
GhostX Framework Leak Exposes China’s Offensive Cyber Tools and Data Collection Systems

The GhostX framework has emerged from the larger Knownsec leak as one of the most revealing discoveries yet about China’s cyber technology ecosystem. Newly analyzed documents indicate that GhostX is an operational platform created by Knownsec, the same state-linked cybersecurity contractor exposed earlier this year for developing espionage and offensive cyber capabilities. The GhostX framework provides a window into how commercial security vendors in China bridge the gap between defensive products and state-directed intelligence collection.

This article expands on earlier Botcrawl coverage of the Knownsec data breach and the Knownsec leak, focusing specifically on the internal architecture, modules, and implications of the GhostX system. While the previous leaks revealed target lists and global reconnaissance data, the GhostX framework shows the tools and processes that made those operations possible.

Background of the GhostX Leak

The GhostX materials surfaced after the Knownsec breach files began circulating across multiple dark web forums. Among the trove of over 12,000 stolen files were several slide decks, user guides, and interface screenshots referencing a system called GhostX. These documents describe GhostX as an integrated operational platform designed to coordinate reconnaissance, intrusion, credential theft, and data exfiltration under a single command structure.

Knownsec, officially Knownsec Information Technology Co., Ltd., is a Chinese cybersecurity and software company that provides products and consulting services to both commercial clients and government agencies. Its connections to Chinese law enforcement and national security programs have long been public, but the GhostX framework leak confirms that the company’s research extended well beyond defensive security. The materials show software and workflows consistent with active surveillance and exploitation.

  • Origin: Files from the broader Knownsec leak verified by multiple cyber intelligence researchers.
  • Modules Identified: Un-Mail, Passive Radar, ZoomEye integration, Windows Remote Control, and GhostX Core.
  • First Appearance: Training documentation labeled V202309, likely from late 2023.

Architecture of the GhostX Framework

The GhostX framework is modular, combining several existing Knownsec technologies under one interface. Each module appears to perform a different function in the cyber operations lifecycle, from reconnaissance to post-exploitation. GhostX includes automation for data ingestion, report generation, and internal task handoff, suggesting that it was built for scalability and coordinated campaigns.

Main Components Identified

  • Un-Mail: An email exploitation tool capable of hijacking webmail accounts through cross-site scripting and cookie theft. It includes templates for phishing and credential replay.
  • ZoomEye Integration: Connects GhostX directly to Knownsec’s public vulnerability search engine, turning mass scan results into actionable target sets.
  • Passive Radar: A packet capture and network analysis utility that builds internal topologies of compromised environments.
  • Windows Remote Control Tool: A remote access implant for persistent access, file collection, and lateral movement inside networks.
  • GhostX Core Dashboard: A command center that links modules, assigns operators, and records mission logs.

Screenshots from the GhostX framework leak display a graphical dashboard similar to those used in professional security operation centers. Operators can import ZoomEye data, assign Un-Mail attack templates, and schedule Passive Radar sessions. The interface includes tabs for automation, data collection, and export functions, pointing to an industrialized approach to cyber operations.

Un-Mail: Email Exploitation and Credential Harvesting

The Un-Mail module is the most frequently referenced component in the GhostX framework leak. It automates attacks against online mail systems, allowing operators to bypass authentication, inject scripts, and capture credentials. The documentation claims Un-Mail can target a wide range of webmail providers, including global platforms and Chinese domestic services.

Captured screenshots show Un-Mail’s configuration screens with fields for sender spoofing, embedded payloads, and data export options. A section labeled “cookie replay” appears to automate session hijacking once credentials are obtained. The system also contains an “email forwarding rule” feature that silently redirects inbound messages from compromised accounts to an operator-controlled mailbox.

The presence of Un-Mail inside GhostX demonstrates that Knownsec’s internal tools were designed to perform active exploitation, not just forensic analysis. This distinction makes the GhostX framework one of the most direct links between commercial software development and offensive cyber capability in the Chinese market.

ZoomEye and the Key Target Library

ZoomEye, a public internet scanning engine operated by Knownsec, has been widely used by security researchers for legitimate reconnaissance. The GhostX framework leak, however, shows a private integration between ZoomEye data and an internal database labeled the Key Target Library. This integration turns open-source scanning into a curated target feed for intelligence collection.

The Key Target Library sorts targets into categories such as telecommunications, military, finance, energy, and political organizations across multiple countries. Leaked visuals show spreadsheets with IP addresses, hostnames, and open ports, accompanied by priority ratings and internal tags. These indicators confirm that ZoomEye’s data was being used to populate live target lists inside GhostX.

One slide labeled “Operational Workflow” explains that operators can select targets directly from the Key Target Library, perform vulnerability verification, and launch Un-Mail or Windows Remote Control modules as follow-on actions. The workflow resembles a full-spectrum attack pipeline rather than a defensive auditing process.

Passive Radar and Network Reconnaissance

Another critical component detailed in the GhostX framework leak is Passive Radar, a packet capture and traffic analysis system. Passive Radar appears designed to map internal networks and identify command nodes, servers, and sensitive data paths once access is achieved. It can also process pcap files and output visual topology maps showing host relationships and communication frequency.

According to the leaked documentation, Passive Radar’s typical use case involved importing traffic samples from compromised endpoints and running analytics to locate valuable assets. The system highlights database servers, credential stores, and administrator workstations, which can then be targeted with GhostX’s Windows Remote Control tool. In practice, this turns GhostX into a near-complete intrusion and lateral movement platform.

Windows Remote Control and Persistence

The GhostX framework leak includes screenshots of a Windows Remote Control module that operates as an implant. It supports file transfer, screen capture, process control, keystroke logging, and shell access. Operators can hide activity through encryption and scheduled callbacks. The module’s documentation also describes a cleanup procedure to remove traces after an operation concludes.

This capability overlaps with known features of Chinese Advanced Persistent Threat (APT) groups such as APT41, Mustang Panda, and RedDelta, suggesting that GhostX may have informed or shared development resources with those operations. While no direct attribution has been confirmed, the similarity in functionality is striking and reinforces the conclusion that the GhostX framework serves offensive rather than defensive objectives.

Comparison to Other Chinese Cyber Platforms

GhostX appears to fill a role similar to China’s other state-affiliated frameworks, including Red Star, Double Dragon, and various custom command-and-control systems. What sets GhostX apart is its corporate origin and its seamless integration with Knownsec’s legitimate research platforms. By embedding offensive capability within a commercial ecosystem, Knownsec effectively masked active operations under the guise of standard security services.

Cyber analysts note that this blending of public and private tools mirrors strategies seen in Russia and Iran, where security contractors often double as offensive research labs. The GhostX framework is one of the clearest examples of this dual-use structure operating at scale within China’s cyber industry.

Global Implications of the GhostX Framework Leak

The exposure of the GhostX framework raises significant concerns for global cybersecurity and supply chain integrity. Countries that rely on Chinese software or data services could unknowingly integrate tools capable of reconnaissance and surveillance. The Key Target Library demonstrates that data gathered through scanning can be directly tied to exploitation, turning benign analytics into offensive infrastructure.

For international regulators, the GhostX revelations will likely prompt deeper scrutiny of Chinese technology vendors that participate in both commercial cybersecurity and national defense projects. The line between research and espionage has blurred, and the GhostX framework exemplifies how that overlap can be institutionalized.

Recommendations for Organizations and Governments

  • Perform source validation: Review all vendor software that originates from Knownsec or its affiliates to verify telemetry endpoints and update channels.
  • Network segmentation: Isolate any external scanning or security tools from production networks to prevent telemetry leakage.
  • Credential rotation: Reset administrative and service account passwords if there is any history of interaction with Chinese security vendors or tools.
  • Threat hunting: Monitor for indicators of the Windows Remote Control implant, especially DNS-based command callbacks.
  • Contract review: Reevaluate procurement terms with vendors that have government-linked security programs.

Defensive teams should also collaborate with intelligence partners to obtain updated indicators of compromise (IOCs) associated with the GhostX framework. Because the leaked materials include function names, command syntax, and communication patterns, new detections can be created to flag potential reuse of these techniques in the wild.
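An added example of one detection the recommendations above call for, written for this article and not taken from the leaked materials: it groups DNS queries per client and query name and flags pairs whose inter-query gaps are nearly constant, the pattern a scheduled-callback implant produces and that normal browsing does not. The log format, host names and domains are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed resolver log: "<ISO timestamp> <client> <query name>" per line.
# ws-17 queries one name every ~5 minutes; everything else is irregular.
SAMPLE_LOG = """\
2025-11-02T10:00:00Z ws-17 updates.example-cdn.net
2025-11-02T10:00:05Z ws-17 mail.corp.example
2025-11-02T10:05:01Z ws-17 updates.example-cdn.net
2025-11-02T10:07:30Z ws-17 news.example.org
2025-11-02T10:09:59Z ws-17 updates.example-cdn.net
2025-11-02T10:15:00Z ws-17 updates.example-cdn.net
2025-11-02T10:20:01Z ws-17 updates.example-cdn.net
2025-11-02T10:01:10Z ws-22 mail.corp.example
2025-11-02T10:33:45Z ws-22 mail.corp.example
2025-11-02T10:34:02Z ws-22 news.example.org
2025-11-02T11:10:00Z ws-22 mail.corp.example
"""


def parse_log(text):
    """Group query times (epoch seconds) by (client, query name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, name = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        series[(client, name.lower())].append(when.timestamp())
    return series


def find_beacons(series, min_queries=5, max_jitter=0.1):
    """Return (client, name, mean_gap_seconds, count) for pairs with at least
    min_queries queries whose gaps vary by no more than max_jitter (std dev / mean).
    Loosen max_jitter to catch implants that randomise their callback interval."""
    beacons = []
    for (client, name), times in series.items():
        if len(times) < min_queries:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, name, round(avg), len(times)))
    return beacons
```

Run it over a day of resolver logs and review the flagged names against known update and monitoring services before escalating.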

Industry and Research Response

Cybersecurity researchers worldwide are currently analyzing the GhostX framework for technical signatures and overlap with known malware families. Several independent groups have already identified code similarities between GhostX modules and previously catalogued Chinese remote access tools. While these connections remain under investigation, they reinforce the assessment that GhostX was a live platform used in operational environments.

The leak also opens opportunities for defensive learning. By studying GhostX’s architecture, defenders can understand how state-linked actors automate reconnaissance, credential harvesting, and lateral movement. This understanding can directly improve detection and incident response methodologies.

For the broader industry, the GhostX framework case underscores the risks of opaque supply chains in cybersecurity software. Vendors must be transparent about telemetry flows, data retention, and government affiliations. Clients should demand independent audits before integrating any large-scale scanning or analysis products into enterprise networks.

The GhostX revelations complement the findings in the earlier Knownsec leak article, providing the technical context behind the data that was previously exposed. Together, these pieces complete the picture of how Knownsec’s internal technologies supported global mapping, surveillance, and exploitation campaigns under the banner of cybersecurity research.


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
