
KnownSec Data Breach: Inside China's State-Sponsored Cyber Arsenal

In early November 2025, a massive data breach at Knownsec, a prominent Chinese cybersecurity firm with government connections, exposed over 12,000 classified documents revealing the company’s role in state-sponsored cyber operations. The leak, first reported by Chinese security blogger MXRN, provides an unprecedented look into the offensive cyber capabilities, targeting strategies, and successful espionage operations conducted by what appears to be a commercial cybersecurity vendor operating as an extension of Chinese intelligence services.

Who is KnownSec?

Founded in August 2007, Knownsec (北京知道创宇信息技术股份有限公司) emerged as a pioneer in cloud-based security monitoring and defense within China’s cybersecurity ecosystem. The Beijing-based company received substantial strategic investment from tech giant Tencent in 2015 and grew to employ over 900 personnel across multiple Chinese offices.

KnownSec holds high-level status within Chinese cybersecurity infrastructure, designated as a “first-class” (甲级) CNCERT emergency service support unit for 2024-2025, having previously been classified as a “national-level” unit from 2021-2023. This official recognition indicates deep integration with China’s government cybersecurity apparatus.

The Breach Discovery

The leaked materials, originally from a 2023 dataset, were briefly uploaded to GitHub in early November 2025 before being removed for platform policy violations. According to NetAskari’s analysis, the full dataset subsequently migrated to darknet markets where it is being sold commercially. An ImgBB album containing 63 screenshots from the leaked materials has circulated among security researchers.

While reports suggest the leak “didn’t hold any extreme sensitive information,” the exposed documentation reveals KnownSec’s extensive product offerings to Chinese security agencies and the scope of their offensive cyber operations.

The Offensive Arsenal

The leaked documents expose a comprehensive suite of offensive capabilities that KnownSec developed and deployed:

GhostX Framework

The centerpiece of the leaked materials is the GhostX attack suite, featuring “Un-Mail,” described as an email interception and exploitation platform. According to the documentation, the tool uses cross-site scripting (XSS) techniques to harvest login credentials from multiple webmail providers, including Gmail, Yahoo, and Chinese services. The framework is presented as a turnkey solution for credential theft and email surveillance.

Remote Access Trojans (RATs)

The leak revealed multi-platform RAT capabilities targeting Linux, Windows, macOS, iOS, and Android systems. A Windows Trojan module documented in the materials supports keylogging, screen capture, and command execution, reportedly designed to “bypass major Chinese antivirus programs.” Android malware code was specifically designed to extract message histories from Chinese chat applications including WeChat and QQ, as well as Telegram.

Network Exploitation Tools

Documentation detailed WiFi intrusion methods including man-in-the-middle (MITM) attacks, ARP spoofing, and exploitation of KRACK, the 2017 key-reinstallation attack against the WPA2 four-way handshake (CVE-2017-13077 and related). None of these is cutting-edge, and KRACK has been patched in mainstream client and access-point firmware since late 2017, but their inclusion demonstrates systematic capability development across multiple attack vectors, and they still work against devices that never received those patches.
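The ARP-spoofing step of the WiFi MITM chain described above is also the easiest one to catch from the wire. The following is an added example, written for this page and not drawn from the leaked KnownSec materials or from any tool the article names: it parses a constructed, tcpdump-style ARP reply log (the line format is an assumption modelled on tcpdump's `-n -tt` output), learns which MAC legitimately answers for each IP during a short trusted window, and then flags an IP such as the default gateway that is later claimed by a different MAC, as well as a single MAC that claims an implausible number of addresses.

```python
import re
from collections import defaultdict

# Constructed sample capture in a tcpdump-like "-n -tt" ARP format (assumption:
# this layout is modelled on tcpdump's output, not taken from a real capture).
# The gateway 192.168.1.1 is legitimately at 00:11:22:33:44:55 for the first
# ten seconds; then de:ad:be:ef:00:01 starts claiming both the gateway and a host.
SAMPLE_CAPTURE = """\
1700000000.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
1700000001.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
1700000001.100000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01, length 28
1700000002.000000 ARP, Reply 192.168.1.11 is-at aa:bb:cc:dd:ee:02, length 28
1700000012.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
1700000012.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
1700000013.000000 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests and junk lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield float(m.group("ts")), m.group("ip"), m.group("mac").lower()


def build_baseline(replies, until_ts):
    """First-seen IP -> MAC mapping from replies before until_ts (the trusted learning window)."""
    baseline = {}
    for ts, ip, mac in replies:
        if ts < until_ts and ip not in baseline:
            baseline[ip] = mac
    return baseline


def detect_arp_spoof(replies, baseline, protected_ips=None, max_ips_per_mac=3):
    """
    Return a list of alert tuples:
      ("ip_conflict", ip, baseline_mac, new_mac)  - an IP answered by a MAC other than the
                                                    one learned for it (gateway impersonation
                                                    is the classic MITM setup)
      ("mac_fanout", mac, n_ips)                  - one MAC claiming more than
                                                    max_ips_per_mac distinct IPs
    protected_ips limits ip_conflict alerts to those addresses (e.g. the gateway);
    None means every IP is watched. Each (ip, mac) conflict is reported once.
    """
    alerts = []
    known = dict(baseline)
    reported = set()
    ips_per_mac = defaultdict(set)
    for _ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        prev = known.get(ip)
        if prev is None:
            known[ip] = mac  # first time this IP answers; learn it
        elif prev != mac and (ip, mac) not in reported:
            if protected_ips is None or ip in protected_ips:
                alerts.append(("ip_conflict", ip, prev, mac))
                reported.add((ip, mac))
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_fanout", mac, len(ips)))
    return alerts


def analyze_capture(text, learn_seconds=10.0, protected_ips=None):
    """Learn a baseline from the first learn_seconds of the capture, then scan all of it."""
    replies = list(parse_arp_replies(text))
    if not replies:
        return []
    start = replies[0][0]
    baseline = build_baseline(replies, start + learn_seconds)
    return detect_arp_spoof(replies, baseline, protected_ips=protected_ips)


if __name__ == "__main__":
    for alert in analyze_capture(SAMPLE_CAPTURE, protected_ips={"192.168.1.1"}):
        print(alert)
```

The same first-seen logic is what arpwatch implements on a host, and switch-side Dynamic ARP Inspection does the stronger version by validating replies against DHCP snooping bindings instead of a learned baseline. The learning-window assumption only holds if the capture starts before the attacker does, which is the main reason to prefer the switch-side control where it is available.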

ZoomEye: Global Infrastructure Mapping

ZoomEye, KnownSec’s internet-wide scanner in the same category as Shodan or Censys, claims to sweep the entire IPv4 address space (roughly 4.3 billion addresses) in 7 to 10 days. Combined with their “Passive Radar” packet-capture analysis tool, described in the documents as used for military asset mapping, this represents a formidable reconnaissance capability for identifying exposed critical infrastructure globally.

Malicious Hardware

Perhaps most concerning is documentation of physical attack tools, including compromised portable power banks designed to covertly siphon data from any connected device. Implants of this kind work over the USB data lines rather than the power lines, which is why charge-only cables and USB data blockers are the standard countermeasure for untrusted chargers. These hardware implants extend cyber operations into the physical domain.

Global Targeting Scope

The most damaging revelation came from the “key target library” document, which showed KnownSec mapped critical infrastructure across multiple nations, focusing on military, telecommunications, energy, and political systems.

The leaked structured datasets included LinkedIn profiles organized by country (“linkedin_brazil,” “linkedin_southafrica”), exposing professional contact information and occupational details suitable for intelligence targeting and social engineering operations.

Over 20 countries appeared in the targeting database, with particularly extensive listings for Taiwan and India. Other nations prominently featured included Japan, Vietnam, Indonesia, Nigeria, the United Kingdom, the United States, Australia, Canada, New Zealand, Thailand, Malaysia, the Philippines, and Pakistan.

Documented Successful Operations

The breach exposed not just capabilities but evidence of successful espionage operations. A spreadsheet listing 80 documented overseas attacks included specific data theft operations:

  • 95GB of Indian immigration data – Allegedly stolen in 2024, including border infrastructure mapping
  • 3TB of call records from South Korean telecom LG U Plus – A massive telecommunications surveillance operation
  • 459GB of Taiwan road planning data – Infrastructure intelligence collection

These quantified data exfiltration operations demonstrate KnownSec moved beyond capability development into active intelligence collection at scale.

Implications for Cybersecurity

This breach illuminates the blurred boundaries between China’s commercial cybersecurity sector and state intelligence operations. As one analysis noted, this disclosure is “comparable to a major defense contractor having its classified weapon blueprints stolen and publicly sold.”

The revelation that a “trusted” cybersecurity vendor with legitimate commercial operations simultaneously develops offensive tools and maintains targeting databases raises fundamental questions about supply chain security. Organizations worldwide rely on security vendors, and the KnownSec case demonstrates how such relationships can be exploited for intelligence gathering.

The leak also exposes the systematic nature of Chinese cyber operations – from reconnaissance tools scanning the entire internet, to exploitation frameworks, to hardware implants, to documented data exfiltration at the terabyte scale. This represents a mature, industrial-scale cyber espionage capability.

China’s Official Response

Beijing has officially denied the reports. A Foreign Ministry spokesperson stated she was unaware of any KnownSec breach, reaffirming that “China firmly opposes and combats all forms of cyberattacks in accordance with the law.” This denial follows China’s typical pattern of disavowing cyber espionage allegations despite mounting evidence.

Conclusion

The KnownSec breach provides a rare, detailed look into the infrastructure supporting state-sponsored cyber operations. While individual tools may not represent cutting-edge technology, the systematic integration of reconnaissance, exploitation, and data exfiltration capabilities – backed by targeting databases spanning continents – reveals a sophisticated operation.

For defenders, this leak offers valuable intelligence about adversary tools, techniques, and targeting priorities. Organizations in the documented target countries, particularly those in critical infrastructure sectors, should review their security postures with the assumption that similar mapping and targeting operations may be ongoing.

The incident underscores an uncomfortable reality: the line between commercial cybersecurity services and state intelligence operations can be vanishingly thin, particularly in authoritarian regimes where government direction of private enterprise is standard practice. As research into China’s cyber ecosystem shows, “Red Hackers” and their commercial successors have long operated at this intersection.

The full scope of the KnownSec leak remains incompletely analyzed, as few researchers have accessed the complete dataset. As more details emerge, expect deeper insights into the tools, targeting, and operations conducted under the guise of legitimate cybersecurity services.
