
The cybersecurity community is still absorbing the recent Knownsec leak, which exposed a massive amount of internal data from a Chinese cybersecurity company. A large number of documents from Knownsec, a Chinese cybersecurity firm affiliated with the Chinese government, appeared online for a brief period before being taken down. Experts quickly set to work to understand what the leaked data means for Chinese cyber strategy and state-backed hacking.
Knownsec itself is anything but an ordinary computer startup. Incorporated in 2007, it soon established itself as a major player in the Chinese cybersecurity industry. The company is best known for ZoomEye, an internet search engine similar to Shodan that maps publicly reachable internet-connected devices. ZoomEye gave Knownsec detailed knowledge of networking infrastructure worldwide. Knownsec also won large government contracts; reports state that it worked extensively with China’s military and intelligence agencies. It attracted major investment (from Tencent in 2015) and grew to more than 900 employees. In effect, Knownsec operated as an intermediary between China’s commercial cyber industry and the cyber operations conducted by the state. Given that position, a leak from its infrastructure could expose state cyber capabilities.
The Knownsec Breach: A Cache of Secrets
The scale of the breach is staggering. A repository of more than 12,000 classified Knownsec files appeared on GitHub on November 2, 2025, containing files as recent as 2023, which points to a fairly recent compromise or exfiltration. As of this writing, no party has claimed responsibility; the leak may have been the work of an insider or of hacktivists.
Cybersecurity experts describe the archive as an “intelligence gold mine”: it contains source code, project plans and internal memos. Above all, it documents China’s cyber weapons, including remote-access malware and hacking tools. Spreadsheets in the breach also contain an extensive list of foreign surveillance targets, providing “one of the most detailed glimpses ever into China’s cyber warfare tools,” as one news organization reported.
Advanced Cyber Arsenal Uncovered
What sort of tools did this leak expose? Pretty advanced ones, actually. Researchers uncovered a set of malware and exploits that work across platforms. Knownsec operated Remote Access Trojans (RATs) capable of targeting Windows, Linux, macOS, Android, and even iOS. For instance, an Android malware payload could harvest conversation logs from Chinese messaging applications and from Telegram, enabling targeted surveillance of individuals and groups.
The leaked material also reveals hardware devices used in attacks, not just software. This kind of supply-chain-based attack shows considerable planning, extending the toolset beyond software to everyday devices.
Above all, what the corpus makes most apparent is technical maturity. A look at the hardware tools and the multi-OS RAT malware is enough to show that Knownsec’s developers were building state-level cyber weapons, not phishing kits. Even where standard antivirus software misses this malware, containment tools can pick up where antivirus protection leaves off. (How this type of malware is handled by Xcitium’s isolation solution, Zero-Dwell, is discussed further below in this post.)
Global Surveillance: The Target List
One of the most disturbing aspects of the breach is the database of targets stored in the spreadsheets. They record data accessed or monitored from more than 80 foreign entities across more than 20 countries. The most heavily targeted entities include critical infrastructure, telecom companies and government systems. For example, the records show 95 GB of India’s immigration data, 3 TB of call logs from the South Korean telecom company LG U+, and 459 GB of Taiwan’s road-planning data, among other things.
These figures are anything but arbitrary; they correspond to China’s strategic interests. Consider India, a regional competitor of China; South Korea, which hosts American military bases; or Taiwan, which has long been a focus of Chinese interest. More intriguing still, StealthMole experts observed that Knownsec scanned internet infrastructure in 28 countries. This indicates that Knownsec, and by implication China’s cyber actors, engaged in wholesale espionage: mapping foreign infrastructure (via ZoomEye data) and sweeping up whatever the vulnerabilities they encountered allowed.
Key data from the leak:
- Massive exfiltrations: leaked logs and files show 95 GB of Indian immigration data, 3 TB of South Korean telecom call records and 459 GB of Taiwanese infrastructure plans.
- Worldwide scope: targets include Japan, Vietnam, India, Indonesia, Nigeria, the UK, and many others.
- Techniques: use of insecure “open” servers to steal data, plus custom malware and surveillance tools.
In short, the Knownsec documents reveal a systematic, global espionage effort. China’s state-sponsored hackers were gathering economic, political and tech intelligence from across Asia and beyond. The leak turns a spotlight on these operations, which have usually remained in the shadows.

China’s Cyber Strategy: Context and Ambitions
What does this leak tell us about China’s cyber doctrine more generally? Quite a lot. China has long regarded cyber warfare as an important element of its national intelligence capabilities. The United States has warned that the scale of China’s hacking effort is “unparalleled.” FBI Director Chris Wray has said that China’s cyber forces outnumber his cyber agents by at least 50 to 1, and in 2023 CISA labeled China the “number one geostrategic challenge to the United States in cyber-space.”
The Knownsec data reinforces these concerns by showing how deeply an established Chinese corporation was involved in state cyber warfare operations.
Geopolitically, the breach is significant because it comes at a critical juncture for China’s cyber warfare capabilities, which have been escalating in response to tensions in Asia (over Taiwan and India, for example) and to international technological rivalry. Like earlier cyber-espionage cases, this data dump shows that China’s cyber-espionage infrastructure is highly organized and comprehensive in scope, but, in this case, also vulnerable to breaches of its own.

State-Level Cybersecurity Concerns Beyond China: The Kaspersky Ban
The Knownsec incident also highlights that nation-states increasingly view cybersecurity through the prism of geopolitical rivalry. The United States government recently banned the use of Kaspersky security software across all national government systems and banned the sale of the software within the United States. The action rests on the judgment that US national security could be exposed to the influence of a company operating within a rival nation, even though no wrongdoing has been shown.
This matters because Kaspersky has historically been acknowledged within the industry as a technically competent security vendor with strong malware analysis capabilities. Nevertheless, because Kaspersky’s operations and supply chain are subject to a strategic competitor’s influence, Washington has re-evaluated the criteria by which security vendors are judged. The industry is no longer defined by competence alone but by geopolitical alignment and the risk of coerced influence.
Taken together, the Kaspersky ban and the Knownsec data dump point to the same shift among governments worldwide: a move towards digital sovereignty and a desire to distance themselves from foreign technologies that could introduce vulnerabilities.
Implications for Cybersecurity
For the security community, the Knownsec files present a double-edged scenario. They constitute an important source of threat intelligence, and analysis of the leaked malware and intrusion data will push cybersecurity teams to harden their defenses. The level of detail, from code to processes, is unprecedented. As one expert put it, the leak has in essence exposed the complicity between private-sector cybersecurity companies, including those with geopolitical ties, and state-backed cyber-attack operations.
However, the leak could also end up equipping malicious actors. (PentestNews discusses the risk of “copycat campaigns” should this code see widespread use.) Furthermore, the breach itself is a lesson for every organization: a cybersecurity firm having its own systems compromised, whether by hacking or by insiders, shows that no organization is completely secure.
The Knownsec incident is far from isolated. Previous leaks, such as i-SOON, which exposed Chinese contractors’ cyber operations, have likewise uncovered more of Beijing’s cyber activity. Together these incidents show that China is very active in cyber operations for intelligence-gathering purposes.
Conclusion: Cybersecurity in the Era of State-Sponsored Threats
The Knownsec leak exposes a hard truth: organizations fail the moment they rely on detecting threats after they’ve already begun — especially in a world where state-backed tools silently infiltrate trusted systems at scale. Modern attackers don’t announce themselves; they move quietly, persistently, and invisibly long before traditional defenses can react.
The takeaway is simple: if a state-aligned cyber powerhouse can be breached, anyone can.
Traditional, detection-based tools aren’t enough. The malware revealed is stealthy, cross-platform, and engineered to evade conventional defenses. Organizations need protection that assumes compromise, isolates unknowns instantly, and stops threats before they execute.
That’s where Xcitium’s Advanced EDR changes the game. Its real-time Kernel-Level API Virtualization with instant isolation intercepts unknown activity at the kernel boundary, forcing it to run safely inside a virtual layer—fully separated from your real system.
Zero dwell time.
Zero exposure.
Zero compromise.
While others scramble to detect threats, you’ve already neutralized them. In an era of state-level attacks, Xcitium eliminates the window of opportunity before it ever opens.
Discover how to protect your endpoints with Xcitium’s Advanced EDR.