The Knownsec leak has revealed an unprecedented look inside China’s state-linked cybersecurity and intelligence ecosystem. Newly surfaced documents, internal slides, and code repositories show how Knownsec built tools for nationwide surveillance, global reconnaissance, and data harvesting that extended far beyond its commercial security products. The breach includes data mapping frameworks, leaked software manuals, and captured internal databases used to monitor foreign infrastructure and communications.
This discovery expands upon the original Knownsec data breach and provides deeper insight into how China’s private security contractors support government operations. The leak includes over 12,000 documents, with new evidence connecting Knownsec’s products to data collection on foreign nations and real-world espionage activities.
Background of the Knownsec Leak
Knownsec Information Technology Co., Ltd. is one of China’s largest cybersecurity and network intelligence companies. It operates several well-known platforms, including ZoomEye, a global Internet asset search engine similar to Shodan, and offers network protection, data analytics, and cyber threat intelligence services. Officially, the company positions itself as a “cybersecurity innovator,” but leaked documents paint a broader picture of a company functioning as both defender and digital reconnaissance provider for state agencies.
The new Knownsec leak surfaced on dark web forums shortly after the company’s earlier breach gained attention in October. Researchers examining the files found multiple internal manuals and screenshots detailing the operation of offensive frameworks, remote control systems, and data collection services linked to Knownsec’s enterprise customers, many of which include government and law enforcement agencies in China.

Key Findings from the Leak
The leaked materials include technical documentation and presentations from internal products that reveal Knownsec’s extensive cyber mapping and monitoring capabilities. Among the recovered files are directories showing structured datasets referencing LinkedIn profiles and geographic regions, as well as educational-style documentation on cyber intrusion tools labeled under “GhostX.”
- Data Sources: Directories reference data harvested from LinkedIn and other public repositories, organized by country, such as “linkedin_brazil,” “linkedin_southafrica,” and “linkedin_json.”
- Offensive Tools: Manuals describe email interception systems, password attacks, cookie theft modules, and command execution capabilities that mirror advanced persistent threat (APT) methods.
- Training and Education: Some slides appear to be designed for internal training, showing how to conduct Wi-Fi exploits, MITM (man-in-the-middle) attacks, and XSS-based credential harvesting.
These assets suggest Knownsec was not merely a passive intelligence provider. It actively developed, tested, and distributed frameworks capable of data collection, intrusion, and control of remote systems.

LinkedIn and Data Harvesting Operations
One of the most alarming components of the Knownsec leak is the presence of structured datasets referencing professional social platforms such as LinkedIn. Within the Hive directories are tables and paths referencing datasets like “linkedin_brazil_202305” and “linkedin_southafrica_202305,” implying ongoing or recently maintained data collection pipelines as of 2023.
Such datasets are invaluable to intelligence operations because they contain occupational details, contact information, and professional relationships. This data can be correlated with IP addresses and geolocation information to profile targets across national boundaries. When combined with Knownsec’s ZoomEye and other internal mapping tools, the result is a detailed global index of potential digital and human assets.
Researchers believe these datasets were used to cross-reference corporate or governmental employees with exposed network endpoints to create a targeting list for surveillance or infiltration purposes.
GhostX and the “Un-Mail” Email Attack System
One of the centerpiece discoveries in the Knownsec documents is the GhostX framework, a suite of modular attack systems that includes “Un-Mail,” an email interception and exploitation platform. The leaked slides describe Un-Mail as using XSS techniques to obtain login credentials, communication logs, and other mailbox data. It supports multiple collection methods including IMAP, POP3, and Webmail, with real-time keyword filtering and message forwarding.

The presentation indicates that Un-Mail can perform stealth collection without altering mailbox states, providing continuous access over 24-hour intervals. This capability aligns with offensive intelligence operations designed to silently monitor email communications between targeted entities. Another slide shows that the system supports dozens of email providers including Gmail, AOL, Yahoo, and regional Chinese platforms like 163.com and QQ Mail.
Wi-Fi Intrusion and Network Exploitation Tools
The leak also exposes a range of network exploitation diagrams detailing how Knownsec tools could map and infiltrate Wi-Fi networks. A flowchart titled “Wi-Fi Attack Path” outlines both access point and client-side attacks, including MITM interception, credential harvesting, ARP spoofing, and exploitation of known vulnerabilities such as KRACK.

Additional documents show example packet capture (pcap) usage scenarios and offline data extraction tasks, implying Knownsec maintained tools for analyzing intercepted traffic and managing batch data collection jobs. Combined with the Un-Mail system, these diagrams show a unified ecosystem for digital interception across both wired and wireless environments.
Windows Trojan Remote Control System
Perhaps the most striking portion of the GhostX documentation describes a remote control framework for Windows systems compatible with Windows 2000 and later. This “Windows Trojan” module includes capabilities for process management, keylogging, screen capture, and remote command execution. The documentation explicitly claims that it can bypass major Chinese antivirus programs and firewall systems, including 360 and Kaspersky-based protections.

The document also describes built-in features such as DNS and UDP-based callback channels, suggesting the Trojan was engineered for persistent control of compromised endpoints. While it is not confirmed that these systems were deployed against live targets, their existence inside a commercial cybersecurity vendor’s environment raises critical questions about dual-use technology development.
ZoomEye and the “Global Cyber Mapping” Framework
ZoomEye, Knownsec’s commercial network search engine, has long been known for its global scanning capabilities. However, the leaked presentations reveal that its internal configuration extends far beyond what is publicly visible. The slides boast the ability to scan the entire IPv4 address space in 7 to 10 days and identify over 40,000 component types.

The integration of ZoomEye data with Knownsec’s “key target database” provides the missing link between reconnaissance and exploitation. Internal documents describe how operators could use IP intelligence to identify critical infrastructure assets by country, industry, or organization. By cross-referencing these assets with social datasets like LinkedIn, Knownsec’s clients could prioritize targets that align with strategic objectives, effectively creating a cyber reconnaissance map of global infrastructure.
Analysis of Knownsec’s Role in State-Level Operations
The Knownsec leak confirms that the company’s products were deeply integrated into national cyber defense and intelligence ecosystems. Many of the leaked training materials reference law enforcement or military applications, including network situational awareness systems and security command platforms. The presence of “关基目标库说明文档” (Key Infrastructure Target Database Manual) is particularly revealing. It describes methods for identifying and categorizing assets belonging to critical national infrastructure sectors across multiple countries.
Through this system, analysts could quickly identify exposed devices, vulnerable servers, and public endpoints associated with defense, telecommunications, and political organizations. This functionality mirrors the kind of operational targeting seen in state-backed cyber operations.

Knownsec’s close relationship with Chinese state agencies is well documented. It has collaborated with government cybersecurity research institutes and supplied software tools to provincial public security bureaus. The new leak substantiates that these partnerships extended into intelligence-gathering and possibly offensive research domains.
Global Impact and Ethical Implications
The exposure of this data has significant international implications. It demonstrates how commercial cybersecurity firms can operate as intermediaries between government institutions and covert cyber activities. The tools and datasets in the Knownsec leak highlight the blurred line between national defense and active espionage.
From an ethical standpoint, the existence of internal documents describing attack platforms and exploitation frameworks within a publicly listed security company undermines the trust placed in such organizations. It also raises broader concerns about global supply chain security, since companies like Knownsec often provide network scanners, software libraries, and threat detection tools used internationally.
China’s Expanding Cyber Ecosystem
The Knownsec incident is part of a larger trend of Chinese cybersecurity companies acting as both defenders and data collectors. The country’s cybersecurity law mandates that companies cooperate with state intelligence work when required, effectively merging the private and public sectors in cyber operations. The Knownsec leak shows how this collaboration materializes in practice, revealing a detailed ecosystem of digital surveillance tools designed for both monitoring and exploitation.
These revelations also provide new intelligence to foreign governments and research institutions. Security analysts can use the leaked frameworks to identify possible infrastructure used in Chinese cyber operations and build signatures to detect future activity based on Knownsec-derived technologies.
Mitigation and Response
Organizations worldwide should treat this event as a reminder of the risks associated with foreign cybersecurity supply chains. Systems using Knownsec or ZoomEye APIs should undergo immediate review. Security teams are advised to implement the following actions:
- Review any Knownsec-based integrations, APIs, or scanning tools for potential data exposure.
- Block or monitor inbound traffic from Knownsec IP ranges if abnormal scanning or telemetry is detected.
- Conduct internal audits for LinkedIn-style data scraping or unauthorized OSINT collection that could be leveraged by third parties.
- Update endpoint protection to detect possible rebranded versions of the GhostX or Un-Mail toolkits.
- Use advanced malware detection solutions such as Malwarebytes to scan for suspicious processes and persistence mechanisms associated with Knownsec-derived malware.
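Two of the actions above, monitoring for abnormal inbound scanning and looking for persistence mechanisms such as the DNS/UDP callback channels described in the GhostX documentation, can be approximated with simple log triage. The following is an added example, not code from the leak, from Knownsec, or from this article: the connection-log lines are constructed, the log format is assumed (timestamp, source, destination, port, protocol, action), and the thresholds (eight distinct targets for a scanner, five or more UDP/53 events with near-constant spacing for a beacon) are illustrative starting points rather than values the leak provides. No real Knownsec address ranges appear here; the external addresses are documentation prefixes.

```python
"""Defender-side triage over connection logs (added example, constructed data).

find_scanners():            flags sources that touch many distinct host:port pairs,
                            the signature of mass reconnaissance scanning.
find_periodic_callbacks():  flags internal hosts whose outbound UDP/53 traffic is
                            spaced at near-constant intervals, a common shape for
                            DNS-based command-and-control callbacks.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample log (not real traffic). Fields:
# timestamp src_ip dst_ip dst_port proto action
# 203.0.113.7  -> external host sweeping several hosts and ports (scanner)
# 203.0.113.9  -> external host with ordinary repeat visits to one service
# 10.0.0.5     -> internal host sending UDP/53 every 60 s (beacon-like)
# 10.0.0.8     -> internal host with irregular, normal-looking DNS lookups
SAMPLE_LOG = """\
2023-05-01T10:00:00 203.0.113.7 198.51.100.10 22 tcp deny
2023-05-01T10:00:01 203.0.113.7 198.51.100.10 80 tcp allow
2023-05-01T10:00:01 203.0.113.7 198.51.100.10 443 tcp allow
2023-05-01T10:00:02 203.0.113.7 198.51.100.11 22 tcp deny
2023-05-01T10:00:02 203.0.113.7 198.51.100.11 80 tcp allow
2023-05-01T10:00:03 203.0.113.7 198.51.100.11 443 tcp allow
2023-05-01T10:00:03 203.0.113.7 198.51.100.12 22 tcp deny
2023-05-01T10:00:04 203.0.113.7 198.51.100.12 80 tcp allow
2023-05-01T10:00:04 203.0.113.7 198.51.100.13 22 tcp deny
2023-05-01T10:00:05 203.0.113.7 198.51.100.13 8080 tcp deny
2023-05-01T10:00:10 203.0.113.9 198.51.100.10 443 tcp allow
2023-05-01T10:03:10 203.0.113.9 198.51.100.10 443 tcp allow
2023-05-01T10:00:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:01:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:02:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:03:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:04:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:05:00 10.0.0.5 198.51.100.53 53 udp allow
2023-05-01T10:00:03 10.0.0.8 198.51.100.53 53 udp allow
2023-05-01T10:00:40 10.0.0.8 198.51.100.53 53 udp allow
2023-05-01T10:02:15 10.0.0.8 198.51.100.53 53 udp allow
2023-05-01T10:02:16 10.0.0.8 198.51.100.53 53 udp allow
2023-05-01T10:04:50 10.0.0.8 198.51.100.53 53 udp allow
"""


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    proto: str
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format; blank/comment lines skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), proto, action))
    return events


def find_scanners(events: List[Event], min_targets: int = 8) -> Dict[str, int]:
    """Return {src_ip: distinct host:port count} for sources at or above min_targets.
    Denied and allowed attempts both count: a scanner's fan-out is the signal."""
    targets = defaultdict(set)
    for e in events:
        targets[e.src].add((e.dst, e.port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_periodic_callbacks(events: List[Event], port: int = 53, proto: str = "udp",
                            min_events: int = 5, max_cv: float = 0.15) -> Dict[str, float]:
    """Return {src_ip: mean interval seconds} for hosts whose traffic to the given
    port/proto has a coefficient of variation (stdev/mean of gaps) <= max_cv."""
    by_src = defaultdict(list)
    for e in events:
        if e.port == port and e.proto == proto:
            by_src[e.src].append(e.ts)
    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all timestamps identical: a burst, not a beacon
            continue
        if pstdev(gaps) / avg <= max_cv:
            flagged[src] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("scan-like sources:", find_scanners(evts))
    print("beacon-like DNS sources:", find_periodic_callbacks(evts))
```

The scanner check is deliberately protocol-agnostic and counts denied connections too, since a sweep that bounces off a firewall is still worth a block or a watch-list entry. The beacon check is a coarse heuristic: legitimate software (NTP, update checks, monitoring agents) also polls on fixed timers, so a hit is a lead for endpoint investigation, not a verdict, and the thresholds should be tuned against a site's own baseline before alerting on them.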
The Knownsec leak reveals a striking reality: cybersecurity companies can simultaneously act as defenders and aggressors within the digital landscape. Knownsec’s internal documents show that its technologies were capable of mapping, exploiting, and surveilling global networks under the guise of research and security development. This blurring of ethical boundaries represents a turning point in how the world views state-aligned technology firms.
As more documents continue to surface, the Knownsec case will remain one of the most consequential exposures in modern cyber intelligence history. It not only illuminates China’s approach to global cyber operations but also exposes the deep connections between government priorities and private technology enterprises.