Knownsec leak unmasks secret cyberweapons and role in China’s state-linked spying
A leak from Knownsec, a major Chinese cybersecurity firm, exposes how the firm operated far beyond the role of a conventional defense vendor. It combined the development of cyberweapons with large-scale intelligence collection to support state-linked cyber operations. Resecurity, a cybersecurity company, announced that it has acquired and analyzed the complete set of leaked documents. Over 12,000 classified documents from Knownsec were offered for sale on a dark web forum by a threat actor using the moniker t1g3r around November 7, 2025. Knownsec, officially Beijing Knownsec Information Technology, is a prominent Chinese cybersecurity company providing systems such as "Internet Aegis" and "Enterprise Digital Fortress", as well as ZoomEye, a global vulnerability-scanning and network mapping tool. The leak likely stemmed from an insider, such as a rogue employee.
“Knownsec appears to combine commercial security products with large-scale data aggregation, offensive tooling, and close collaboration with government, public security, and military entities,” Resecurity said in the report on the Knownsec data breach. Internal files show that the company was deeply involved in offensive cyber activity, and its arsenal includes custom malware, remote-access toolkits, and an email content interception system.
Knownsec also amassed large datasets of stolen data from several countries and surveilled targets in India, South Korea, Taiwan, Japan, Vietnam, the UK, and elsewhere. The stolen data includes 95 GB of Indian immigration records, 3 TB of South Korean call logs from LG U Plus, and 459 GB of Taiwanese transport data. "The breadth of datasets, the nature of the capabilities shown, and the number of state-linked projects indicate a role that aligns with national-level intelligence collection, cyber-operations support, and network infrastructure mapping," the Resecurity report reads.
The company had developed "a sophisticated array of cyber tools", including Remote Access Trojans (RATs) for Linux, Windows, macOS, iOS, and Android, giving operators persistent remote access to compromised devices. Its remote control system, dubbed T-Horse, targeted Windows systems, enabling file browsing, remote management, screen monitoring, keystroke capture, credential extraction, offline operation, and notifications when a victim comes online or goes offline. Another "product," called Un-Mail, was a tool for exfiltrating data from compromised email accounts hosted with both Chinese and foreign email providers. It used cross-site scripting (XSS) to harvest email login credentials, session cookies, and other data. "By knowing the email account, password, and cookie information, it can monitor the target's email 24/7," Resecurity found. The researchers also found that the company was building "a Critical Infrastructure Target Database," containing information about targeted organizations' publicly accessible network devices and their known vulnerabilities. Knownsec had selected 24,241 targets, over 378 million associated IP addresses, and nearly 3.5 million domains, with a "high-priority" focus on defense, arms manufacturing, government, political parties, energy, transportation, telecommunications, broadcasting, finance, healthcare, multimedia, and education. Most of the data was associated with the US, Canada, Japan, and Russia.
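The Un-Mail description above hinges on one detail: a stolen session cookie lets an attacker read a mailbox without ever logging in again, so password resets alone do not end the access. The defensive check a practitioner would want is to watch for the same session identifier being presented by more than one client. The following is an added example written for this page, not code from Knownsec, Resecurity, or the article; the log format, field names, and sample lines are all constructed for illustration. It parses webmail access records and flags a session whose cookie is reused from a different user agent (high severity) or merely from a different IP with the same user agent (low severity, since NAT and mobile roaming cause legitimate IP changes).

```python
"""Session-hijack indicator: one webmail session cookie seen from more than one client.

Added example for this page; the log format and sample data below are constructed
assumptions, not artifacts from the Knownsec leak or the Resecurity report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample access log. Assumed format, one record per line:
#   ISO timestamp | account | session id | source IP | user agent
SAMPLE_LOG = """\
2025-11-07T08:01:12Z|alice@example.test|sid-7f3a|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-11-07T08:04:55Z|alice@example.test|sid-7f3a|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-11-07T08:09:03Z|alice@example.test|sid-7f3a|198.51.100.77|python-requests/2.32.0
2025-11-07T08:09:41Z|alice@example.test|sid-7f3a|198.51.100.77|python-requests/2.32.0
2025-11-07T08:30:00Z|bob@example.test|sid-c21e|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17.0
2025-11-07T09:02:10Z|bob@example.test|sid-c21e|192.0.2.45|Mozilla/5.0 (Macintosh) Safari/17.0
"""


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    session_id: str
    ip: str
    user_agent: str


@dataclass
class Finding:
    session_id: str
    account: str
    severity: str               # "high": new user agent; "low": new IP, same user agent
    first_client: tuple[str, str]  # (ip, user agent) that first presented the session
    new_client: tuple[str, str]    # (ip, user agent) that later reused it
    seen_at: str                # timestamp of the first reuse by new_client


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated log format assumed above; reject malformed lines loudly."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        events.append(Event(*parts))
    return events


def detect_session_reuse(events: list[Event]) -> list[Finding]:
    """Flag sessions whose identifier is presented by a client other than the one that created it.

    The first client seen for a session id is treated as its legitimate origin. A later
    request with a different user agent is scored high: browsers do not change user agent
    mid-session, but a scripted reader using a stolen cookie will. A different IP with the
    same user agent is scored low, because NAT pools and mobile roaming do that legitimately.
    Each (session, new client) pair is reported once, so a sustained reader does not flood the output.
    """
    first_client: dict[str, tuple[str, str]] = {}
    reported: set[tuple[str, tuple[str, str]]] = set()
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        client = (ev.ip, ev.user_agent)
        origin = first_client.setdefault(ev.session_id, client)
        if client == origin or (ev.session_id, client) in reported:
            continue
        reported.add((ev.session_id, client))
        severity = "high" if client[1] != origin[1] else "low"
        findings.append(Finding(ev.session_id, ev.account, severity, origin, client, ev.ts))
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.account} session {f.session_id}: "
              f"{f.first_client} -> {f.new_client} at {f.seen_at}")
```

In the constructed sample, alice's cookie is replayed by a `python-requests` client from a new address and scores high, which is the pattern a tool monitoring a mailbox "24/7" with a stolen cookie would produce; bob's adjacent-address change with an unchanged browser scores low. The corresponding response is to revoke the session server-side, not just rotate the password, and to issue the cookie with `HttpOnly` so a script injected via XSS cannot read it in the first place.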
The leak also reveals Knownsec's public security ties: Chinese military, police, government agencies, and other organizations were identified among the company's active customers. ZoomEye, the company's network mapping tool, was reportedly used internally to feed reconnaissance data into curated target lists of foreign telecommunications infrastructure, including Taiwan's, for exploitation activities.
To read the complete article see: https://cybernews.com/security/knownsec-leak-exposes-involvement-in-state-linked-cyber-operations/