Knownsec leak unmasks secret cyberweapons and role in China’s state-linked spying


A leak from Knownsec, a major Chinese cybersecurity firm, exposes how the firm operated far beyond the role of a conventional defense vendor. It combined the development of cyberweapons with large-scale intelligence collection to support state-linked cyber operations.

Resecurity, a cybersecurity company, announced that it has acquired and analyzed the complete data set of leaked documents, providing a glimpse into the Chinese cyber ecosystem.

Over 12,000 classified documents leaked from Knownsec were offered for sale on a dark web forum by a threat actor using the moniker t1g3r around November 7, 2025. The data reappeared on the dark web later in December and was offered for sale again.


Knownsec, officially known as Beijing Knownsec Information Technology, is a prominent Chinese cybersecurity company providing “Internet Aegis” and “Enterprise Digital Fortress” systems, as well as a global vulnerability-scanning and network mapping tool, ZoomEye, similar to Shodan or Censys.

The leak likely stemmed from an insider, such as a rogue employee, rather than an external hack. Researchers suspect that an internal power struggle occurred within the company.


“Knownsec appears to combine commercial security products with large-scale data aggregation, offensive tooling, and close collaboration with government, public security, and military entities,” Resecurity said in the report on the Knownsec data breach.

Internal files show that the company was deeply involved in offensive cyber activity. Its arsenal includes custom malware, remote-access toolkits, and an email content interception system.

Knownsec also collected massive datasets of stolen data from several countries, and surveilled targets in India, South Korea, Taiwan, Japan, Vietnam, the UK, and other countries.

The stolen data includes 95 GB of Indian immigration records, 3 TB of South Korean call logs from LG U Plus, and 459 GB of Taiwanese transport data.


“The breadth of datasets, the nature of the capabilities shown, and the number of state-linked projects indicate a role that aligns with national-level intelligence collection, cyber-operations support, and network infrastructure mapping,” the Resecurity report reads.

The Chinese government and state media denied awareness of the leak and downplayed it, stating that China “firmly opposes and combats all forms of cyberattacks.”

What Knownsec capabilities does the leak unveil?

The company had developed “a sophisticated array of cyber tools,” including Remote Access Trojans (RATs) for Linux, Windows, macOS, iOS, and Android, allowing persistent remote access.

Its remote control system, dubbed T-Horse, targeted Windows systems, enabling file browsing, remote management, screen monitoring, keyboard capturing, credential extraction, offline operation, and notifications for online and offline status.

The specifications claimed that the service, offered as a yearly subscription, evaded over 40 major antivirus applications and host-based firewalls.

Another “product,” called Un-Mail, was a solution for data exfiltration from compromised email accounts at both Chinese and foreign email providers. It used cross-site scripting (XSS) to gather email login credentials and other data.


“By knowing the email account, password, and cookie information, it can monitor the target's email 24/7,” Resecurity found.

The researchers also found that the company was building “a Critical Infrastructure Target Database,” containing information about the organizations’ publicly accessible network devices and their known vulnerabilities.


Knownsec had selected 24,241 targets, over 378 million associated IP addresses, and nearly 3.5 million domains, with a “high-priority” focus on defense, arms manufacturing, government, political parties, energy, transportation, telecommunications, broadcasting, finance, healthcare, multimedia, and education.

Most of the data was associated with the US, Canada, Japan, and Russia.


The leak also reveals Knownsec’s ties to China’s public security apparatus: the Chinese military, police, government agencies, and other organizations were identified among the company’s active customers.

ZoomEye, a network mapping tool, was reportedly misused internally to feed reconnaissance data into curated lists, targeting foreign telecommunications infrastructure for exploitation activities, including those aimed at Taiwan, among others.

Leaked documents exposed Knownsec’s internal staff lists and organizational structure, as well as locations and details of multiple branches, and links to affiliated companies and other cyber operations teams.
