Mallory

hexstrike_ai

Also known as: hexstrike_ai

HexStrike AI is described as an open-source MCP server, now packaged in Kali Linux, that enables an AI agent to autonomously drive more than 150 offensive security tools.

In Zenity’s March 2026 observations, an operator pointed a desktop LLM client at an exposed Ollama instance and sent the full HexStrike AI toolset to the backend, apparently using the exposed inference service as anonymous compute for offensive AI operations rather than exploiting a software vulnerability. The observed request defined roughly 150 tools under the mcp__hexstrike__ namespace, including capabilities associated with nmap, nuclei, sqlmap, Metasploit, hydra, kube-hunter, prowler, pacu, file creation and modification, payload generation, and arbitrary Python execution. Before sending the full toolset, the same source enumerated the server’s installed models. Zenity assessed this activity as staging or capability testing rather than a live operation against a named target.

The broader reporting groups HexStrike AI with autonomous penetration-testing frameworks observed abusing exposed Ollama and LiteLLM endpoints that lacked authentication or were weakly protected. No additional aliases or sub-groups are directly supported by the reporting.
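A defender-side check for the request pattern described above, as an added example that is not code from Zenity or the HexStrike AI project: it scans request logs from a reverse proxy in front of Ollama for model enumeration followed by a chat request carrying a large mcp__hexstrike__ toolset. The JSON log layout, the 20-tool threshold, the sample addresses and the tool names after the prefix are constructed assumptions.

```python
import json

PREFIX = "mcp__hexstrike__"          # tool namespace reported in the observed request
MIN_TOOLS = 20                       # assumed alert threshold; tune per environment
ENUM_PATHS = {"/api/tags", "/v1/models"}            # Ollama model-listing endpoints
CHAT_PATHS = {"/api/chat", "/v1/chat/completions"}  # endpoints that accept `tools`

def tool_names(body):
    """Return function names from an Ollama/OpenAI-style `tools` array."""
    tools = body.get("tools") if isinstance(body, dict) else None
    names = []
    for tool in tools if isinstance(tools, list) else []:
        fn = tool.get("function") if isinstance(tool, dict) else None
        if isinstance(fn, dict) and isinstance(fn.get("name"), str):
            names.append(fn["name"])
    return names

def detect(log_lines):
    """Flag chat requests that carry a large mcp__hexstrike__ toolset."""
    enumerated, findings = set(), []
    for line in log_lines:
        try:
            rec = json.loads(line)
            src, method = rec["src"], rec["method"]
            path = str(rec["path"]).split("?")[0]
        except (ValueError, KeyError, TypeError):
            continue                                  # skip malformed log lines
        if method == "GET" and path in ENUM_PATHS:
            enumerated.add(src)                       # source listed installed models
        elif method == "POST" and path in CHAT_PATHS:
            names = tool_names(rec.get("body"))
            hits = sum(n.startswith(PREFIX) for n in names)
            if hits >= MIN_TOOLS:
                findings.append({"src": src, "hexstrike_tools": hits,
                                 "enumerated_models_first": src in enumerated})
    return findings

def chat_line(src, names):                            # builds a constructed log line
    tools = [{"type": "function", "function": {"name": n}} for n in names]
    return json.dumps({"src": src, "method": "POST", "path": "/api/chat",
                       "body": {"model": "example-model", "tools": tools}})

SAMPLE_LOG = [                                        # constructed sample, not real traffic
    json.dumps({"src": "198.51.100.7", "method": "GET", "path": "/api/tags"}),
    chat_line("198.51.100.7", [f"{PREFIX}tool_{i:03d}" for i in range(150)]),
    chat_line("203.0.113.9", ["get_weather"]),        # ordinary tool-calling client
    "not json",
]
```

Calling detect(SAMPLE_LOG) returns one finding, for the source that listed models and then sent the 150-tool request; the ordinary tool-calling client and the malformed line are ignored.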
