Knownsec Data Breach: A Trove of Espionage Tradecraft with an Insider Narrative


Key Takeaways

  • The Knownsec data breach exposed sophisticated state-linked Chinese espionage tools, global targeting methodologies, and internal documentation, offering critical insights into state-sponsored cyber operations.
  • The breach was likely facilitated by an *insider*, possibly a rogue employee, indicating internal power struggles mirroring previous incidents like the i-Soon leak.
  • Leaked assets include advanced hacking tools like the “Un-Mail” email eavesdropping platform, “Windows T-Horse” Remote Control System (RCS) designed to evade over 40 antivirus applications, and extensive target lists spanning more than 20 countries.
  • Knownsec maintains deep affiliations with the Chinese government, military, and public safety departments, utilizing products like ZoomEye for network reconnaissance and “Chuangyu Shield” for cyber defense.
  • The incident underscores the urgent need for comprehensive cyber threat intelligence, dark web monitoring, advanced breach detection, and robust supply-chain information security to counter sophisticated state-backed threats.


The cybersecurity community has processed numerous significant incidents throughout 2025, but the Knownsec data breach stands out as a trove of espionage tradecraft with an insider narrative. This incident exposed the internal operations of a prominent state-linked Chinese cybersecurity firm, revealing advanced espionage tools, global targeting methodologies, internal documentation, and evidence of cyber operations aimed at other countries. Despite official denials and downplaying from the Chinese government, the breach provides critical insight into the capabilities and targets of state-sponsored cyber activity. Resecurity’s comprehensive analysis, based on the complete acquired dataset, aims to increase awareness within the cybersecurity community of the nature and implications of such operations.

The leaked Knownsec tradecraft details the tools used externally to monitor and compromise targets, including foreign governments, critical infrastructure, and private-sector enterprises. It also reveals internal mechanisms for tracking Chinese companies and individuals for intelligence, control, and counterintelligence purposes. Once exposed, these tools can be picked up and reused by others, which muddies attribution, diverts suspicion from entities acting on behalf of the Chinese government, and preserves plausible deniability for the actors involved; the leak may also be fueling internal power struggles.

The Knownsec Breach: An Overview

The timeline of the Knownsec data breach indicates that around November 7, 2025, the stolen data was offered for sale on the dark web by an actor operating under the alias “t1g3r,” a moniker without prior history, suggesting its creation was specifically to publicize this leak. The same data set reappeared for sale on another underground community in December. This incident exhibits characteristics similar to the i-Soon leak, involving another Chinese cybersecurity venture engaged in offensive cyber operations and espionage. However, the root cause in the Knownsec case is not attributed to random hacking but points to a more delicate issue: insider activity.

Insights gathered by our threat intelligence teams indicate the source of the leak likely originated from an insider, potentially a rogue employee. This assessment is corroborated by comments from other actors familiar with the situation, who suggested the leak was a tactic to instigate an internal power struggle, mirroring the modus operandi observed in the Shanghai i-Soon incident.

Knownsec, officially Beijing Knownsec Information Technology Co., Ltd., is a major Chinese cybersecurity company recognized for its close affiliations with the Chinese government and military. The company is known for its “Internet Aegis” and “Enterprise Digital Fortress” systems, and for ZoomEye, an Internet-wide search engine for exposed devices and services comparable to Shodan.

The breach led to the leakage of over 12,000 internal documents from Knownsec. These documents provide a rare look into China’s state-backed cyber arsenal and operational scope. Materials briefly posted on GitHub disclosed:

  • Hacking Tools: A collection of cyber tools, including Remote Access Trojans (RATs) designed to compromise various operating systems (Linux, Windows, macOS, iOS, Android), allowing persistent remote access.
  • Global Targets: Extensive surveillance target lists spanning more than 20 countries and regions, including India, South Korea, Taiwan, Japan, Vietnam, and the UK.
  • Stolen Data: Evidence of large volumes of exfiltrated data, such as 95 GB of Indian immigration records, 3 TB of South Korean call logs from LG U Plus, and 459 GB of Taiwanese transport data.

The remaining data was made available for sale on various underground communities and dark web marketplaces. This exposure underscores why organizations need to monitor underground markets for their own compromised data, since that is often the first place it surfaces.

Sophisticated Espionage Tradecraft and Tooling

Analysis of the leaked materials by Resecurity identified several tools developed by Knownsec for offensive cyber operations. These tools encompass capabilities for data theft and the deployment of malicious code, alongside more specialized solutions for Internet surveillance. This tradecraft appears designed to fulfill the specific requirements of Knownsec’s state-side customers, and it is plausible that some tools are also used by the company itself for intelligence gathering worldwide.

Email Content Eavesdropping Platform

One tool, “Un-Mail,” facilitates email content acquisition through multiple methods:

  • Password Attack
  • Online Login (via Web)
  • Email Forwarding
  • Data Overview and Lists
  • Email Management, Sender/Receiver Accounts, Transit/Proxy Settings
  • Account deletion capabilities

The “Email Management” interface includes fields for Number, Title, Sender, Receiver, Password, Host, Progress Status, Creation Time, and Actions. A core feature of this tool is its ability to map relationships between senders and receivers, leveraging intelligence analysis techniques to detect and extract critical data points from emails. This visualization capability allows for a deeper understanding of communication networks.
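The “Email Forwarding” acquisition method listed above relies on inbox rules that silently copy a victim’s mail to an attacker-controlled address. The following Python is an added example of the corresponding defensive check, not Knownsec’s tooling or any mail vendor’s export format: it audits a constructed list of mailbox rules and scores the ones that forward or redirect to external domains, weighting the tricks that hide the forwarded copy from the mailbox owner. The field names, `INTERNAL_DOMAINS`, the scoring weights and the sample records are all assumptions.

```python
"""Added example: audit inbox rules for covert auto-forwarding.

Rule records and field names are constructed for illustration; map them
onto whatever your mail platform actually exports.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: domains that belong to our own tenant.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False   # deletes the original after forwarding
    mark_as_read: bool = False     # keeps the owner from noticing new mail
    enabled: bool = True


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(rule: InboxRule) -> list[str]:
    """Addresses the rule sends mail to that are outside our domains."""
    return [a for a in rule.forward_to + rule.redirect_to
            if _domain(a) not in INTERNAL_DOMAINS]


def score_rule(rule: InboxRule) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more likely an eavesdropping rule."""
    if not rule.enabled:
        return 0, []
    score, reasons = 0, []
    ext = external_recipients(rule)
    if ext:
        score += 5
        reasons.append("sends mail to external recipient(s): " + ", ".join(ext))
        # Hiding tricks only matter when mail actually leaves the tenant.
        if rule.delete_message:
            score += 3
            reasons.append("deletes the original, hiding the forwarded copy")
        if rule.mark_as_read:
            score += 2
            reasons.append("marks mail as read so the owner sees no activity")
    if len(rule.name.strip()) <= 1:
        score += 2
        reasons.append("blank or single-character rule name")
    return score, reasons


def audit(rules: list[InboxRule], threshold: int = 5) -> list[tuple[str, str, int, list[str]]]:
    """(mailbox, rule name, score, reasons) for rules at or above threshold, most suspicious first."""
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            findings.append((rule.mailbox, rule.name, score, reasons))
    return sorted(findings, key=lambda f: -f[2])


# Constructed sample: three ordinary rules and one that matches the Un-Mail pattern.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Project digest",
              forward_to=["team-lead@corp.example.com"]),
    InboxRule("bob@example.com", ".",
              redirect_to=["collector-7713@mail.invalid"],
              delete_message=True, mark_as_read=True),
    InboxRule("carol@example.com", "Old archive",
              forward_to=["archive@mail.invalid"], enabled=False),
    InboxRule("dave@example.com", "Backup copy",
              forward_to=["dave.personal@mail.invalid"]),
]

if __name__ == "__main__":
    for mailbox, name, score, reasons in audit(SAMPLE_RULES):
        print(f"{score:>2}  {mailbox}  rule={name!r}")
        for reason in reasons:
            print(f"      - {reason}")
```

Run against a real export, the “Backup copy” style rule (external forward, nothing hidden) is the one that most often turns out to be a user’s own doing; the blank-named, delete-after-redirect rule is the one worth escalating immediately.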

Remote Control System (RCS) – Windows T-Horse

Another identified solution is a Remote Control System (RCS), internally codenamed “Windows T-Horse.” Compatible with the Windows NT line (Windows 2000 and later), it shares functionality with Remote Administration Tools (RATs): file browsing, remote management, screen monitoring, keystroke capture, credential extraction, and offline operation with online/offline notifications. Its specifications claim evasion of over 40 major antivirus products, including Qihoo 360, Avira, and Kaspersky, as well as host-based firewalls. The product is reportedly offered on a yearly subscription, bypasses User Account Control (UAC), and uses covert communication channels over DNS. The presence of such tools highlights the importance of breach detection that extends beyond signature-based methods.

Compromised Data of Foreign Countries

Knownsec’s operations involve the acquisition of substantial volumes of compromised data. This data is subjected to analytics based on geography, identified organizations, domain information, and network details. A significant focus was observed on Japan, with targeting criteria related to military, government, energy, and transportation organizations. Evidence also indicated the collection of compromised data from domestic Chinese enterprises, including Chinese Bidding, Xinbaopeizi, SINOVAC, and government agencies like 12306 (Chinese Railway) and cdcyl.org (Communist Youth League of China). These lists contained password data, likely for cross-referencing to gain access to accounts associated with specific individuals.

Lists of foreign enterprises included Yam.com (a Taiwanese email provider), Kaungba (a Chinese crypto-mining service), and Ledger (a French crypto-wallet company). The aggregation of data from previously breached organizations suggests a strategy of identifying targets of interest, with “Unknown” entries possibly indicating data obtained from third parties or purchased on dark web marketplaces. This is why tracking underground forums matters: it is the earliest point at which such aggregation can be anticipated and countered.

Network Reconnaissance – ZoomEye

Extensive datasets related to Taiwan’s critical infrastructure organizations and agencies were identified, detailing publicly accessible network devices. This data likely feeds into Knownsec’s ZoomEye product or is used for targeted exploitation activities against Taiwan. Documents also referenced “1-day” exploits, intended to facilitate successful exploitation based on network reconnaissance results. One document illustrates this: “XXX company’s VPN has been exposed to an 1day loophole, and there are about 100,000 VPN devices, on the internet, of XXX company – searched via ZoomEye data. Because there are so many IPs, we’re unsure of which IPs we should target to continue our objectives.”

Knownsec developed a Critical Infrastructure Target Database (关基目标库) to prioritize and navigate these targets. Prioritized countries for targeting included Taiwan, the US, Japan, India, Korea, Vietnam, Singapore, Australia, Thailand, Malaysia, the UK, Canada, New Zealand, Philippines, Brunei, Guam, Indonesia, Myanmar, Russia, Ukraine, Mongolia, Macau, Pakistan, and Poland. High-priority industries included defense, arms manufacturing, government, political parties, energy, transportation, telecommunications, broadcasting, finance, healthcare, multimedia, and education. The largest number of artifacts collected were associated with the United States, Canada, Japan, and Russia.
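The workflow the leaked document describes, a 1-day in a VPN product, a ZoomEye result set of roughly 100,000 exposed devices, and a target database that ranks them by country and industry, is exactly what a defender should run against their own perimeter first. The following Python is an added example of that self-assessment, not ZoomEye’s API or Knownsec’s tooling: it takes constructed records in the shape of a search-engine export, keeps only hosts inside the organization’s own netblocks, matches product versions against a hypothetical affected-version table, and orders the hits by a sector weight mirroring the industries the target database prioritizes. The product names, version ranges, netblocks (RFC 5737 documentation ranges), sector weights and sample records are all assumptions.

```python
"""Added example: attacker's-eye triage of our own exposed services.

Input records imitate a ZoomEye/Shodan-style export; product names,
affected-version ranges and netblocks are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    ip: str
    product: str
    version: str
    org: str
    sector: str


# Assumption: the organization's own address space (RFC 5737 documentation ranges).
OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical affected ranges: product -> [(first affected, first fixed)].
AFFECTED = {
    "ExampleVPN Gateway": [("8.0", "8.9.1"), ("9.0", "9.4.3")],
}

# Rough weights mirroring the industries the leaked target database prioritizes.
SECTOR_WEIGHT = {"defense": 5, "government": 5, "energy": 4, "transportation": 4,
                 "telecommunications": 4, "finance": 3, "healthcare": 3, "education": 2}


def parse_version(text: str) -> tuple[int, ...]:
    """'9.4.3' -> (9, 4, 3); a trailing letter such as '9.4b' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when version falls in [first affected, first fixed) for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed)
               for lo, fixed in AFFECTED.get(product, []))


def is_ours(ip: str, netblocks=OUR_NETBLOCKS) -> bool:
    """Drop third-party hosts that a broad search-engine query drags in."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def triage(exposures: list[Exposure]) -> list[Exposure]:
    """Our hosts running an affected version, highest-value sector first."""
    hits = [e for e in exposures if is_ours(e.ip) and is_affected(e.product, e.version)]
    return sorted(hits, key=lambda e: (-SECTOR_WEIGHT.get(e.sector, 1), e.ip))


# Constructed export: two real hits, one patched host, one foreign host, one unrelated product.
SAMPLE_EXPORT = [
    Exposure("203.0.113.10", "ExampleVPN Gateway", "9.1.2", "Harbor Authority", "transportation"),
    Exposure("203.0.113.22", "ExampleVPN Gateway", "9.4.3", "Grid Operator", "energy"),
    Exposure("198.51.100.5", "ExampleVPN Gateway", "8.7", "Naval Systems Lab", "defense"),
    Exposure("192.0.2.77", "ExampleVPN Gateway", "9.1.0", "Someone Else", "government"),
    Exposure("203.0.113.40", "ExampleMail Server", "2.3", "Campus IT", "education"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        print(f"{e.ip:<15} {e.product} {e.version:<7} {e.sector:<15} {e.org}")
```

The ordering is the point: with a 1-day public and a search engine already indexing the exposed devices, the patch queue should follow the same priorities an adversary’s target database would, so the defense-sector appliance is fixed before the harbor authority’s, and both before anything the table does not rank.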

ZoomEye Passive-Radar Product

ZoomEye, a key Knownsec product, functions as an alternative to Shodan and similar IPv4/IPv6 scanning platforms for mapping network services and devices. Beyond reconnaissance, the platform is used for targeting and exploitation. Operators can upload scans via FTP or add offline data of up to 500 GB, potentially from passively intercepted network traffic (“Offline Datapacks”). Documentation also references an integration of ZoomEye with DeepSeek, offered in a version for markets outside China.

Cyberspace Mapping – Cyber Tradecraft Platform

Cyberspace Mapping, delivered by ZoomEye, targets foreign telecommunication infrastructure. A Zhihu post from Knownsec’s official account detailed its use for cyberspace mapping during the Russo-Ukrainian War. The CEO of Knownsec, Zhao Wei, and colleagues published a book on its technology and applications. ZoomEye Passive-Radar is also a component of the Cyberspace Tradecraft Platform, which is designed as a unified cyber warfare and combat command platform and is actively used for malicious activity targeting Taiwan. This project, with apparent government funding of 39.1 million Chinese Yuan, underscores the strategic nature of these operations.

Nexus with State and Defense

The Knownsec staff list identified employees across various departments, including Government Affairs and Cloud Defense, located in Beijing, Chengdu, Hong Kong, and Changsha. Another list included engineers, project managers, and interns. Notably, a “NoneNone – None” entry, marked as an EVP, likely indicates a departed employee, possibly Lu Hai, who was publicly listed as an EVP in 2018. Key individuals behind ZoomEye include Li Wei Chen (Vice Chief Executive Officer) and Zhou Yang (R&D lead). The KnownSec 404 Team, also known as SeeBug, is described as a leading global vulnerabilities and risks detection team focusing on Web and IoT threat hunting.

Knownsec maintains significant involvement with the Chinese government, military, and the Public Safety Department. Diagrams illustrate connections with Chinese law enforcement, including the Telecommunication bureau, for R&D, LLM design, and deployment of 创宇盾 (Chuangyu Shield), focusing on Internet safety detection and cyber defense.

创宇盾 (Chuangyu Shield)

Chuangyu Shield provides defense against cyberattacks, utilizing cloud computation, LLMs, and dynamic measurements to counter injection, XSS, and zero-day exploits, again leveraging ZoomEye. It also functions as an anti-crawling tool aimed at blocking foreign LLM operators from harvesting information on the Chinese government. Deployed via cloud services, Chuangyu Shield acts as a digital firewall for content deemed inappropriate or illegal under Chinese internet laws, serving clients such as the Chinese National Healthcare Security Bureau, Chinese Police Web Systems, China Merchants Bank, Tencent Security, and China Eastern Airlines.

Chinese Defense Industry and Government Connection

Documents confirm active customers of Knownsec include Chinese military and government agencies. Internal units such as “Military Production Line (Radar) Group,” “Military Products (Seebug / ZoomEye) Departments,” and “Gov-Corp Solutions Department” demonstrate these ties. A project titled “Research on Network Entity Data CJ and Integrated Key Technologies” with the Chinese Police No.3 Research Department, with KnownSec responsible for solution design and research, further evidences this connection. The project’s purpose, “Research on Key Technologies for Network Entity Data Collection and Fusion,” aligns with intelligence gathering objectives.

A document referencing a penetration testing project called “404 Security Research” (2021-2022) indicates internal security assessment activities. The discovery of zero-day vulnerabilities in this context, coupled with references to the Russia-Ukraine conflict and Taiwan as targets for “cyber cloud mapping,” suggests a focus on understanding and exploiting vulnerabilities for strategic geopolitical objectives. This cyber cloud mapping, or Cyberspace Mapping – Hardware Radar, is publicly marketed as the ZoomEye Passive-Radar product and is integral to the Cyberspace Tradecraft Platform.

Knownsec’s client list includes the China People’s Police Department, China People’s Bank, State Grid Corporation of China, and various universities and government ministries, alongside private sector partners like Tencent.

The Third Research Institute of the Ministry of Public Security (MPS), a Knownsec customer, is a significant state institute with 2,200 members, specializing in computer software and hardware, communication equipment, forensic technology, and security systems. Its numerous research departments and affiliated companies, such as Beijing Ruian Technology Co., Ltd. (54% owned by the MPS Third Research Institute), which focuses on LLM-driven information solutions and cybersecurity products, illustrate the depth of state involvement. This extensive network underscores the complexity of supply-chain risk monitoring when dealing with state-linked entities.

Global Reach and Targeting

The Knownsec data breach underscores the global reach of state-sponsored cyber operations. The revealed target lists, covering over 20 countries and spanning critical sectors like defense, government, energy, and finance, indicate a systematic and expansive intelligence collection effort. The sheer volume of compromised data, including immigration records, call logs, and transport data from foreign nations, demonstrates the scale of data exfiltration capabilities.

The geographical distribution of vulnerable MongoDB instances identified in the MongoBleed (CVE-2025-14847) incident, with China, the United States, Germany, Hong Kong, and Singapore showing the highest numbers, further illustrates a broad attack surface that state-linked actors may leverage. The concentration of these vulnerable systems on major cloud providers like Alibaba Cloud, DigitalOcean, and Google LLC highlights the widespread risk of misconfiguration at scale, making them attractive targets for automated exploitation and data exposure across multiple tenants. While MongoBleed is a separate vulnerability, its global prevalence illustrates the digital terrain that sophisticated actors can survey for opportunities.

Operational Security Implications

The Knownsec data breach provides organizations with critical information regarding the operational methods of state-linked cyber actors. The exposure of sophisticated offensive tools, global targeting strategies, and deep integration with government and military entities necessitates a re-evaluation of cybersecurity postures.

For technical readers, understanding the identified tradecraft, such as the Un-Mail eavesdropping platform and the Windows T-Horse RCS, offers insight into specific capabilities to defend against. The ability of T-Horse to evade over 40 antivirus applications and utilize covert communication channels via DNS means that traditional endpoint detection alone is insufficient. Enhanced host-based intrusion detection systems (HIDS) focusing on behavioral anomalies, kernel-level monitoring for unauthorized driver installations (like those seen with HoneyMyte’s kernel-mode rootkit in separate campaigns), and robust network traffic analysis for unusual DNS requests or C2 communication patterns are essential. The details on ZoomEye and its passive-radar product indicate the need for organizations to conduct external network reconnaissance from an attacker’s perspective, identifying their own publicly accessible devices and critical infrastructure components that could be mapped by adversaries. Furthermore, the use of “1-day” exploits emphasizes the urgency of patch management and vulnerability assessment.
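The T-Horse specification above cites covert communication over DNS, and this paragraph calls for network traffic analysis of unusual DNS requests. The following Python is an added example of that check, not Knownsec’s tooling or any specific product: it aggregates constructed resolver log lines per (client, registered domain) and flags clients that emit many unique, long, high-entropy subdomains under a single domain, which is what data encoded into query names looks like. The log format, thresholds and sample traffic (a deterministic hash stands in for encoded payload chunks) are assumptions, and the two-label registered-domain rule is a simplification that a production detector would replace with a public-suffix list.

```python
"""Added example: flag DNS covert-channel behaviour in resolver logs.

Log line format (constructed): "<timestamp> <client-ip> <qname> <qtype>".
Thresholds are illustrative starting points, not tuned values.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; hex payload labels sit near 4, ordinary words well below 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Real detectors use the public suffix list.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str) -> tuple[str, str, str, str]:
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype


def detect(log_text: str, min_queries: int = 20, min_unique: int = 15,
           min_entropy: float = 3.5, min_label_len: int = 20) -> list[dict]:
    """Return one alert per (client, domain) pair whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent_sum": 0.0,
                                 "len_sum": 0.0, "labelled": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        domain = registered_domain(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):   # record types that carry a sizeable reply
            s["txt"] += 1
        if qname != domain:
            sub = qname[: -(len(domain) + 1)]    # strip ".<domain>"
            first = sub.split(".")[0]            # the label a tunnel packs data into
            s["subs"].add(sub)
            s["ent_sum"] += shannon_entropy(first)
            s["len_sum"] += len(first)
            s["labelled"] += 1

    alerts = []
    for (client, domain), s in stats.items():
        if s["queries"] < min_queries or s["labelled"] == 0:
            continue
        avg_entropy = s["ent_sum"] / s["labelled"]
        avg_len = s["len_sum"] / s["labelled"]
        # Many distinct names AND (random-looking OR long) first labels.
        if len(s["subs"]) >= min_unique and (avg_entropy >= min_entropy or avg_len >= min_label_len):
            alerts.append({"client": client, "domain": domain, "queries": s["queries"],
                           "unique_subdomains": len(s["subs"]),
                           "avg_entropy": round(avg_entropy, 2),
                           "avg_label_len": round(avg_len, 1),
                           "txt_fraction": round(s["txt"] / s["queries"], 2)})
    return sorted(alerts, key=lambda a: -a["unique_subdomains"])


def build_sample_log() -> str:
    """Constructed traffic: one chatty but normal host, one host tunnelling."""
    lines = []
    for i in range(25):   # the same few names over and over: busy, not suspicious
        lines.append(f"2025-11-07T09:00:{i:02d}Z 10.0.0.15 www.example.com A")
    lines.append("2025-11-07T09:01:00Z 10.0.0.15 mail.example.com MX")
    for i in range(40):   # every query carries a fresh 32-hex-character "chunk"
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]
        lines.append(f"2025-11-07T09:02:{i:02d}Z 10.0.0.42 {chunk}.t.cc-relay.invalid TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The busy workstation is not flagged even though it issues more queries than the tunnelling host, because it repeats two names rather than minting a new one per query; that distinction, not raw volume, is what separates a DNS channel from normal resolution. In production, whitelist CDN and telemetry domains that legitimately generate unique subdomains, or the detector will page on them first.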

For business leaders, the breach reinforces the strategic importance of a comprehensive cyber threat intelligence capability. Knowing that state-linked entities are collecting large volumes of compromised data and targeting specific industries globally means that generic security measures are insufficient. Investment in specialized threat intelligence that covers geopolitical motivations, state-sponsored actor profiles, and intelligence from underground communities, including dark web monitoring and underground forum intelligence, is not merely a technical concern but a strategic imperative for risk management. The extensive list of government and defense clients of Knownsec demonstrates that such firms are embedded in national security apparatuses, making intelligence on their operations directly relevant to understanding potential threats to national and economic security. The insider-threat aspect of the Knownsec leak also emphasizes the need for stringent internal access controls, robust employee monitoring, and breach detection mechanisms that can identify anomalous behavior within an organization.

Organizations must consider their position within broader supply chains. The involvement of defense industry and government agencies with Knownsec, along with the detailed engineering documents of entities like Thales Alenia Space and Airbus Defence and Space exposed in the ESA breach, underscores the critical nature of supply-chain risk monitoring.

PurpleOps’s Role in Countering Advanced Threats

PurpleOps provides comprehensive cybersecurity solutions that directly address the complexities revealed by the Knownsec data breach and similar sophisticated threats. Our cyber threat intelligence platform integrates global threat landscape analysis, including insights into state-sponsored actor methodologies and their preferred tradecraft. This platform equips organizations with the foresight needed to anticipate and defend against targeted cyber operations, enabling proactive rather than reactive security postures.

Our dark web monitoring service and underground forum intelligence capabilities are designed to detect instances of compromised data, leaked credentials, and discussions pertaining to specific organizations or industries on illicit marketplaces. This is directly relevant to mitigating the risks observed in the Knownsec breach, where stolen data was offered for sale on the dark web. Early detection of such data exposure is crucial for limiting impact and enabling rapid response.

For organizations seeking to validate their defenses against advanced persistent threats (APTs) and sophisticated attack methodologies, PurpleOps offers red team operations and penetration testing. These services simulate real-world attacks, including those employing kernel-mode rootkits and custom RATs like Windows T-Horse, to identify weaknesses in systems, networks, and applications before adversaries exploit them. Our expertise in identifying and mitigating zero-day and 1-day vulnerabilities, as detailed in the Knownsec findings, ensures that client defenses are resilient against similar attack vectors.

Given the revelations about Knownsec’s clients and capabilities, PurpleOps’s services related to supply-chain information security become particularly relevant. We assist organizations in assessing and managing the cybersecurity risks posed by their third-party vendors and partners, helping to establish robust security frameworks across the extended enterprise. This is critical for preventing a breach in one entity from cascading throughout a sensitive supply chain.

Moreover, PurpleOps offers comprehensive breach detection solutions that combine behavioral analytics, network anomaly detection, and endpoint monitoring to identify sophisticated intrusions, even those designed to evade traditional security controls. Our capabilities are engineered to uncover signs of compromise, whether from external state-linked actors or internal insider threats, ensuring that subtle indicators of espionage are not overlooked.

Conclusion

The Knownsec data breach offers a detailed view into the methods and objectives of a state-linked cyber actor, emphasizing the persistent and complex nature of geopolitical cyber espionage. The exposed tools, extensive targeting, and deep integration with national security apparatuses underscore the critical importance of robust cybersecurity defenses and comprehensive threat intelligence. Organizations must move beyond basic security measures to implement advanced strategies that account for sophisticated, state-backed threats and potential insider activities.

To understand how your organization can defend against sophisticated nation-state actors and bolster your cyber defenses, explore PurpleOps’s comprehensive cybersecurity platform and services. Visit us at https://www.purple-ops.io/platform/ or PurpleOps Solutions to learn more about our offerings, including cyber-threat-intelligence, dark-web-monitoring, red-team-operations, and supply-chain-information-security. Contact us today to discuss your specific security needs.