CyberStrikeAI: Chinese-Linked AI Attack Platform Compromises 600+ FortiGate Devices Across 55 Countries

Between January and February 2026, a Russian-speaking threat actor exploited an open-source AI-powered attack platform to systematically compromise more than 600 Fortinet FortiGate appliances spread across 55 countries. No zero-day vulnerability was required. Weak credentials and exposed management interfaces were enough — because artificial intelligence did the rest.

At the center of this operation sits CyberStrikeAI, an AI-native offensive security tool built in Go and published on GitHub by a Chinese developer operating under the alias Ed1s0nZ. Integrating over 100 security tools, generative AI services from both Anthropic Claude and DeepSeek, and a full orchestration engine, CyberStrikeAI represents a new category of threat: an AI-augmented attack assembly line capable of scaling complex intrusion campaigns far beyond the skill level of the operator behind them.

Initially disclosed by the threat intelligence division at Amazon in February 2026, the campaign traced its scanning origin to the IP address 212.11.64[.]250. Team Cymru subsequently tracked CyberStrikeAI deployment across 21 unique IP addresses, revealing a sharp acceleration in adoption among Chinese-speaking threat actors — and direct ties between the developer and organizations linked to China’s Ministry of State Security.

Cyberwarzone has conducted an independent analysis of all available intelligence, combining primary reporting from multiple sources to deliver a comprehensive threat intelligence briefing on CyberStrikeAI, its developer, the FortiGate campaign, and the broader implications of AI-powered offensive tooling.

What Is CyberStrikeAI

Billed as “an AI-native security testing platform built in Go,” this tool was created by developer Ed1s0nZ and published on GitHub. According to its repository, the platform integrates over 100 security tools into a unified orchestration framework designed for automated vulnerability discovery, attack-chain analysis, result visualization, and knowledge retrieval.

Core capabilities advertised on the repository include:

• Intelligent orchestration engine — automated coordination of scanning, exploitation, and post-exploitation workflows
• Role-based testing — predefined security roles that guide the platform’s behavior during engagements
• Skills system — specialized testing modules for specific attack types
• Lifecycle management — comprehensive tracking from reconnaissance through exploitation and reporting
• Generative AI integration — leverages commercial AI services (Anthropic Claude and DeepSeek) for attack planning, code generation, and vulnerability assessment

Equipped with its own web-based dashboard, the platform enables operators to monitor active campaigns, review scan results, and manage multiple concurrent attack engagements from a single interface. Team Cymru identified it by its distinctive port banner visible in open port scan data.

Beyond a Penetration Testing Framework

While the repository frames CyberStrikeAI as a “security testing platform,” the integration of generative AI services for attack plan generation, combined with the developer’s other repositories — which include ransomware tooling and jailbreak techniques for AI safety filters — positions it firmly in the category of offensive security tools with clear dual-use potential. When deployed by threat actors with malicious intent, the platform effectively becomes an AI-powered attack automation engine.

Ed1s0nZ first committed the tool to GitHub on November 8, 2025. Initial adoption was minimal. However, the rapid emergence of 21 unique IP addresses running the platform between January 20 and February 26, 2026 — a span of just 37 days — indicates that awareness and operational deployment accelerated sharply in early 2026, likely catalyzed by its exposure through Knownsec 404’s Starlink Project and the broader Chinese offensive security community.

FortiGate Campaign — 600+ Devices Across 55 Countries

The primary campaign was disclosed on February 21, 2026, by the threat intelligence team at Amazon. A Russian-speaking, financially motivated threat actor used CyberStrikeAI to conduct mass scanning and exploitation of Fortinet FortiGate appliances exposed to the internet. Over approximately five weeks — January 11 to February 18, 2026 — the actor compromised more than 600 devices across 55 countries.

No Vulnerabilities Required

Critically, no exploitation of FortiGate vulnerabilities was observed. CJ Moses, Chief Information Security Officer at Amazon, stated explicitly: “This campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale.”

Scanning activity originated from the IP address 212.11.64[.]250, a server hosted in Switzerland on the SWISSNETWORK02 autonomous system. Targeted ports included 443, 8443, 10443, and 4443. Authentication attempts used commonly reused credentials, and the campaign was entirely sector-agnostic, confirming automated mass scanning.

Post-Exploitation Chain

Once FortiGate appliances were breached, the attacker extracted full device configurations, yielding credentials, network topology information, and VPN access parameters. From there, a structured post-exploitation sequence unfolded:

• VPN network access — stolen SSL-VPN credentials enabled lateral movement into victim internal networks
• Custom reconnaissance tooling — deployed in both Go and Python variants, exhibiting clear indicators of AI-assisted development including redundant comments, simplistic architecture, and naive JSON parsing
• Domain compromise — DCSync attacks to extract complete Active Directory credential databases
• Lateral movement — pass-the-hash, pass-the-ticket, NTLM relay attacks, and remote command execution on Windows hosts
• Backup infrastructure targeting — Veeam Backup and Replication servers were specifically targeted with credential harvesting tools exploiting CVE-2023-27532 and CVE-2024-40711

The full operation was described as an “AI-powered assembly line for cybercrime,” with publicly accessible attacker infrastructure hosting AI-generated attack plans, stolen victim configurations, and source code for custom tooling.

Geographic Distribution of Compromise

Compromised FortiGate clusters were detected across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Multiple devices belonging to the same organization were frequently compromised together, confirming organizational-level breach rather than individual device targeting.

Repeated failures were documented in the actor’s own notes when anything beyond the most straightforward automated attack paths was attempted — hardened environments were simply abandoned in favor of softer victims. A clear indicator of limited technical skill compensated by AI augmentation.

AI Integration in the Kill Chain

What distinguishes this campaign from conventional mass scanning operations is the deep integration of large language models at every stage of the attack lifecycle. Separate analysis by Cyber and Ramen confirmed that the threat actor leveraged two distinct generative AI services — DeepSeek and Anthropic Claude — for different operational functions.

DeepSeek for Attack Planning

DeepSeek was used to generate structured attack plans from reconnaissance data. After scanning targets and collecting configuration information, the operator fed results into DeepSeek to produce prioritized exploitation strategies. For a threat actor with limited technical depth, this effectively replaced the need for experienced human analysts.

Anthropic Claude for Vulnerability Assessment and Code Execution

Claude’s coding agent produced vulnerability assessments during active intrusions and was configured to execute offensive tools directly on victim systems. Rather than treating AI as an advisory layer, the operator integrated Claude as an active participant in the exploitation chain — a significant escalation in how generative AI is being weaponized.

ARXON — The Custom MCP Server

Analysis of the attacker’s exposed server (212.11.64[.]250) revealed a previously unreported custom Model Context Protocol (MCP) server named ARXON. According to Cyber and Ramen’s investigation, ARXON served as a bridge between the language models and the operational infrastructure:

• Processing scan results and reconnaissance data automatically
• Invoking DeepSeek to generate structured attack plans
• Leveraging scripts to modify victim infrastructure during active intrusions
• Maintaining a growing knowledge base that improved attack planning with each successive target

A second custom tool, a Go-based orchestrator called CHECKER2, handled parallel VPN scanning and target processing, enabling the operator to manage simultaneous intrusions across multiple countries from a single workstation.

Exposed Infrastructure Contents

Server 212.11.64[.]250 hosted over 1,400 files across 139 subdirectories. Contents included CVE exploit code, FortiGate configuration files, Nuclei scanning templates, Veeam credential extraction tools, BloodHound collection data, and AI-generated operational plans. A prior exposure of the same server in December 2025 revealed it had previously hosted HexStrike AI, another offensive AI framework.

As the Cyber and Ramen researcher noted: “What sets this activity apart is the integration of LLMs: a likely single operator managing simultaneous intrusions across multiple countries with analytical support at every stage. Language models only assisted a low-to-average skilled actor in removing the number of targets one person can work at any given time.”

Ed1s0nZ — Developer Profile and Chinese State Ties

Behind CyberStrikeAI stands a single developer operating under the GitHub alias Ed1s0nZ. Team Cymru’s research into this individual reveals a profile consistent with a technically skilled Chinese national with documented connections to organizations that support China’s state-sponsored cyber operations.

Offensive Tool Portfolio

Beyond CyberStrikeAI, Ed1s0nZ maintains several other GitHub repositories that collectively paint a picture of an individual deeply invested in offensive cyber capabilities:

• banana_blackmail — ransomware tooling
• PrivHunterAI — uses passive proxy and mainstream AI engines (Kimi, DeepSeek, GPT) to detect privilege escalation vulnerabilities
• ChatGPTJailbreak — techniques for bypassing AI safety filters
• InfiltrateX — automated privilege escalation scanning tool
• VigilantEye — surveillance-oriented tooling
• watermark-tool — steganographic invisible document watermarking for covert tracking of leaked documents

Taken together, these repositories represent a comprehensive offensive toolkit spanning initial access, privilege escalation, persistence, AI jailbreaking, ransomware deployment, and operational security — capabilities that extend well beyond legitimate security research.

Knownsec 404 Connection

On December 19, 2025, Ed1s0nZ posted CyberStrikeAI to the Knownsec 404 Starlink Project on GitHub. Knownsec is a Chinese cybersecurity company that, according to published reporting by DomainTools and others, performs contract work for both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). Knownsec was among the firms implicated in a major leak of over 12,000 internal documents exposing China’s contractor-driven cyber espionage ecosystem.

Submitting CyberStrikeAI to Knownsec 404’s curated project directory represents a deliberate effort to gain visibility within the Chinese state-adjacent offensive security community.

CNNVD Award — Added Then Scrubbed

On January 5, 2026, Ed1s0nZ added a credential to their GitHub profile: the CNNVD 2024 Vulnerability Reward Program Level 2 Contribution Award. CNNVD is operated by CNITSEC, which falls under MSS oversight. Researchers at BitSight have documented how CNNVD’s vulnerability reward program functions as a vehicle for the CCP to collect zero-day vulnerabilities before public disclosure.

Team Cymru observed that Ed1s0nZ subsequently removed the CNNVD reference from their GitHub profile — an apparent effort to scrub evidence of ties to MSS-affiliated organizations. Git commit records, however, preserved both the addition and the removal.

Attribution Assessment

While Ed1s0nZ developed CyberStrikeAI, the primary FortiGate campaign operator identified by Amazon was assessed as a Russian-speaking, financially motivated threat actor — not a Chinese state-sponsored group. CyberStrikeAI, as an open-source tool, is available to any actor regardless of nationality or affiliation. Team Cymru’s assessment that Chinese state-sponsored APTs may leverage the platform in the future remains a forward-looking intelligence judgment rather than a confirmed attribution.

Infrastructure Analysis — 21 Servers Across Six Countries

Team Cymru’s Pure Signal Scout platform identified 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026. Geographic hosting patterns and autonomous system data reveal a deployment footprint concentrated in Chinese-speaking regions, with secondary presence in Western hosting providers.

Hosting Distribution by Country

Servers were distributed across six countries:

• China — highest concentration, hosted on Tencent, Alibaba, Huawei Cloud, and China Telecom infrastructure
• Singapore — second highest, leveraging Scloud, DigitalOcean, Alibaba, Tencent, and Contabo data centers
• Hong Kong — presence on LUCIDACLOUD and COGNETCLOUD autonomous systems
• United States — deployed on MULTACOM, PLAY2GO, and LUCIDACLOUD infrastructure
• Japan — single server on Vultr hosting
• Switzerland — the primary campaign server (212.11.64[.]250) hosted on SWISSNETWORK02

Cloud Provider Patterns

Notable hosting patterns include heavy reliance on major Chinese cloud providers — Tencent Computer Systems appeared across four separate IP addresses, while Alibaba infrastructure hosted three. Huawei Cloud and China Telecom each hosted one server. Western providers including DigitalOcean, Vultr, and Contabo were used for servers positioned in Singapore and Japan, suggesting operators deliberately placed infrastructure in Asian data centers of Western providers to achieve both geographic proximity to targets and hosting diversity.

Temporal Deployment Analysis

Deployment timing reveals a clear acceleration pattern. Early servers appeared in late January 2026, with a sustained ramp through February. By the final assessment date of February 26, multiple new servers were being stood up daily — with five unique IPs observed on that single date alone.

Because CyberStrikeAI exposes a distinctive port banner, defenders and threat intelligence teams can leverage network scanning data to track new deployments. However, operators may begin modifying or suppressing this banner as awareness of the tracking methodology spreads — underscoring the importance of acting on current intelligence before the detection window narrows.

MITRE ATT&CK Mapping

Based on combined reporting from Amazon Threat Intelligence, Team Cymru, and Cyber and Ramen, the CyberStrikeAI-enabled FortiGate campaign maps to the following techniques:

Reconnaissance

• T1595.002 — Active Scanning: Vulnerability Scanning — Automated mass scanning of FortiGate management interfaces
• T1592 — Gather Victim Host Information — Extraction of full device configurations post-compromise

Initial Access

• T1078 — Valid Accounts — Authentication using commonly reused credentials
• T1133 — External Remote Services — Exploitation of internet-facing FortiGate management ports and SSL-VPN services

Execution

• T1059 — Command and Scripting Interpreter — AI-generated scripts executed on victim systems via Claude coding agent
• T1106 — Native API — ARXON MCP server invoking AI services via API calls

Credential Access

• T1003.006 — OS Credential Dumping: DCSync — AD credential extraction
• T1555 — Credentials from Password Stores — Veeam credential harvesting exploiting CVE-2023-27532 and CVE-2024-40711

Lateral Movement

• T1550.002 — Use Alternate Authentication Material: Pass the Hash
• T1550.003 — Use Alternate Authentication Material: Pass the Ticket
• T1557 — Adversary-in-the-Middle — NTLM relay attacks

Discovery

• T1482 — Domain Trust Discovery — BloodHound collection data on attacker infrastructure
• T1018 — Remote System Discovery — Network topology mapping from stolen FortiGate configurations

Command and Control

• T1071.001 — Application Layer Protocol: Web Protocols — ARXON MCP server communicating with DeepSeek and Claude via HTTPS APIs
• T1102 — Web Service — Commercial AI services used as operational infrastructure

Impact

• T1486 — Data Encrypted for Impact — Assessment based on targeting of backup infrastructure and credential harvesting consistent with ransomware preparation (pre-deployment stage observed)

Defensive Recommendations

Organizations running Fortinet FortiGate appliances — or any internet-facing network infrastructure — should immediately evaluate their exposure against the attack patterns documented in this campaign.

Immediate Actions

• Disable exposed management interfaces — FortiGate management ports (443, 8443, 10443, 4443) should never be accessible from the public internet
• Rotate all credentials — change default and commonly reused credentials on FortiGate appliances immediately and rotate SSL-VPN user credentials
• Enforce multi-factor authentication — implement MFA for all administrative access and VPN connections
• Audit for unauthorized accounts — review configurations for unauthorized administrative accounts or suspicious connection patterns

Network and Infrastructure Hardening

• Isolate backup infrastructure — Veeam and other backup servers should be segmented from general network access
• Patch perimeter devices — ensure all FortiGate appliances and edge devices are running current firmware
• Network segmentation — limit blast radius by segmenting networks to prevent cascading compromises
• Monitor for CyberStrikeAI port banners — scan for CyberStrikeAI banners in network telemetry and proactively block known server IPs

Detection and Monitoring

• Monitor for DCSync activity — alert on replication requests from non-domain-controller sources
• Detect BloodHound collection — watch for LDAP enumeration patterns consistent with AD reconnaissance
• Track Veeam exploitation attempts — monitor for CVE-2023-27532 and CVE-2024-40711 exploitation on backup infrastructure
• Block known infrastructure — implement IOC-based blocking for all IP addresses listed in this report

Moses emphasized: “Strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators.”

Indicators of Compromise

All IP addresses below were observed running CyberStrikeAI servers between January 20 and February 26, 2026, as documented by Team Cymru. Organizations should block these indicators and search historical logs for connections to these addresses.

CyberStrikeAI Server IP Addresses

Associated GitHub Artifacts

• CyberStrikeAI repository: github[.]com/Ed1s0nZ/CyberStrikeAI
• Ed1s0nZ profile: github[.]com/Ed1s0nZ
• Knownsec 404 submission: github[.]com/knownsec/404StarLink/issues/190

Custom Tooling Identifiers

• ARXON — custom MCP server for AI-driven attack orchestration
• CHECKER2 — Go-based parallel VPN scanning orchestrator
• HexStrike AI — predecessor offensive AI framework

Targeted Ports

• TCP 443, 8443, 10443, 4443 (FortiGate management interfaces)

Strategic Assessment — AI-Augmented Offensive Operations Are Here

CyberStrikeAI is not the first AI-powered offensive tool, nor will it be the last. But several characteristics make it strategically significant for the threat landscape in 2026 and beyond.

Lowered Barrier to Entry

According to the published assessment, the FortiGate campaign operator had “limited technical capabilities” — constraints they overcame entirely through AI augmentation. A single individual achieved an operational scale that would have previously required a significantly larger and more skilled team.

Proliferation Risk

CyberStrikeAI is freely available on GitHub. Combined with the developer’s outreach to the Chinese offensive security community through Knownsec 404, and integration of widely available commercial AI APIs, the proliferation risk is immediate. Team Cymru noted the sharp user ramp from zero to 21 active servers in just over one month.

State-Sponsored Adoption

Ed1s0nZ’s connections to Knownsec (MSS contractor) and CNNVD (MSS-overseen) create a credible pathway for Chinese APT groups to incorporate CyberStrikeAI into their operations. Team Cymru assessed a “high likelihood” of such adoption — merging AI-native automation with state-sponsored resources and persistence.

Dual AI Weaponization

Using both DeepSeek (Chinese AI) and Anthropic Claude (Western AI) in the same attack chain demonstrates that threat actors treat commercial AI services as modular operational infrastructure — selecting services based on capability rather than jurisdiction. Defenders and AI providers must contend with this reality.

Moses concluded: “As we expect this trend to continue in 2026, organizations should anticipate that AI-augmented threat activity will continue to grow in volume from both skilled and unskilled adversaries.”

Sources and Further Reading

• Team Cymru — Will Thomas, “Tracking CyberStrikeAI Usage,” March 2026. team-cymru.com
• The Hacker News — “Open-Source CyberStrikeAI Deployed in Mass FortiGate Campaign,” March 3, 2026. thehackernews.com
• Amazon Threat Intelligence — “AI-Augmented Threat Actor Accesses FortiGate Devices at Scale,” February 21, 2026. aws.amazon.com
• The Hacker News — “AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries,” February 21, 2026. thehackernews.com
• Cyber and Ramen — “LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices,” February 2026. cyberandramen.net
• DomainTools — “The Knownsec Leak.” domaintools.com
• BitSight — “Chinese Vulnerability Database Analysis.” bitsight.com
• GitHub — Ed1s0nZ CyberStrikeAI Repository. github.com/Ed1s0nZ/CyberStrikeAI
• MITRE ATT&CK — Enterprise ATT&CK Matrix. attack.mitre.org