Chinese Cybersecurity Firm Data Breach Knownsec Leak Exposes Global Target Lists


CRITICAL CYBERSECURITY ALERT

Date: November 2025 • Source: MRXN Threat Intelligence

Incident: Data breach at Knownsec reveals offensive cyber toolkits and worldwide surveillance targets.

Why it matters: Provides rare insight into alleged state-aligned hacking campaigns and long-term infiltration of telecom, immigration, and infrastructure systems.

A newly leaked archive from Knownsec, a major Chinese cybersecurity firm with government contracts, exposed thousands of files detailing offensive tooling, hardware surveillance designs, and global target lists. MRXN investigators verified the documents after the leakers briefly published them on GitHub, where they were taken down shortly afterward.

The cache holds more than 12,000 internal files—source code, operational spreadsheets, and communication transcripts—now circulating among researchers and prompting urgent reviews in countries named throughout the leak.

MRXN screenshot showing Knownsec’s leaked spreadsheets and offensive tooling documents.

KEY TAKEAWAYS AT A GLANCE

What MRXN Confirmed

  • Digital signatures and metadata tie the files directly to Knownsec’s secure collaboration environment.
  • Documents describe joint projects with Chinese government departments focused on offensive cyber operations.
  • Target sheets list 80+ foreign organizations across telecom, immigration, transportation, and research sectors.
  • Harvested datasets include 95 GB of Indian immigration records, 3 TB of LG U+ telecom metadata (South Korea), and 459 GB of Taiwan road-planning data.
  • Hardware designs feature a Trojanized power bank that silently siphons smartphone data while charging.

WHAT WAS LEAKED?

The archive contains modular remote-access trojans, command-and-control frameworks, credential harvesters, and Android implants engineered to intercept chat and VoIP traffic. Components span Windows, Linux, macOS, iOS, and Android, highlighting multi-platform reach.

Blueprints detail espionage hardware, including a consumer-style power bank designed to pull data from any phone connected to it, and circuitry for covertly activating a device microphone. MRXN verified the device schematics and firmware fragments. A practical caveat for defenders: current Android and iOS releases default to charge-only USB and require the user to unlock the device and approve a data connection, so a charger of this kind depends on either user consent, an older or misconfigured device, or an exploit for the USB stack to reach anything beyond power; that does not make the design harmless, but it does mean USB data-blocking adapters and a no-untrusted-chargers policy for travelling staff remain effective mitigations.

GLOBAL TARGET MAP & ALLEGED OPERATIONS

The leaked spreadsheets map dozens of foreign targets, logging network descriptions, infiltration status, and the volume of data already exfiltrated from each. Countries named include Japan, Vietnam, Indonesia, India, Nigeria, and the United Kingdom.

Representative Data Points

  • India: 95 GB of immigration and border-management records.
  • South Korea: 3 TB of call detail records from LG U+.
  • Taiwan: 459 GB of transportation planning datasets.

MRXN concludes the data volumes indicate sustained, years-long access to critical infrastructure and personal data, enabling espionage or future offensive operations.

OFFICIAL RESPONSE & INTERNATIONAL REACTIONS

China’s Ministry of Foreign Affairs claimed “unfamiliarity” with the incident while restating opposition to cyberattacks, leaving the Knownsec allegations unanswered. National CERTs in the named countries are reviewing MRXN’s indicators of compromise and coordinating with local agencies to assess exposure.

Government investigations now focus on verifying whether active intrusions persist, neutralizing exposed access points, and weighing potential legal or diplomatic responses.

IMMEDIATE ACTIONS FOR POTENTIALLY AFFECTED ORGANIZATIONS

  • Run multi-year forensic reviews of VPN, privileged, and remote-access logs.
  • Rotate passwords, SSH keys, and API tokens tied to exposed networks.
  • Deploy behavioral analytics and EDR to detect persistence and lateral movement.
  • Assess personal-data exposure and fulfill notification obligations.
  • Request updated indicators of compromise from national CERTs or trusted intelligence partners.
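One way to start the log review called for in the first action above, as an added example that is not from the article, from MRXN, or from any named CERT: a Python script that builds a per-account baseline from the first 90 days of an account's successful VPN logins and then flags later logins from a country or source IP never seen in that baseline, logins that follow a long dormant period, and logins outside business hours. The log format, the field names, the thresholds, the business-hours window and every log line below are constructed assumptions for the example; real concentrators log differently and the baseline window should match the site's own history.

```python
"""Baseline-deviation review of remote-access (VPN) logs.

Added example for this article; not code from MRXN, Knownsec or any
national CERT. The log format, the thresholds and every log line are
constructed for illustration. The 'country' field assumes the VPN
concentrator already resolved the client IP to a country code; "ZZ"
is a placeholder code, not a real country.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export: ISO timestamp, user, client IP, country, result.
# 'alice' is quiet for over a year, then reappears at night from a new
# country and IP; 'bob' reappears from his usual address, just late.
SAMPLE_LOGS = """\
2023-01-10T08:02:11Z alice 203.0.113.5 IN success
2023-01-11T08:15:40Z alice 203.0.113.5 IN success
2023-02-03T09:00:02Z alice 203.0.113.5 IN success
2024-06-14T03:12:55Z alice 198.51.100.77 ZZ success
2024-06-14T03:40:10Z alice 198.51.100.77 ZZ success
2023-01-10T07:55:00Z bob 192.0.2.10 IN success
2024-06-14T22:10:44Z bob 192.0.2.10 IN success
2024-06-15T02:30:00Z svc-backup 198.51.100.80 ZZ failure
"""

BASELINE_DAYS = 90             # assumption: first 90 days of activity define "normal"
DORMANT_DAYS = 180             # assumption: a login after >180 days of silence is notable
BUSINESS_HOURS = range(6, 20)  # assumption: 06:00-19:59 UTC is the working window


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    result: str


def parse(text):
    """Parse the constructed log format into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, user, ip, country, result))
    events.sort(key=lambda e: e.ts)
    return events


def review(text):
    """Return findings as (rule, user, iso_timestamp) tuples.

    Only successful logins are baselined and reviewed; failed attempts
    are a separate question (brute force) and are skipped here.
    """
    findings = []
    by_user = defaultdict(list)
    for e in parse(text):
        if e.result == "success":
            by_user[e.user].append(e)

    for user, evs in by_user.items():
        first = evs[0].ts
        window = timedelta(days=BASELINE_DAYS)
        baseline = [e for e in evs if e.ts - first <= window]
        known_countries = {e.country for e in baseline}
        known_ips = {e.ip for e in baseline}
        prev = None
        for e in evs:
            stamp = e.ts.isoformat()
            # Geography / source checks only apply once the baseline is closed.
            if e.ts - first > window:
                if e.country not in known_countries:
                    findings.append(("new_country", user, stamp))
                elif e.ip not in known_ips:
                    findings.append(("new_ip", user, stamp))
            # Long silence followed by a login: classic dormant-account reuse.
            if prev is not None and e.ts - prev.ts > timedelta(days=DORMANT_DAYS):
                findings.append(("dormant_reactivation", user, stamp))
            # Interactive VPN logins at night deserve a second look.
            if e.ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours", user, stamp))
            prev = e
    return findings


if __name__ == "__main__":
    for rule, user, stamp in review(SAMPLE_LOGS):
        print(f"{stamp} {user:<12} {rule}")
```

A single finding is a lead, not a verdict: the point is to surface candidates for manual review across the whole retention window, so feed the script the full multi-year export rather than the last 30 days, and treat an account that trips several rules at once (here, alice) as the first one to pull session details and endpoint telemetry for.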

LONG-TERM DEFENSE STRATEGY

  • Adopt zero-trust controls to limit blast radius from compromised credentials.
  • Segment critical data stores and enforce least-privilege access.
  • Strengthen endpoint security (desktop, server, mobile) via managed EDR.
  • Create nation-state breach runbooks and cross-border escalation workflows.
  • Join threat-intelligence sharing groups for faster awareness of new TTPs.

WHAT TO WATCH NEXT

Analysts expect the Knownsec leak to drive deeper scrutiny of private Chinese cybersecurity firms’ ties to state-sponsored operations. Organizations named in the documents should stay alert for spear-phishing, supply-chain compromise, or credential abuse based on the exposed intelligence.

CyberUpdates365 will monitor MRXN advisories, takedown efforts, and any official statements from affected governments.


Educational use only. Facts sourced from verified investigative reports. Always comply with regional disclosure laws and responsible reporting practices.

Author

  • Cybersecurity engineer, DevOps practitioner, and SEO strategist focused on making complex security and infrastructure topics easy to understand. I build hardened cloud pipelines, analyze emerging threats, and craft search-optimized guides so teams can ship faster without sacrificing trust or compliance.

