The Prototype: A.I. driven cyber offense
A rare find on the "China Net" provides an exclusive look into the future of Chinese offensive cyber operations. Meet "The Prototype": a conceptual AI cyber offensive tool from China.
The increasing use of AI in hacking operations and cyber offense is neither surprising nor unnoticed by cybersecurity firms. China, in particular, is aggressively advancing AI across all sectors and is well-positioned to dominate many of them. While we are still in the early stages of this evolution, I invite you to come with me and see how deep the rabbit hole goes.
But first a little bit of background. Some time ago, I stumbled upon a massive data dump pulled from Censys, exposing 2.3 TB of CloudFront web infrastructure in the United States. You can find my take on this rather unusual find here.
Tracing the breadcrumbs back to the database's origin, I discovered an intriguing web application. Though the Elasticsearch database itself had been taken down, in its place runs an NGINX server hosting a web dashboard built with Vue.js, hinting at something even more interesting beneath the surface.
At first glance, it holds quite an extensive amount of information, and valuable information at that. The system identifies itself as an "IoT Detection Prototype" and is presented in a rather appealing manner to the end user.
But first, why an outward-looking "Internet of Things" (IoT) scanner? A lot of our digital world, including electricity grids, Internet services, mobile networks and other services, relies on small, low-key devices that may not have the performance of an iPhone 16 but do a limited set of tasks reliably well and can be online 24/7. It makes sense to go for such devices first if you want to get into digital infrastructure on a national level.
Naturally, vulnerabilities in these devices present a lucrative opportunity for hackers and state-backed actors, "hopefully" granting them access to critical digital infrastructure, whether corporate or governmental. And that, it seems, is precisely what this prototype is designed to exploit.
Let's dive deeper, as there is much more to uncover.
One of the first things that stands out is the graphical element in the top left corner: some form of device counter that differentiates between "overseas equipment" (orange) and "total equipment" (blue), implying a clear distinction between domestic and foreign IoT devices. The prototype appears to be primarily focused on those outside of China.
The "carousel" on the right displays a live feed of detected IoT devices, including their Internet Service Provider (ISP), IP address, and geographical coordinates (latitude and longitude). The designers of this system seem particularly interested in pinpointing the exact location of these devices, at least as accurately as possible.
Upon closer inspection, the nature of these devices suggests that they belong to ISPs operating outside of China. The implication? This prototype appears to be mapping and potentially targeting foreign Internet communication infrastructure.
Looking further, we quickly notice another window that lists common IoT communication protocols, such as Modbus and DNP3. Based on the dashboard labeling, the system appears to scan for vulnerabilities within these protocols and store the devices it finds. How it determines those vulnerabilities is unknown at this point.
To the right of the protocol section, we find a general distribution of identified devices, and what immediately stands out is the high concentration of devices based in Taiwan in the sample dataset the dashboard visualizes (slightly less than half). There are also some in the U.S., Europe, and even mainland China, but overall this prototype seems particularly focused on demonstrating its ability to locate vulnerable IoT devices in Taiwan.
A key question arises: is this dashboard providing a real-time view into an active system collecting live data, or is it merely a static demonstration, replaying pre-compiled data from a fixed dataset? Some of the data displays are animated and at times even change the count. Could it actually be a working prototype?
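The dashboard lists Modbus and DNP3 as protocols it scans for; from the defender's side, the same activity shows up in flow logs as one source touching many hosts on those protocol ports in a short window. The following is an added example, not code from the post or from the prototype; the port-to-protocol mapping, the thresholds and the flow lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mapping of ICS ports to the protocols the dashboard names.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}

# Constructed sample flow lines: "<ISO time> <src_ip> <dst_ip> <dst_port>".
# 203.0.113.7 sweeps five hosts on ICS ports within seconds (plus one
# unrelated HTTPS flow); 192.0.2.50 polls a single Modbus host repeatedly.
SAMPLE_FLOWS = """\
2025-03-20T10:00:01 203.0.113.7 198.51.100.10 502
2025-03-20T10:00:02 203.0.113.7 198.51.100.11 502
2025-03-20T10:00:02 203.0.113.7 198.51.100.12 20000
2025-03-20T10:00:03 203.0.113.7 198.51.100.13 502
2025-03-20T10:00:03 203.0.113.7 198.51.100.14 502
2025-03-20T10:00:09 192.0.2.50 198.51.100.10 502
2025-03-20T10:00:40 192.0.2.50 198.51.100.10 502
2025-03-20T10:02:00 203.0.113.7 198.51.100.60 443
"""

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows

def find_ics_sweeps(flows, min_hosts=4, window_s=60):
    """Return {src: set(dst)} for sources that reach at least min_hosts
    distinct destinations on ICS ports within any window_s-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ICS_PORTS:          # only protocol ports of interest
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                sweeps[src] = sweeps.get(src, set()) | hosts
    return sweeps
```

Running `find_ics_sweeps(parse_flows(SAMPLE_FLOWS))` flags only 203.0.113.7; the single-host poller is legitimate-looking traffic and is left alone.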
Managing expectations
Analyzing its network activity from the browser, the dashboard appears to load all visualizations only once at startup via an API call to the server, using the Vue.js framework. This is somewhat underwhelming. Sending a simple HTTP GET request to the API easily retrieves the full dataset for the carousel window.
However, checking the listed IP addresses reveals that many of these devices are indeed active IoT devices, not just placeholders. Judging by the amount of data, most of it seems to originate from commercial Internet scanning services like Shodan, Censys etc. So while this isn't a purely fabricated dataset, it still feels a little disappointing, as it doesn't seem to show a functioning real-life prototype (yet).
Resizing the browser window and testing Vue.js's redraw behavior reveals additional hidden menu items in the background, though. Whether this is intentional or just poor UI formatting is unclear. Regardless, clicking around eventually leads us into a more detailed, menu-driven setup, one that contains a wealth of additional information.
The system appears to be a blend of back-end management and a presentation outlining how this prototype is designed to function. You can upload IP lists via a text file that the system will then scan for you (see image below), and it seems to work.
The first notable element is a detailed chart illustrating the logical flow of information: how the prototype retrieves data from IoT devices and processes it. This is particularly intriguing because it is quite detailed.
What stands out even more is the first mention of machine learning within this workflow. The chart outlines how a learning model is built to identify targets and ultimately reach a decision. While the exact nature of that "decision" remains unclear, it strongly suggests that the system is designed to assess whether a given target is viable for an attack. It may even make this decision itself at some point to expand on the identified attack surface.
Not just window shopping: breaking and entering
Another slide illustrates how the system expands its target list after successfully breaching a device. Subnet discovery and network mapping appear to be an integral part of the prototype. While this isn't entirely unexpected for such tools, it's still intriguing to see how lateral movement is part of the overall concept. The tool is not just meant for scanning from the outside; the plan seems to be to penetrate target infrastructure and dig deeper, identifying more vulnerable devices as it moves along.
A brief observation:
If the binary probing mechanism dynamically adapts based on network responses, it could be more efficient than brute-force scanning.
The structured subnet partitioning + topology generation might provide a more automated and scalable way to discover subnets.
The integration of hidden router discovery and subnet mapping in a single process could improve accuracy and efficiency.
The next slide outlines a sophisticated method for pinpointing the physical location of an IoT device using landmark devices, likely an attempt to achieve a more precise and granular position. It is not a novel approach, but it is interesting to see it in this context.
One slide references a confusion matrix, a common machine learning (ML) technique used to evaluate model performance by comparing predictions to actual results. This method helps assess how well the model performs tasks like information classification.
It illustrates this concept applied to the detection of IoT traffic within a broader network dataflow.
Whoever designed this prototype clearly wanted this software to be quite versatile and data hungry. A chart outlining a potential data storage structure suggests the system could store up to 1 petabyte, that is 1,024 terabytes, an enormous and costly amount of storage.
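To make the slide's evaluation concrete, here is an added example (not from the post or the prototype) that builds the confusion matrix for a binary "is this flow IoT traffic?" classifier and derives the usual scores from it; the labels are constructed so that the class imbalance typical of such datasets shows why accuracy alone is misleading.

```python
# Labels are constructed: 1 = IoT traffic, 0 = other traffic.

def confusion_matrix(actual, predicted):
    """Return the four cells (tp, fp, fn, tn) for binary labels, positive = 1."""
    if len(actual) != len(predicted):
        raise ValueError("label vectors differ in length")
    pairs = list(zip(actual, predicted))
    tp = sum(1 for a, p in pairs if a == 1 and p == 1)   # IoT flagged as IoT
    fp = sum(1 for a, p in pairs if a == 0 and p == 1)   # other flagged as IoT
    fn = sum(1 for a, p in pairs if a == 1 and p == 0)   # IoT missed
    tn = sum(1 for a, p in pairs if a == 0 and p == 0)   # other left alone
    return tp, fp, fn, tn

def metrics(tp, fp, fn, tn):
    """Derive accuracy, precision, recall and false-positive rate from the cells."""
    total = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / total,
        # share of flagged flows that really are IoT
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        # share of real IoT flows the model caught
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        # share of non-IoT flows wrongly flagged
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

# Constructed sample: 20 flows, 4 of them IoT. The model flags 4 flows:
# 2 genuine IoT devices and 2 ordinary hosts, and it misses 2 IoT devices.
ACTUAL = [1, 1, 1, 1] + [0] * 16
PREDICTED = [1, 1, 0, 0] + [1, 1] + [0] * 14

if __name__ == "__main__":
    cells = confusion_matrix(ACTUAL, PREDICTED)
    print("tp, fp, fn, tn =", cells)
    for name, value in metrics(*cells).items():
        print(f"{name:20s} {value:.3f}")
```

On this sample the model scores 80% accuracy while finding only half of the IoT devices, which is exactly the gap a confusion matrix makes visible.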
The menu also includes several backend management functions, or at least demonstrations of them. Beyond interfaces for querying what appears to be a massive backend database (the hypothetical 1 PB repository), there's also a more detailed information panel on the vulnerable devices the prototype has identified. However, once again, this data doesn't appear to be generated dynamically. Instead, it loops through a hardcoded dataset, fetched via an API call to /api/v1/device_fingerprints/ when the page loads.
UPDATE ( 29th of March 2025 )
It looks like there was a hidden "info" panel, which I found only after inspecting the JavaScript code that executes when the web dashboard is opened. It pretty much confirms my conclusion. But take a look for yourself:
and here...
Conclusion
What exactly are we looking at here? This is a tool designed for offensive cyber operations. Given its primary focus on non-Chinese IoT devices, it's unlikely to be intended for routine red-team penetration testing. The nature of the information, combined with its strong emphasis on Taiwanese targets, suggests a more strategic, potentially nefarious, intent.
From what I can decipher (and what the "info" panel describes), the theory behind the system is conceptually sophisticated enough not to be just some "weekend project". The integration of machine learning, the use of advanced geolocation techniques, and the ability to measure network-based travel distances between devices all indicate that this is far beyond a simple hobby exercise (although some people do have extreme hobbies).
After consulting with professional cybersecurity experts, the general consensus is that this is most likely a prototype developed as part of a high-level university research project; it resembles a proof of concept. Maybe we will soon see it in action, maybe it already is operational in some way. Still, a lot of questions remain unanswered.
Regardless of its origins, one thing is clear: Chinese offensive cyber operations are rapidly evolving. The focus on IoT devices in critical infrastructure, and the incorporation of machine learning and other advanced techniques into their tools, suggests a future where these capabilities will play a significant role in cyber warfare and intelligence gathering. China wants to be the tip of the spear.