In early November 2025, a large-scale data leakage event affected Zhichuangyu (Knownsec), a major network security company affiliated with the Chinese government. According to reports from the Chinese infosec blog MXRN, hackers successfully breached the firm’s systems and allegedly stole more than 12,000 confidential documents. This significant exposure has drawn considerable attention from the international cybersecurity community.
The stolen trove is said to include highly sensitive material, notably information on China’s national-level cyber weapons and internal tool systems, as well as a comprehensive global list of intended targets. The documents also reportedly provided evidence of advanced Remote Access Trojans designed to compromise major operating systems, specifically Linux, Windows, macOS, iOS, and Android. The Android-specific code is allegedly capable of extracting data from popular Chinese messaging applications and Telegram.
Beyond the cyber-weapon details, the leaked data contained extensive intelligence and operational information. This included a spreadsheet listing 80 successful overseas attacks carried out by Knownsec. Furthermore, the haul comprised massive datasets such as 95GB of immigration data stolen from India, a staggering 3TB of call records taken from South Korean telecom operator LG U Plus, and 459GB of road planning data originating from Taiwan.
The exposure of this breach not only highlights security vulnerabilities within Knownsec, a firm specializing in cybersecurity services, but, more critically, it unveils to global security researchers the nature of the Chinese government-backed cyber-weapon ecosystem. It also illuminates the targeted monitoring and attack campaigns allegedly directed against several countries worldwide, with target countries cited as including Japan, Vietnam, and Taiwan.
MXRN further stated that the attackers posted a portion of these highly confidential documents to GitHub. However, the platform reportedly acted quickly to remove the material soon after its public appearance. The incident serves as a major revelation regarding state-affiliated offensive cyber capabilities.