Partial Leak of Knownsec Corporate Documents Resurfaces With Espionage Tradecraft, Offensive Cyber Tools, and Global Targeting Evidence
A partial leak of Knownsec corporate documents has resurfaced on the dark web, revealing extensive evidence of Chinese state-sponsored cyber espionage operations. The leaked materials expose offensive cyber tools (RATs for multiple OS platforms), hardware attack vectors (malicious power banks), global surveillance target lists across 20+ countries, and massive data exfiltration campaigns including Indian immigration records, South Korean telecom call logs, and Taiwanese infrastructure data. The original breach from November 2025 exposed over 12,000 classified documents demonstrating direct collaboration between Knownsec and Chinese government agencies.
Full text
Dark Web Informer - Cyber Threat Intelligence
March 18, 2026 - 12:56:35 AM UTC
China | Cybersecurity / Government

Quick Facts
- Date & Time: 2026-03-18 00:56:35 UTC
- Threat Actor: Blastoize
- Victim: Knownsec (知道创宇)
- Industry: Cybersecurity / Government
- Category: Corporate Document Leak
- Leak Status: Partial Download
- Original Breach: November 2025
- Original Documents: 12,000+ Classified Files
- Price: Free (Partial Leak)
- Network: Open Web
- Country: China
- Severity: Critical

Incident Overview
A threat actor going by Blastoize has posted a partial download of corporate documents from Knownsec, a major Chinese cybersecurity firm with well-documented ties to the Chinese government and military. This is not a new breach but rather a redistribution of data from the original Knownsec leak that first surfaced in November 2025, which has been widely regarded as one of the most significant exposures of state-sponsored cyber capabilities in recent years. The actor references reporting from both Gopher Security and Resecurity that provides extensive analysis of the leaked material. The original breach exposed over 12,000 classified documents and revealed the inner workings of a firm that operates at the intersection of China's commercial cybersecurity sector and its state intelligence apparatus.
Key revelations from the original leak include:
- Offensive Cyber Tools: Remote Access Trojans (RATs) engineered for Linux, Windows, macOS, iOS, and Android, plus Android-specific malware designed to extract message histories from Chinese chat applications and Telegram.
- Hardware Attack Vectors: Physical devices including a malicious power bank engineered to covertly upload data from victims' devices while appearing to function as a standard charger.
- Global Target Lists: Spreadsheets documenting over 80 overseas targets across more than 20 countries, including government agencies, telecommunications providers, and critical infrastructure operators.
- Stolen Data at Scale: Evidence of massive exfiltration operations including 95GB of Indian immigration records, 3TB of South Korean call records from LG U Plus, and 459GB of Taiwanese road planning data.
- Government Collaboration: Documents showing direct collaboration with Chinese government agencies including Chinese Police No.3 Research Department on data collection and network entity research projects.
- Internal Surveillance: Tools used not only externally against foreign targets but also internally to track Chinese companies and individuals for intelligence, control, and counterintelligence purposes.

The Chinese government has officially denied and downplayed the incident. When questioned, the Chinese Foreign Ministry stated they were unaware of any breach at Knownsec and reiterated that China "firmly opposes and combats all forms of cyberattacks."

Resecurity's analysis suggests the source of the original leak was likely an insider (rogue employee) rather than an external hack, drawing parallels to the i-Soon leak that exposed similar state-linked cyber operations in 2024. The fact that this data continues to resurface and circulate months later underscores its significance to the threat intelligence community.
Exposed Data Categories
- Classified Corporate Documents
- Offensive Cyber Tool Source Code
- Remote Access Trojans (RATs)
- Hardware Attack Tool Specifications
- Global Surveillance Target Lists
- Government Collaboration Records
- Stolen Foreign Government Data
- Telecommunications Intercept Records
- Critical Infrastructure Intelligence
- Internal Operational Procedures

MITRE ATT&CK Mapping
- T1587.001 Develop Capabilities: Malware: Develops custom malware including RATs for multiple operating systems, enabling persistent remote access to compromised targets worldwide.
- T1195.002 Supply Chain Compromise: Software: Uses hardware-based attack tools like modified power banks to covertly exfiltrate data from victims' devices through supply chain manipulation.
- T1005 Data from Local System: Collects massive volumes of data from compromised systems, including immigration records, telecom call logs, and critical infrastructure data across multiple countries.
- T1059 Command and Scripting Interpreter: Deploys cross-platform RATs that execute commands and scripts on victim machines across Linux, Windows, macOS, iOS, and Android environments.
- T1557 Adversary-in-the-Middle: Intercepts communications and data in transit, evidenced by the 3TB of telecom call records exfiltrated from South Korean provider LG U Plus.
- T1592 Gather Victim Host Information: Uses ZoomEye, Knownsec's global vulnerability scanning tool, to map and enumerate target infrastructure, building a Critical Infrastructure Target Database prioritizing Taiwan, the US, Japan, India, and Korea.
- T1199 Trusted Relationship: Leverages Knownsec's position as a trusted cybersecurity provider to access client systems and government networks under the guise of legitimate security services.
- T1048 Exfiltration Over Alternative Protocol: Transfers massive stolen datasets out of target environments using alternative channels, with documented exfiltration of hundreds of gigabytes per operation.
Indicators of Compromise
- malware — Remote Access Trojans (RATs)
- malware — Android-specific malware
- malware — Malicious power bank
- mitre_attack — T1587.001
- mitre_attack — T1195.002
- mitre_attack — T1005
- mitre_attack — T1199