China's Dual Use Tech: AI
Earlier this year, China quietly released a 2025 draft of its AI Security Governance Standards. On the surface it looks like standard regulatory noise — lifecycle management, model reliability, industrial safety. But if you read closely, the real story emerges: Beijing isn't just building AI to monitor, trace, and regulate. It is building AI to empower offensive operations.
The document openly frames "empowered security" as more than defense. It describes AI for automated malware analysis, anomaly detection, phishing-email analysis, and penetration testing. It envisions AI-driven attack-defense ranges, automated exploit discovery, and large models tuned for network-traffic monitoring and threat hunting.
In other words, China is laying the foundation for AI-assisted cyber operations at scale.
If this sounds theoretical, it isn't. China's ecosystem is already blurring the line between research and operations, and one striking example is Yakit, a Chinese-developed penetration-testing platform built around the Yaklang scripting language. Officially it's a network-security automation tool — think of it like the Chinese Burp Suite and Metasploit in one. In practice, it's a dual-use offensive framework.
Adding to this, YakLang was leveraged to develop the XiaoZhi (小智) tool — essentially Yakit supercharged with AI. XiaoZhi takes the payload generation, WebShell handling, and MITM capabilities of Yakit and layers on machine learning for adaptive exploitation. Where traditional vulnerability scanning can only report the vulnerabilities it finds, XiaoZhi uses the knowledge-graph characteristics of a detected vulnerability to determine whether it can be chained and deeply exploited — pushing toward more comprehensive, automated detection. It's the embodiment of what Beijing's 2025 AI plan envisions: automated offensive security that can think and act at scale, with near-full automation.
Yakit itself already comes preloaded with payload generation, MITM features, and native support for the Behinder, Godzilla, and AntSword WebShells — all staples of Chinese APT campaigns. It lowers the barrier to real-world exploitation while maintaining plausible deniability as a legitimate red-team tool.
None of this is accidental. The CEO behind 四维创智 has roots in the Red Hacker Alliance and provincial security programs, reflecting the fluid boundary between commercial security tooling and state-aligned offensive capability. In that context, the AI governance draft feels less like compliance guidance and more like a playbook for the next phase of cyber power: automated frameworks that blend industrial AI, regulatory cover, and offensive capacity into a single ecosystem.
The company behind XiaoZhi, 四维创智, says it serves military and state clients only, and that its founder prefers selling to the state rather than the mass market — a business model tightly aligned with government and defense use. Interestingly, both the CEO of 四维创智 and the lead maintainer of the public Yakit repository share an academic background from a Chinese university long recognized as a recruitment source for MSS cybersecurity talent. While this does not imply direct involvement in operations, it highlights how China's dual-use security ecosystem often grows from academic pipelines that feed into state and commercial projects alike.
And this is just one example. China's cybersecurity ecosystem is full of companies that present as benign security vendors, but whose tools operate — or allow operation — in dual-use spaces, serving both legitimate testing and state-aligned operations under the radar. This reflects an industry pattern rather than a single company's approach.
For OSINT analysts and CTI teams, this case study — and the first China-nexus campaign already observed — is the signal: China's AI push isn't just about factories and self-driving cars. It's about industrializing cyber operations, reducing the gap between vulnerability discovery and exploitation, and letting algorithms do the heavy lifting in the field. Our assessment is that Yakit and its derivatives will likely appear more frequently in China-nexus intrusion activity going forward. As dual-use tools like Yakit and XiaoZhi mature, their automation, WebShell handling, and adaptive-exploitation capabilities make them attractive for both sanctioned red teams and unsanctioned threat actors within the same ecosystem.
This research is original work of EPCYBER. As above, it's an independent assessment provided to illustrate the evolving landscape of AI-driven security tooling, and does not make formal attributions.