A massive data leak from KnownSec, a prominent Beijing-based cybersecurity firm, has exposed the inner workings of a sophisticated, state-aligned cyber espionage apparatus. The leaked documents, including internal manuals, project sheets, and target databases, reveal how the company operates as a key contractor for China’s Ministry of Public Security (MPS) and other state entities, blurring the line between commercial security services and offensive intelligence operations.
According to a new report from DomainTools, KnownSec’s operations are not merely defensive but constitute a “vertically integrated espionage stack” designed for global reconnaissance, targeted intrusion, and long-term surveillance.
The leak highlights KnownSec’s “ZoomEye” platform—publicly marketed as a cyberspace search engine similar to Shodan—as a critical intelligence sensor. Unlike standard scanners, ZoomEye integrates with a classified “TargetDB” (Key Target Library), transforming raw internet data into actionable intelligence.
“ZoomEye’s detection capabilities are unusually granular. Its internal documentation highlights a library of 40,000+ component fingerprints… allowing it to identify not just common servers but also specialized firewalls, industrial controllers, VPN concentrators, and software versions critical for exploitation targeting.”
This integration allows state clients to prioritize targets based on strategic value. The leaked “TargetDB” contains over 24,000 organizations and 378 million IP addresses, mapping critical infrastructure across 26 regions, including Taiwan, Japan, South Korea, and India.
“The database does not simply list assets; it assigns them meaning, aligning infrastructure with strategic objectives and intelligence requirements.”
For active intrusion, KnownSec employs GhostX, an offensive framework described as a “multi-vector exploitation and persistence framework.” It is engineered to profile users, steal credentials, and manipulate network traffic.
“It begins with browser fingerprinting… to create a durable identity signature that follows a user across VPNs, proxies, and devices.”

Once inside a network, GhostX can deploy modules for “routing manipulation” and “DNS hijacking,” allowing attackers to redirect traffic and maintain long-term access.
Complementing this is Un-Mail, a specialized platform for webmail takeover. The report notes its ability to perform “IMAP/POP mailbox replication,” silently syncing a victim’s entire inbox to an attacker-controlled server.
“The platform’s most powerful capability is its ability to perform IMAP/POP mailbox replication, silently downloading the entire mailbox… into a local datastore under operator control.”
Perhaps the most distinctive tool revealed is Passive Radar (无源雷达), designed to map internal networks without generating the noise of active scanning. By ingesting packet capture (PCAP) data from compromised hosts or network taps, it reconstructs the target’s digital terrain.
“Unlike active scanners that generate detectable traffic, Passive Radar relies exclusively on the ingestion and analysis of packet capture (PCAP) data.”
This tool allows operators to “identify IP addressing schemes, port usage, protocol signatures… and traffic flows,” effectively charting the internal structure of a victim’s network to facilitate lateral movement.
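The passive-mapping idea described above, as an added illustration that is not code from the leak, from KnownSec, or from the DomainTools report: a defender builds the same inventory from a SPAN-port or tap capture to baseline which subnets, hosts and service ports are actually in use, and it shows why collection of this kind trips no scan-detection rule, since every packet was already on the wire. It assumes a little-endian libpcap file of Ethernet/IPv4/TCP frames; the traffic is constructed inline.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap file (constructed test data, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not validated below)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def passive_map(pcap):
    """Derive subnets, reached service ports per host, and flows from an IPv4/TCP pcap.
    Only a little-endian microsecond pcap (magic A1B2C3D4) is handled here."""
    subnets, services, flows = Counter(), defaultdict(set), Counter()
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        for h in (src, dst):                   # addressing scheme: which /24s are alive
            subnets[str(ip_network(h + "/24", strict=False))] += 1
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:      # TCP only
            continue
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        flags = frame[14 + ihl + 13]
        if (flags & 0x12) == 0x02:             # SYN without ACK: a service being reached
            services[dst].add(dport)
        flows[(src, dst, dport)] += 1          # one flow per (src, dst, dst port)
    return subnets, services, flows

# Constructed traffic: one client reaching two servers, plus one server reply
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.1.5", "10.0.2.20", 40000, 443, 0x02),   # SYN
    tcp_frame("10.0.2.20", "10.0.1.5", 443, 40000, 0x12),   # SYN-ACK
    tcp_frame("10.0.1.5", "10.0.2.20", 40000, 443, 0x10),   # ACK, data phase
    tcp_frame("10.0.1.5", "10.0.2.21", 40001, 3389, 0x02),  # SYN to a second host
])
```

Run `passive_map(SAMPLE_PCAP)` to get the three tables; on a real capture the same output is the baseline against which unexpected hosts, ports or flows stand out.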
The analysis underscores that KnownSec’s internal structure mirrors that of a defense contractor, with distinct divisions for offensive research (404 Lab) and militarized product development. The leak also revealed the company’s “data lake,” a massive repository of breached credentials and identity data used for “identity-correlation” and social engineering.
“In this light, Knownsec emerges not as a private security firm in the Western sense, but as a core node in China’s contractor-driven cyber state.”