KnownSec Data Breach Exposes Chinese Cyber Tools and Global Target Lists
Chinese cybersecurity firm KnownSec suffered a significant data breach, resulting in the leak of over 12,000 internal documents. The files, briefly posted on GitHub before removal, reportedly include details on KnownSec's contracts with Chinese government and military entities, internal hacking tools, and a spreadsheet listing 80 overseas targets. Analysis of the leaked data suggests the presence of remote access trojans (RATs) capable of compromising Linux, Windows, macOS, iOS, and Android systems, with some tools able to extract data from popular messaging apps such as Telegram and Chinese platforms. The breach also exposed large datasets, including 95GB of Indian immigration data, 3TB of call records from South Korea's LG U Plus, and 459GB of Taiwanese road planning data.
Security researchers and analysts have described the leak as an intelligence gold mine, providing rare insight into the operations of a major Chinese cyber contractor. While the exact motivation behind the leak remains unclear—whether it was the act of a disgruntled insider or an external hack-and-dump operation—the incident highlights the scale and scope of KnownSec's cyber activities, including its role in mapping foreign digital infrastructure and developing tools for state-sponsored operations. The exposure of these documents is likely to have significant implications for both Chinese cyber operations and the security of the affected international targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Reports detail leaked KnownSec cyber tools, contracts, and target lists
Subsequent reporting said the leaked files exposed KnownSec's alleged Chinese government contracts, internally developed offensive tooling, and a broad target list covering organizations in multiple countries. Analysts also noted the newest leaked files appeared to date to 2023, suggesting the material was not current.
KnownSec internal documents are leaked online via GitHub
More than 12,000 internal documents from Chinese security firm KnownSec were briefly posted to GitHub by an unknown individual before being removed. Reporting said the source of the leak was unclear, with analysts considering either an insider leak or a hack-and-dump operation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Chinese Tech Firm Leak Reportedly Exposes State Linked Hacking
hackread.com
Open sourceRisky Bulletin: Another Chinese security firm has its data leaked
news.risky.biz
Open sourceData breach at Chinese infosec firm reveals cyber-weapons and target list
go.theregister.com
Open sourceData breach at Chinese infosec firm reveals cyber-weapons and target list
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Alleged Leak of Chinese Military-Linked Data and Knownsec Cyber Operations Documents
A broad exposure of **Chinese state-linked sensitive data** resurfaced across underground and open reporting, combining claims of a massive leak from the **National Super Computer Center in Tianjin** with renewed circulation of previously stolen **Knownsec** corporate documents. One report described a threat actor using the name `airborneshark1` and the alias **Flaming China** to advertise an alleged **10 PB** dataset purportedly taken from the NSCC, a government-owned high-performance computing environment used by academic institutions, state-owned enterprises, and military-affiliated research partners. The available sample data was assessed by the source as likely genuine, although the full scale of the claimed exfiltration remains unverified and may imply prolonged access or insider assistance if authentic. Separately, a partial re-release of the **Knownsec** leak revived reporting on more than **12,000 classified documents** allegedly exposing the internal capabilities of a major Chinese cybersecurity firm tied to government and military work. The leaked material reportedly included multi-platform **RATs**, Android malware targeting chat data, hardware-based collection tools such as a malicious power bank, and spreadsheets identifying overseas targets in more than 20 countries, alongside evidence of large-scale data theft from India, South Korea, and Taiwan. The Kazakhstan **Daryn Online** and Tanzania **BRELA** breach reports describe unrelated criminal data-sale listings and do not match the China-focused state-linked leak activity covered in the relevant reporting.
Mar 25, 2026
Leaks Expose BlackBasta’s Supporting Infrastructure and China-Linked KnownSec Espionage Pipeline
Two major leak-driven investigations detailed how criminal and state-aligned cyber operations are enabled by supporting ecosystems. Internal chat logs attributed to the **BlackBasta** ransomware group—reportedly ~200,000 messages in a leaked JSON archive—were followed by a separate database leak tied to *Media Land*, which investigators linked to **Yalishanda**, a long-running bulletproof hosting provider allegedly used to support ransomware infrastructure (including server configurations, customer records, user accounts, and cryptocurrency wallet data). Separately, a large leak from Beijing-based security firm **KnownSec** was reported to expose a “vertically integrated” contractor model supporting China’s **Ministry of Public Security**, including the *ZoomEye* internet intelligence platform integrated with a classified “TargetDB” and references to offensive tooling (e.g., **GhostX**) used for reconnaissance, intrusion, and persistence. Other items in the set were not about these leak-driven exposures and instead covered unrelated topics: a PR firm’s Wikipedia manipulation (disinformation), a Citizen Lab job posting, generic ransomware resilience guidance, a general cyber-attacks timeline, a vendor’s 2026 threat landscape outlook, a law-enforcement disruption of a ransomware crew in Ukraine/Germany, a podcast on vulnerability management/incident response, an Olympics cybersecurity risk report, German legislative proposals expanding BND hacking/surveillance powers, and a malware-newsletter link roundup. Those references do not materially add to the specific story of the BlackBasta/Yalishanda infrastructure leaks or the KnownSec leak and should be treated as separate reporting streams.
Mar 21, 2026
I-Soon Leak Exposes Chinese State-Linked Hacking Operations
A leaked trove of internal files from Chinese contractor **I-Soon** exposed tools, target lists, pricing documents, and operational details tied to cyber-espionage work reportedly conducted on behalf of Chinese government entities. Reporting indicates the material links I-Soon to intrusions and surveillance activity targeting foreign governments, telecommunications providers, ethnic minorities, dissidents, and online platforms, while also outlining services such as account compromise, data theft, social media monitoring, and infrastructure support for offensive operations. The disclosures provide a rare inside view of China’s contractor ecosystem, showing how a private firm allegedly supplied hacking capabilities to public security and intelligence customers through a commercialized menu of services. Researchers and media reports said the leak included screenshots, chat logs, and project records that appeared to document operational workflows, victim targeting, and the broader relationship between state agencies and outsourced cyber operators, offering unusual transparency into how Chinese cyber-espionage campaigns may be organized and monetized.
Jun 7, 2026