How CyberStrikeAI Automates Attacks on FortiGate Systems

A recently discovered campaign targeting Fortinet FortiGate devices used an open-source AI-driven testing platform called CyberStrikeAI to automate attacks.

Researchers from Team Cymru traced the activity to an IP address used by a suspected Russian-speaking threat actor that performed large-scale scans for vulnerable devices. CyberStrikeAI is an AI-based offensive security tool developed by a China-based programmer known as Ed1s0nZ, who may have links to organizations connected to the Chinese government.

The activity gained attention after Amazon Threat Intelligence reported that attackers were systematically targeting FortiGate systems using generative AI services from Anthropic and DeepSeek, compromising more than 600 devices in 55 countries.

CyberStrikeAI, written in Go, integrates over 100 security tools for vulnerability discovery, attack analysis, and reporting. Researchers observed 21 IP addresses running the platform between January and February 2026, mainly hosted in China, Singapore, and Hong Kong.

The developer behind the tool has also published several other projects focused on exploitation and bypassing AI safeguards. Investigators say the developer's GitHub activity suggests interactions with groups linked to Chinese state-backed cyber operations, including Knownsec 404, a security firm previously exposed in a major internal data leak.