Global Targets & Secret Tools: Massive Leak Exposes China’s Knownsec Cyber-Intelligence
Hackers have released what appears to be the largest data breach in the history of Chinese cybersecurity — exfiltrating archives from Knownsec, a firm closely tied to state structures in the People’s Republic of China. The published trove, comprising over 12,000 classified documents, exposes the inner workings of a national cyber-intelligence program: bespoke attack tools, operational playbooks, and global target lists spanning more than twenty countries. The disclosure has provoked a storm of interest among international experts, because it is the first time a leak of this scale has so thoroughly revealed the inner contours of China’s network-operations ecosystem.
The leak was first noticed on 2 November 2025, when files appeared on GitHub; although platform administrators later removed the material for violating terms of service, duplicates had already proliferated across research forums and private repositories used by security analysts. The documents include internal reports, source code for specialized tooling, and spreadsheets that detail Knownsec’s interactions with Chinese government entities. Among the materials are descriptions of network operations against foreign targets, internal credentials, and billing records — all of which point to the attackers’ access to Knownsec’s corporate infrastructure.
Founded in 2007 and backed by a major investment from Tencent in 2015, Knownsec employed over 900 people and operated regional offices across China prior to the incident. The company is recognised as one of China’s pioneers in cloud-based monitoring and distributed defence, counting financial institutions, government agencies, and large internet platforms among its clients. That pedigree makes the leak particularly consequential: the breach strikes not only a single contractor, but also the broader model of private-sector engagement in state cyber-intelligence projects.
Far from commercial collateral, the leaked archives reveal strategic infrastructure. The most striking elements are spreadsheets cataloguing global targets: facilities in Japan, Vietnam, India, Indonesia, Nigeria, the United Kingdom, and others. One table lists 80 overseas targets said to have been successfully compromised. Examples cited include 95 GB of migration data exfiltrated from India, 3 TB of phone records from South Korea’s LG U+, and 459 GB of roadway documentation obtained from Taiwan. Collectively, these artifacts depict an intimate linkage between Knownsec and operations aimed at intelligence collection beyond China’s borders.
Alongside target data, the archives contain technical descriptions of offensive tooling. The company allegedly maintained suites of multi-functional Remote Access Trojans (RATs) tailored for intrusion on Linux, Windows, macOS, iOS, and Android. Of particular note is an Android component capable of harvesting message histories from Chinese messaging apps and Telegram. The dump also references bespoke hardware used in field operations — for example, a modified power bank that silently uploads data to an operator server when connected to a victim’s computer. These disclosures suggest Knownsec’s role encompassed not only analysis but also practical, operational tradecraft.
The leak further confirms the existence of an in-house mail-intelligence system, Un-Mail, designed to extract and analyze correspondence. Accompanying materials reference internal HR systems, financial transaction reports, and project schematics documenting collaboration with various branches of China’s security apparatus. For researchers, these artifacts constitute direct evidence supporting the hypothesis that several well-known Chinese cybersecurity vendors perform state tasks within the cyber-operations domain.
A spokesperson for China’s Ministry of Foreign Affairs told Mrxn that they had no knowledge of any data leakage from Knownsec and reiterated that China opposes all forms of cyberattack. The statement is evasive and leaves room for interpretation; it neither refutes nor addresses the possibility of private contractors acting under state direction. In the current geopolitical climate, such phrasing is typically read as positioning: cyber operations are framed as instruments of national security rather than offenses warranting public scrutiny.
Analysts note that this breach may rank as the most consequential exposure of China’s internal cyber-operations architecture in recent years, outstripping prior publications about APT infrastructures in scale and sensitivity. International researchers are already poring over the archives to refine understanding of the attack techniques and to map overlaps with known campaigns that targeted infrastructure across Asia and Europe. Should the authenticity of the files be confirmed, the incident could transform prevailing assumptions about how China organizes and governs its state cyber-intelligence apparatus.