Hackers Use CyberStrikeAI Tool to Breach Fortinet FortiGate Devices

Threat intelligence researchers at Team Cymru have exposed CyberStrikeAI, an open-source AI-powered offensive security tool actively targeting Fortinet FortiGate devices worldwide.

Developed by GitHub user Ed1s0nZ, this Go-based platform integrates over 100 security tools with an intelligent orchestration engine, role-based testing, a skills system, and a dashboard for full lifecycle management.

First published on November 8, 2025, it saw little attention until a sudden surge in usage.

Between January 20 and February 26, 2026, Team Cymru spotted 21 unique IP addresses running CyberStrikeAI, marking a sharp rise in threat actor adoption.

CyberStrikeAI Dashboard from GitHub (Source: Team Cymru)

Amazon Threat Intelligence first flagged a key server at IP 212.11.64[.]250, linked to a campaign compromising over 600 FortiGate devices across 55 countries from January 11 to February 18.

Team Cymru’s Scout platform confirmed a CyberStrikeAI service banner on port 8080, with NetFlow data showing direct communications to FortiGate appliances. The infrastructure last ran the tool on January 30, 2026.

IP address running CyberStrikeAI targeting a Fortinet FortiGate device.

Developer Ties to Chinese State Actors Raise Alarms

Ed1s0nZ’s profile shows strong links to Chinese state-sponsored operations. On December 19, 2025, they submitted CyberStrikeAI to the Knownsec 404 Starlink Project, tied to China’s Ministry of State Security (MSS) and People’s Liberation Army (PLA).

Ed1s0nZ’s post sharing CyberStrikeAI to Knownsec 404’s Starlink Project (Source: Team Cymru)

On January 5, 2026, they added a CNNVD Level 2 Contribution Award to their profile (the CNNVD program is overseen by the MSS and rewards zero-day collection), then deleted it, likely to obscure affiliations.

Other repos like PrivHunterAI for privilege escalation detection and InfiltrateX for scanning reinforce an exploitation focus.

Attackers used CyberStrikeAI’s AI to craft step-by-step plans, command sequences, and methods. No zero-days were needed; they hit exposed management ports and weak single-factor authentication to steal credentials.

Most of the servers were hosted in China, Singapore, and Hong Kong, consistent with a Chinese developer base.

Fortinet users must act fast. Audit all FortiGate appliances and disable internet-exposed management interfaces. Enforce multi-factor authentication on edge devices.

Monitor NetFlow and port scans for CyberStrikeAI banners on port 8080. Block IP 212.11.64[.]250 and related infrastructure.
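The monitoring advice above can be turned into a simple flow-log check. The script below is an added example, not code from the article or from Team Cymru: it reads NetFlow-style records and flags three things the article describes, a flow touching the published indicator 212.11.64[.]250, a FortiGate talking back to a remote host on port 8080 (the port on which the CyberStrikeAI banner was seen), and a connection to a FortiGate management port from a source outside an admin allowlist. The flow lines are constructed for the example; the FortiGate address, the management port list and the admin network are assumptions you would replace with your own values.

```python
"""Added example (not from the article or Team Cymru): flag flow records that
involve the published IoC, a FortiGate reaching out to port 8080, or management
access from a non-allowlisted source.  Sample flows, the FortiGate address,
management ports and admin range are all constructed/assumed."""
import csv
import io
import ipaddress


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 212.11.64[.]250 into a usable address."""
    return ip.replace("[.]", ".")


# Indicator published in the article (defanged there)
IOC_IPS = {refang("212.11.64[.]250")}

# Assumptions for this example: our FortiGate's WAN address (TEST-NET-3),
# the ports its admin GUI/SSH listen on, and the range admins connect from.
FORTIGATE_IPS = {"203.0.113.10"}
MGMT_PORTS = {443, 22, 8443}
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed NetFlow-style export: src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
198.51.100.7,51234,203.0.113.10,443,tcp,8812
212.11.64.250,44120,203.0.113.10,443,tcp,2201
203.0.113.10,51002,212.11.64.250,8080,tcp,930
192.0.2.77,60111,203.0.113.10,22,tcp,412
203.0.113.10,40001,192.0.2.200,443,tcp,1500
"""


def in_admin_nets(ip: str) -> bool:
    """True when the address falls inside one of the allowlisted admin ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def classify_flow(rec: dict) -> list:
    """Return the reasons (possibly none) a single flow deserves attention."""
    reasons = []
    src, dst = rec["src"], rec["dst"]
    dport = int(rec["dport"])
    if src in IOC_IPS or dst in IOC_IPS:
        reasons.append("ioc-match")
    # The report spotted the tool by its service banner on port 8080, so a
    # FortiGate initiating a connection to a remote 8080 is worth a look.
    if src in FORTIGATE_IPS and dport == 8080:
        reasons.append("fortigate-to-8080")
    # Management ports should only ever be reached from the admin range.
    if dst in FORTIGATE_IPS and dport in MGMT_PORTS and not in_admin_nets(src):
        reasons.append("mgmt-from-unknown-source")
    return reasons


def find_suspicious_flows(csv_text: str) -> list:
    """Parse the export and return (summary, reasons) for every flagged record."""
    flagged = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify_flow(rec)
        if reasons:
            summary = f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]}'
            flagged.append((summary, reasons))
    return flagged


if __name__ == "__main__":
    for summary, reasons in find_suspicious_flows(SAMPLE_FLOWS):
        print(summary, ",".join(reasons))
```

Run against a real export, the interesting signal is not the indicator match, which the attacker can change by moving servers, but the two structural checks: a management port reached from anywhere other than the admin range, and an edge device opening connections to an unexpected port. Those survive an infrastructure change; the IoC list does not.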

Harden backups to stop credential-based lateral movement. For context on similar FortiGate threats.

Team Cymru warns that accessible AI tools like this will speed up adoption by Chinese APT groups, enabling automated exploitation of vulnerable edge devices at scale.

As AI blurs offensive tools with legitimate testing, global networks face escalating risks from state-backed automation.


The post Hackers Use CyberStrikeAI Tool to Breach Fortinet FortiGate Devices appeared first on Cyber Security News.