CyberStrikeAI Tool Behind FortiGate Attacks in 55 Countries

By alex2404

Researchers have identified the tool used in a recent AI-assisted cyberattack campaign targeting Fortinet FortiGate appliances: an open-source platform called CyberStrikeAI, developed by a China-based programmer with assessed ties to the Chinese government.

The attribution comes from Team Cymru, which traced the tool’s use to an IP address linked to a suspected Russian-speaking threat actor. That actor had been conducting automated mass scanning for vulnerable FortiGate devices. The overlap between a Russian-speaking operator and a Chinese-developed tool points to the increasingly decentralized nature of offensive cyber infrastructure — where tools built in one country are readily adopted by actors elsewhere.

CyberStrikeAI first drew wider attention last month, when Amazon Threat Intelligence reported that an unknown attacker had systematically targeted FortiGate appliances using generative AI services including Anthropic Claude and DeepSeek. The campaign compromised over 600 appliances across 55 countries. Amazon identified the campaign's AI-assisted character; Team Cymru has now placed it in a specific tooling context by naming the platform involved.

The platform itself is built in Go and hosted on GitHub under the alias Ed1s0nZ. According to its repository description, it integrates more than 100 security tools and supports vulnerability discovery, attack-chain analysis, knowledge retrieval, and result visualization. Between January 20 and February 26, 2026, Team Cymru observed 21 unique IP addresses running CyberStrikeAI, with servers concentrated in China, Singapore, and Hong Kong, and additional instances detected in the U.S., Japan, and Switzerland.

The developer behind the tool has a notable digital footprint. Security researcher Will Thomas assessed that Ed1s0nZ has interacted with organizations connected to Chinese government-sponsored cyber operations, including private sector firms with known ties to the Ministry of State Security. One such organization is Knownsec 404, a Chinese security vendor that experienced a significant document leak late last year. That leak exposed employee records, government clientele, hacking tools, and stolen data from South Korean and Taiwanese sources, along with details of active cyber operations. A subsequent analysis described Knownsec as a “state-aligned cyber contractor” with a shadow organization serving the PLA and MSS — far removed from its public-facing role as a conventional security company.

Ed1s0nZ has also been quietly editing their GitHub profile. References to receiving a Level 2 Contribution Award from China's National Vulnerability Database of Information Security (CNNVD), an entity overseen by the Ministry of State Security, have been removed. The scrubbing, Thomas noted, appears designed to obscure state connections as the tool's visibility grows.

China's two parallel national vulnerability databases carry relevant context here: CNNVD, operated by the MSS-affiliated China Information Technology Security Evaluation Center, and CNVD, operated by CNCERT/CC. CNNVD has previously been found to delay publication of higher-severity vulnerabilities, a pattern researchers interpret as deliberate: holding those vulnerabilities for potential operational use before public disclosure closes the window.

CyberStrikeAI sits at an intersection that security researchers have flagged as increasingly consequential: open-source offensive tools fused with AI capabilities, distributed through public repositories, and apparently developed within an ecosystem that has documented ties to state intelligence infrastructure. The tool’s current adoption spans multiple countries and operator types. That breadth, more than any single incident, reflects how AI-augmented offensive tooling is now moving through the threat landscape — not through tightly controlled channels, but through the same open platforms anyone can access.


This article is a curated summary based on third-party sources.
