Knownsec Data Breach Reveals China's Cyber Espionage Tactics

Knownsec data breach cyber espionage Chinese cybersecurity Resecurity ZoomEye Un-Mail Windows T-Horse data leak
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
January 2, 2026 4 min read
Knownsec Data Breach Reveals China's Cyber Espionage Tactics

TL;DR

The Knownsec data breach has exposed a major Chinese cybersecurity firm's espionage tradecraft, including hacking tools and global targets. Analysis of over 12,000 leaked documents reveals sophisticated methods like the 'Un-Mail' eavesdropping platform and 'Windows T-Horse' RCS. This incident highlights the advanced nature of state-sponsored cyber operations and the vast amount of compromised data collected.

Comprehensive up-to-date news coverage, aggregated from sources all over the world by Google News.

Knownsec Data Breach: Espionage Tradecraft Exposed

The Knownsec leak, a major incident of 2025, has revealed the inner workings of a significant Chinese cybersecurity firm with ties to the state. This breach exposed espionage tools, global targets, internal documentation, and evidence of ongoing cyber operations. Resecurity acquired the complete data set and prepared an analysis to increase awareness within the cybersecurity community.

The leaked tradecraft details tools used to monitor and breach foreign governments, critical infrastructure, and private-sector enterprises, as well as to track Chinese companies and individuals.

!Knownsec Data Breach Image courtesy of Resecurity

Timeline and Insider Involvement

Around November 7, 2025, the stolen data was reportedly sold on the Dark Web by an actor known as t1g3r. The data was later offered for sale again in December.

Insider Involvement

Image courtesy of Resecurity

The source of the leak may be an insider, similar to the i-Soon incident.

Scope of the Breach

Knownsec (Beijing Knownsec Information Technology Co., Ltd.) is a major Chinese cybersecurity company with close ties to the Chinese government and military.

Over 12,000 internal documents from Knownsec were leaked, revealing:

  • Hacking Tools: Remote Access Trojans (RATs) designed to compromise various operating systems.
  • Global Targets: Surveillance target lists covering over 20 countries, including India, South Korea, Taiwan, Japan, and the UK.
  • Stolen Data: 95 GB of Indian immigration records, 3 TB of South Korean call logs from LG U Plus, and 459 GB of Taiwanese transport data.

!Compromised Data Image courtesy of Resecurity

Identified Tradecraft

Resecurity identified several tools used in offensive cyber operations, ranging from data theft to tailored Internet surveillance solutions.

Email Content Eavesdropping Platform

One leaked document mentions Un-Mail, an email content eavesdropping system that uses XSS technology to obtain email login credentials and related information.

!Email Eavesdropping Platform Image courtesy of Resecurity

Un-Mail supports Chinese and foreign email providers, including Gmail, Yahoo, and AOL, using methods like password attacks, online login, email forwarding, and cookie manipulation.

!Email Content Image courtesy of Resecurity

The exfiltrated email content is stored in a centralized platform with features for managing multiple targets:

  • Data Overview
  • Data Lists
  • Email Management
  • Sender/Receiver Accounts
  • Transit/Proxy Settings

This tool can also map relationships between senders and receivers, extracting key information for intelligence analysis. Relationship Mapping is an important feature of intelligence analysis.

!Email Relationships Image courtesy of Resecurity

Remote Control System (RCS) - Windows T-Horse

The Windows T-Horse acts as a Remote Control System (RCS), compatible with Windows NT Incore (Windows 2000+) operating systems. It features capabilities similar to Remote Administration Tools (RAT), including file browsing, remote management, screen monitoring, and credential extraction.

!Remote Control System Image courtesy of Resecurity

It can evade over 40 major antivirus applications and utilize covert communication channels through DNS.

Compromised Data of Foreign Countries

Knownsec acquires large volumes of compromised data, focusing on geography, organizations, domain information, and network details. A strong targeting of Japan was identified, along with criteria related to military, government, energy, and transport organizations.

Compromised Data

Image courtesy of Resecurity

Evidence was found of compromised data collection from domestic (Chinese) enterprises and notable foreign enterprises, including Yam.com and Ledger.

!Targeted Enterprises Image courtesy of Resecurity

Network Reconnaissance - ZoomEye

ZoomEye is Knownsec's global vulnerability-scanning and network mapping tool. An extensive dataset related to Taiwan's critical infrastructure organizations was identified, which could be used in ZoomEye or for targeted exploitation activities.

ZoomEye Interface

Image courtesy of Resecurity

The company was building a Critical Infrastructure Target Database (关基目标库) to navigate and prioritize targets, prioritizing countries such as Taiwan, the US, Japan, India, and Korea.

By targets, the following industries have been marked as high-priority: defense, arms manufacturing, government, political parties, energy, transportation, telecommunications, broadcasting, finance, healthcare, multimedia, and education.

Targeted Countries

Image courtesy of Resecurity

ZoomEye is used for reconnaissance, targeting, and exploitation. Operators may upload scans via FTP or add new data offline.

Staff Members

A list of Knownsec employees was identified, referencing departments including Government Affairs and Cloud Defense.

Knownsec Staff

Image courtesy of Resecurity

Another list included engineers, project managers, and interns.

Gopher Security: Your Zero-Trust Solution

In light of these sophisticated threats, Gopher Security offers an AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments, using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

Contact Gopher Security today to learn how we can protect your organization from advanced cyber espionage.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

AI-Driven Cybersecurity Innovations: The Future of Threat Prevention
AI agents security

AI-Driven Cybersecurity Innovations: The Future of Threat Prevention

AI agents are prime targets for cyberattacks. Discover evolving threats like prompt injection & AI-powered exploits, and learn how to fortify your defenses. Read now!

By Brandon Woo January 22, 2026 5 min read
common.read_full_article
GootLoader Malware Evades Detection Using Nested ZIP Archives
GootLoader

GootLoader Malware Evades Detection Using Nested ZIP Archives

GootLoader is back with advanced tricks, using malformed ZIPs to bypass security & target businesses. Learn how to detect and defend against this threat. Protect your assets!

By Edward Zhou January 21, 2026 3 min read
common.read_full_article
WhisperPair Vulnerability: Millions of Bluetooth Devices at Risk
WhisperPair attack

WhisperPair Vulnerability: Millions of Bluetooth Devices at Risk

Millions of Bluetooth audio devices are at risk from the WhisperPair vulnerability. Learn how attackers can eavesdrop and track your devices, and what you can do to protect yourself. Update your firmware now!

By Jim Gagnard January 20, 2026 3 min read
common.read_full_article
Tech Hiring Growth: 12-15% Increase in AI and Data Jobs by 2026
India tech job market

Tech Hiring Growth: 12-15% Increase in AI and Data Jobs by 2026

India's tech job market is set for a 12-15% surge in 2026, creating 1.25 lakh roles. Discover key sectors and skills in demand. Read more!

By Edward Zhou January 19, 2026 3 min read
common.read_full_article