
Earlier this month, reports circulated widely across dark web and cybersecurity communities of a significant data breach at the Chinese cybersecurity firm Knownsec. The leaked material, reported to comprise more than 12,000 internal documents, allegedly appeared on GitHub before being quickly removed. The documents are said to reveal Knownsec's support for, and involvement in, offensive cyber operations attributed to the People's Republic of China (PRC). At this time, CyberAGroup has not independently verified the existence of the GitHub repository or of the full data set.
CyberAGroup can verify that on 2025-10-31 the user t1g3r on a dark web forum offered for sale 12,000 files of “KNOWNSEC – Chinese infosec company data” and posted 67 screenshots of the data to promote the sale. On 2025-11-07, t1g3r edited the post to note that the data had been sold.

Analysis of the published samples suggests that the information spans 2017 to late 2023 and discloses extensive offensive cyber operations conducted by Knownsec on behalf of the PRC government. While the authenticity of these samples cannot be independently verified, the following summarizes the data, which was originally in simplified Chinese:
SAMPLE SUMMARY:
Taken together, the sample documents describe a highly structured, technically advanced operation by Knownsec, revealing dual-purpose capabilities in global intelligence collection and offensive cyber tooling, supported by extensive data collection and deep ties to the Chinese state apparatus.
1) The company explicitly quantifies the substantial strategic and financial value of its core data assets (estimated annual revenue in RMB):
a) ZoomEye Cyberspace Radar Data (≈ ¥8M - ¥10M): Used for continuous monitoring of the global IPv4 space and rapid vulnerability impact assessment.
b) Key Target Database (≈ ¥5M - ¥8M): Used for strategic decision-making and business expansion, covering 26 countries/regions and specific targets.
c) Vulnerability Data (≈ ¥3M - ¥5M): Provides cutting-edge defensive and offensive intelligence (0-Day/N-Day research) to high-end government and enterprise clients.
2) “Core Platforms and Project Focus”
a) The "ZoomEye Network Radar" is a global reconnaissance platform that continuously scans the IPv4 address space, identifying hundreds of thousands of network component fingerprints per scan cycle. It enables rapid vulnerability impact assessment and large-scale asset discovery, using advanced search syntax and data fusion to expand coverage. Development efforts focus on integrating scanning engines such as ZMap and Nmap, achieving near-complete coverage of targeted regions, and refining the intelligence for threat hunting and incident response. ZoomEye is also Knownsec's publicly offered internet-wide search engine, comparable to Shodan; the documents describe that same data set in its internal reconnaissance role.
b) The "404 Security Research Project" specializes in vulnerability research and penetration testing. Its R&D centers on discovering and exploiting both zero-day and n-day vulnerabilities. The team provides technical white papers, proof-of-concept exploit code, and prioritized emergency response during major security incidents. Its internal training and published research form the foundation for the company's advanced attack and defense capabilities.
3) "Offensive Capabilities: The GHostX Suite"
The GHostX product line includes advanced tools for covert cyber operations:
a) "Internet Virtual Identity Surveillance System":
- Function: Tracing targets, bypassing IP anonymization (VPN/proxy), and extracting "mobile privacy information, social media IDs, browser passwords, and cookies."
- Attacks: Features include "keylogging, screen capturing, phishing, notification hijacking, and local file extraction."
b) "Windows Remote Control System (Trojan)":
- Function: Persistent RAT offering file browsing, process management, and credential extraction.
- Evasion: Designed to "evade over 40 mainstream anti-virus products" (including 360 and Kaspersky). This is a product claim from internal material dated no later than 2023 and should not be read as a statement of current detection status.
c) "Un-Mail Email Collection Platform":
- Function: Mass email interception (credentials, emails, attachments) from dozens of providers (QQ, Gmail, etc.) using "XSS, cookies, IMAP, and POP."
4) "Data Collection and Client Profile"
a) "Massive Data Stores": The Hive data warehouse contains extensive collections of leaked data, including global records from "LinkedIn, Facebook, Telegram" and country-specific data from "India, Vietnam, Russia, and Taiwan."
b) "Sensitive Client Base": Knownsec serves a list of Chinese government bodies and state-owned enterprises, including the "Ministry of Public Security, The People's Bank of China, State Grid, and China Mobile/Telecom."
c) "Technical Expertise": Detailed slides confirm deep knowledge of wireless network exploitation, including the "KRACK, KARMA, and WEP" attack mechanisms (WPA2 key reinstallation, rogue access point impersonation, and legacy WEP key recovery respectively).
Although our assessment is based only on the leaked samples, which represent a fraction of the data potentially available, they paint a clear picture of a major PRC cybersecurity contractor with both defensive and offensive capabilities, focused on global intelligence gathering and strategic state support. If the full leak exists and is genuine, it would deliver an unprecedented look into the mechanics, reach, and scale of China's government-linked cyber espionage industry, exposing tooling, targets, and doctrine that would likely prompt global defensive adjustments and heightened industry vigilance.
NOTE: Descriptions of the Knownsec leak circulating online go far beyond what we were able to confirm in the sample data. The Knownsec leak appears to be being confused with the February 2024 leak from i-Soon (also known as Anxun), a Chinese cybersecurity contractor that works for several Chinese government agencies, including the Ministry of Public Security and reportedly the Ministry of State Security and the People's Liberation Army. That leak did surface on GitHub and was subsequently removed. The i-Soon leak reportedly comprised hundreds of files, including internal chat logs, employee and financial data, product manuals, and business documents detailing cyber espionage tools and hacking operations against foreign governments and telecoms. It exposed i-Soon's work for Chinese state agencies, including surveillance contracts, victim data, and technical details of hacking products used against multiple countries.