Partial Leak of Knownsec Corporate Documents Resurfaces With Espionage Tradecraft, Offensive Cyber Tools, and Global Targeting Evidence
Incident Overview
A threat actor going by Blastoize has posted a partial set of corporate documents from Knownsec, a major Chinese cybersecurity firm with well-documented ties to the Chinese government and military. This is not a new breach but a redistribution of data from the original Knownsec leak, which first surfaced in November 2025 and has been widely regarded as one of the most significant exposures of state-sponsored cyber capabilities in recent years.
The actor references reporting from both Gopher Security and Resecurity that provides extensive analysis of the leaked material. The original breach exposed over 12,000 classified documents and revealed the inner workings of a firm that operates at the intersection of China's commercial cybersecurity sector and its state intelligence apparatus. Key revelations from the original leak include:
- Offensive Cyber Tools: Remote Access Trojans (RATs) engineered for Linux, Windows, macOS, iOS, and Android, plus Android-specific malware designed to extract message histories from Chinese chat applications and Telegram.
- Hardware Attack Vectors: Physical devices including a malicious power bank engineered to covertly exfiltrate data from any device plugged into it while appearing to function as a standard charger.
- Global Target Lists: Spreadsheets documenting over 80 overseas targets across more than 20 countries, including government agencies, telecommunications providers, and critical infrastructure operators.
- Stolen Data at Scale: Evidence of large-scale exfiltration operations, including 95 GB of Indian immigration records, 3 TB of South Korean call records from LG U Plus, and 459 GB of Taiwanese road planning data.
- Government Collaboration: Documents showing direct collaboration with Chinese government agencies including Chinese Police No.3 Research Department on data collection and network entity research projects.
- Internal Surveillance: Tools used not only externally against foreign targets but also internally to track Chinese companies and individuals for intelligence, control, and counterintelligence purposes.
The Chinese government has officially denied and downplayed the incident. When questioned, the Chinese Foreign Ministry stated that it was unaware of any breach at Knownsec and reiterated that China "firmly opposes and combats all forms of cyberattacks." Resecurity's analysis suggests the source of the original leak was likely an insider (a rogue employee) rather than an external intrusion, drawing parallels to the i-Soon leak that exposed similar state-linked cyber operations in 2024. That this data continues to resurface and circulate months later underscores its significance to the threat intelligence community.
