CyberStrikeAI
CyberStrikeAI is an open-source, AI-native offensive security/testing platform (OST) written in Go and hosted on GitHub (maintained by a China-based developer using the alias “Ed1s0nZ”). It integrates 100+ security tools and provides AI-driven orchestration for vulnerability discovery, attack-chain analysis, knowledge retrieval, result visualization, and a web dashboard for monitoring operations; reporting states it lowers the barrier to large-scale automated exploitation.
Threat activity: Team Cymru reported CyberStrikeAI being leveraged in an AI-assisted campaign targeting edge devices, particularly Fortinet FortiGate appliances. In that reporting, automated mass scanning for vulnerable FortiGate devices was associated with IP 212.11.64[.]250 (attributed in the report to a suspected Russian-speaking threat actor). Team Cymru identified a “CyberStrikeAI” banner on an exposed host and, via global NetFlow monitoring, observed communications between 212.11.64[.]250 and FortiGate targets. Amazon Threat Intelligence previously reported an unknown attacker using generative AI services (including Anthropic Claude and DeepSeek) to compromise more than 600 FortiGate appliances across 55 countries.
Infrastructure observations: Between January 20 and February 26, 2026, Team Cymru observed 21 unique IPs running CyberStrikeAI, primarily hosted in China, Singapore, and Hong Kong, with additional servers in the United States, Japan, and Switzerland.
Attribution/associations (as reported): Team Cymru assessed CyberStrikeAI had ties to a China-based developer with possible links to Chinese government-aligned organizations, including entities tied to China’s Ministry of State Security (MSS). Reporting noted interactions with Knownsec 404 (described by DomainTools as a state-aligned cyber contractor) and that the developer removed references to CNNVD recognition (CNNVD described as overseen by the MSS), suggesting an effort to obscure potential state associations.
Indicators explicitly mentioned in the content: IP address 212.11.64[.]250 (CyberStrikeAI banner; FortiGate-targeting scanning/communications).
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An open-source AI-enabled offensive security tool discussed as potentially having China-linked developer ties (per the source).
An open-source, Go-based AI-augmented offensive security/testing platform that integrates 100+ security tools to support vulnerability discovery, attack-chain analysis, knowledge retrieval, and visualization; observed being used for automated mass scanning of vulnerable Fortinet FortiGate appliances.
An open-source, Go-based AI-orchestrated offensive security platform that integrates 100+ security tools and provides a web dashboard to automate and scale reconnaissance and exploitation against targets (notably Fortinet FortiGate edge devices), lowering the barrier for large-scale automated network exploitation.