of a hack, even low-skilled operators can execute rapid, sophisticated campaigns against critical edge infrastructure. This leads to an increased volume and velocity of attacks that traditional manual defense postures may struggle to contain.
## Mitigations
* **Edge Device Hardening:** Prioritize patching of Fortinet FortiGate and other VPN/firewall appliances. Review and restrict administrative interfaces (e.g., port 443/10443) from the public internet.
* **Service Banner Monitoring:** Scrutinize network logs for unique service banners associated with AI-orchestration tools (e.g., "CyberStrikeAI" on port 8080).
* **Behavioral Identity Analysis:** Monitor for rapid, automated transitions between scanning, exploitation, and post-exploitation tools (e.g., Nmap followed immediately by Impacket/Mimikatz).
* **Geofencing:** Implement strict geo-blocking or enhanced monitoring for traffic originating from infrastructure providers in high-risk regions mentioned (China, Hong Kong, Singapore) if not required for business operations.