Leaks Expose BlackBasta’s Supporting Infrastructure and China-Linked KnownSec Espionage Pipeline
Two major leak-driven investigations detailed how criminal and state-aligned cyber operations are enabled by supporting ecosystems. Internal chat logs attributed to the BlackBasta ransomware group—reportedly ~200,000 messages in a leaked JSON archive—were followed by a separate database leak tied to Media Land (including server configurations, customer records, user accounts, and cryptocurrency wallet data), which investigators linked to Yalishanda, a long-running bulletproof hosting provider allegedly used to support ransomware infrastructure. Separately, a large leak from Beijing-based security firm KnownSec was reported to expose a “vertically integrated” contractor model supporting China’s Ministry of Public Security, including the ZoomEye internet intelligence platform integrated with a classified “TargetDB” and references to offensive tooling (e.g., GhostX) used for reconnaissance, intrusion, and persistence.
Other items in the set were not about these leak-driven exposures and instead covered unrelated topics: a PR firm’s Wikipedia manipulation (disinformation), a Citizen Lab job posting, generic ransomware resilience guidance, a general cyber-attacks timeline, a vendor’s 2026 threat landscape outlook, a law-enforcement disruption of a ransomware crew in Ukraine/Germany, a podcast on vulnerability management/incident response, an Olympics cybersecurity risk report, German legislative proposals expanding BND hacking/surveillance powers, and a malware-newsletter link roundup. Those references do not materially add to the specific story of the BlackBasta/Yalishanda infrastructure leaks or the KnownSec leak and should be treated as separate reporting streams.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Leaked KnownSec files detail ZoomEye, TargetDB, and offensive tools
The leaked KnownSec materials described ZoomEye feeding a classified TargetDB that allegedly tracked more than 24,000 organizations and 378 million IP addresses across 26 regions. They also identified tools including GhostX, Un-Mail, and Passive Radar, along with an offensive research unit called 404 Lab and a breached-credential data lake.
KnownSec leak exposes alleged state-aligned cyber-espionage pipeline
By January 2026, leaked internal KnownSec documents reportedly revealed how the Beijing-based firm supported China's Ministry of Public Security and other state entities with offensive cyber capabilities. The materials described a vertically integrated system for reconnaissance, intrusion, and long-term surveillance.
OFAC sanctions Media Land and Data Center Kirishi
On November 19, 2025, OFAC, coordinated with Australia and the United Kingdom, sanctioned Media Land and its subsidiary Data Center Kirishi. The action also identified Aleksandr Volosovik and Kirill Zatolokin as key individuals supporting the infrastructure.
Second leak exposes Media Land database tied to ransomware infrastructure
In March 2025, a second leak released a database associated with Media Land, a seemingly legitimate Russian business. The data reportedly revealed infrastructure and customer details connecting Media Land to ransomware operations and to Yalishanda.
ExploitWhispers leaks BlackBasta internal communications
In February 2025, a Telegram user named ExploitWhispers leaked BlackBasta's internal communications, publishing a JSON archive of about 200,000 messages. The leak reportedly exposed real-world identities and operational details linked to the ransomware group.
BlackBasta leaked chat archive ends in September 2024
The exposed JSON archive of roughly 200,000 BlackBasta messages extended through September 2024. The material reportedly documented the group's infrastructure use and internal coordination over that period.
BlackBasta internal chats (later leaked) begin in September 2023
A large archive of BlackBasta internal communications that was later exposed covered messages from September 2023 through September 2024. These chats reportedly revealed operational details and identities tied to the ransomware group.
Yalishanda begins operating as a bulletproof hosting provider
Reporting on the leaks says Yalishanda had been operating since late 2009, allegedly providing hosting and technical support that later enabled ransomware activity. It was described as part of the infrastructure layer supporting groups such as BlackBasta.