I-Soon Leak Exposes Chinese State-Linked Hacking Operations
A leaked trove of internal files from Chinese contractor I-Soon exposed tools, target lists, pricing documents, and operational details tied to cyber-espionage work reportedly conducted on behalf of Chinese government entities. Reporting indicates the material links I-Soon to intrusions and surveillance activity targeting foreign governments, telecommunications providers, ethnic minorities, dissidents, and online platforms, while also outlining services such as account compromise, data theft, social media monitoring, and infrastructure support for offensive operations.
The disclosures provide a rare inside view of China’s contractor ecosystem, showing how a private firm allegedly supplied hacking capabilities to public security and intelligence customers through a commercialized menu of services. Researchers and media reports said the leak included screenshots, chat logs, and project records that appeared to document operational workflows, victim targeting, and the broader relationship between state agencies and outsourced cyber operators, offering unusual transparency into how Chinese cyber-espionage campaigns may be organized and monetized.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers report Chinese APT campaigns targeting ASEAN-linked entities
On or around the March 2024 ASEAN-Australia Special Summit, Palo Alto Networks Unit 42 observed Mustang Panda targeting organizations in Myanmar, the Philippines, Japan, and Singapore, while also noting a separate breach of an ASEAN-affiliated victim. Trend Micro separately reported Earth Krahang had targeted 116 entities in 35 countries since early 2022, with overlaps suggesting links to Earth Lusca and contractor I-Soon.
Researchers analyze leak and detail I-Soon's cyber operations
Security researchers and media outlets analyzed the leaked I-Soon materials and published findings describing the company's offensive cyber capabilities, pricing, victim targeting, and relationships with Chinese state customers. These reports framed the leak as a rare window into China's contractor-based cyber ecosystem.
Large cache of I-Soon internal files leaks online
A substantial trove of internal documents, chat logs, contracts, and tooling information from Chinese cybersecurity contractor I-Soon was posted publicly, exposing details of the firm's operations and customers. The leak revealed apparent links between I-Soon and Chinese government and public security entities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Two Chinese APT Groups Ramp Up Cyber Espionage Against ASEAN Countries
thehackernews.com
Open sourceHacking firm I-Soon data leak revealed Chinese gov hacking capabilities
securityaffairs.com
Open sourceUnmasking I-Soon | The Leak That Revealed China's Cyber Operations | SentinelOne
sentinelone.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
KnownSec Data Breach Exposes Chinese Cyber Tools and Global Target Lists
Chinese cybersecurity firm KnownSec suffered a significant data breach, resulting in the leak of over 12,000 internal documents. The files, briefly posted on GitHub before removal, reportedly include details on KnownSec's contracts with Chinese government and military entities, internal hacking tools, and a spreadsheet listing 80 overseas targets. Analysis of the leaked data suggests the presence of remote access trojans (RATs) capable of compromising Linux, Windows, macOS, iOS, and Android systems, with some tools able to extract data from popular messaging apps such as Telegram and Chinese platforms. The breach also exposed large datasets, including 95GB of Indian immigration data, 3TB of call records from South Korea's LG U Plus, and 459GB of Taiwanese road planning data. Security researchers and analysts have described the leak as an intelligence gold mine, providing rare insight into the operations of a major Chinese cyber contractor. While the exact motivation behind the leak remains unclear—whether it was the act of a disgruntled insider or an external hack-and-dump operation—the incident highlights the scale and scope of KnownSec's cyber activities, including its role in mapping foreign digital infrastructure and developing tools for state-sponsored operations. The exposure of these documents is likely to have significant implications for both Chinese cyber operations and the security of the affected international targets.
Mar 21, 2026
Alleged Leak of Chinese Military-Linked Data and Knownsec Cyber Operations Documents
A broad exposure of **Chinese state-linked sensitive data** resurfaced across underground and open reporting, combining claims of a massive leak from the **National Super Computer Center in Tianjin** with renewed circulation of previously stolen **Knownsec** corporate documents. One report described a threat actor using the name `airborneshark1` and the alias **Flaming China** to advertise an alleged **10 PB** dataset purportedly taken from the NSCC, a government-owned high-performance computing environment used by academic institutions, state-owned enterprises, and military-affiliated research partners. The available sample data was assessed by the source as likely genuine, although the full scale of the claimed exfiltration remains unverified and may imply prolonged access or insider assistance if authentic. Separately, a partial re-release of the **Knownsec** leak revived reporting on more than **12,000 classified documents** allegedly exposing the internal capabilities of a major Chinese cybersecurity firm tied to government and military work. The leaked material reportedly included multi-platform **RATs**, Android malware targeting chat data, hardware-based collection tools such as a malicious power bank, and spreadsheets identifying overseas targets in more than 20 countries, alongside evidence of large-scale data theft from India, South Korea, and Taiwan. The Kazakhstan **Daryn Online** and Tanzania **BRELA** breach reports describe unrelated criminal data-sale listings and do not match the China-focused state-linked leak activity covered in the relevant reporting.
Mar 25, 2026
China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting **China-linked espionage** that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit **classified or sensitive information**; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches. Separately, a former Google engineer, **Linwei Ding**, was found guilty of **economic espionage and trade secret theft** after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both **human intelligence** and **cyber-enabled theft** targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.
Mar 21, 2026