
One of China's largest cybersecurity firms has been compromised in what security experts are calling one of the most consequential state-backed hacking exposures in history. Over 12,000 classified documents from Knownsec—a government-linked contractor backed by tech giant Tencent—have been leaked, revealing the scope and sophistication of Beijing's cyber espionage operations worldwide.
The breach, which occurred on November 2, 2025, initially surfaced on GitHub before being removed for terms-of-service violations. The stolen trove includes weaponized malware source code, command-and-control frameworks (systems that allow remote control of compromised devices), and detailed target lists spanning more than 20 countries, including Japan, Vietnam, India, Indonesia, the UK, and Nigeria.
Advanced Cyber Weapons Exposed
The leaked files detail Remote Access Trojans (RATs) designed to compromise every major operating system—from Windows and macOS to iOS and Android. Particularly alarming is sophisticated Android surveillance code capable of extracting complete message histories from popular chat apps, including Telegram and Chinese messaging platforms.
Perhaps most striking is documentation of a malicious power bank—a compromised portable charger engineered to covertly siphon data from any connected device, representing an advanced hardware-based supply-chain attack.
Massive Data Theft Documented
Internal spreadsheets reveal extensive data exfiltration operations: 95GB of Indian immigration records, 3TB of call records from South Korean telecom operator LG U Plus, and 459GB of Taiwanese road planning data. The documents list over 80 successfully compromised foreign organizations.
"The Knownsec breach doesn't just reveal tooling, it reveals doctrine," said Richard Blech, CEO of XSOC CORP. "This represents a fundamental shift in cyber doctrine toward observation and inference, where massive datasets feed AI models optimized to predict behavior from encrypted telemetry and metadata."
The Chinese Foreign Ministry stated it was "unfamiliar" with the incident while reaffirming opposition to cyberattacks, though it notably avoided denying government involvement in such operations.
Immediate Actions Required
Security experts urge organizations in affected countries to conduct immediate threat hunts for Knownsec's known malware families, audit all network activity for unauthorized access, and rotate credentials. The leak is currently being auctioned on dark web forums, raising concerns about the proliferation of these state-grade tools to criminal groups and rival nations.