KELA REPORT

Alleged Knownsec Data Leak

Unmasking the convergence of commercial innovation and state-sponsored cyber espionage in China.

In late October 2025, a significant data leak allegedly exposed the internal operations of Knownsec, one of China’s leading cybersecurity firms. This research report analyzes the 12,000+ file dataset to reveal a company operating under a “civil-military fusion” model. Publicly, Knownsec acts as a commercial innovator. However, it secretly serves as a contractor for Chinese state agencies like the Ministry of Public Security.

The investigation uncovers evidence of industrial-scale reconnaissance and offensive capabilities, including the “GhostX” espionage framework and a weaponized version of the ZoomEye search engine. The leaked data suggests Knownsec has been actively mapping critical infrastructure targets. These targets span energy, finance, and military sectors across 26 regions globally. As a result, this activity provides the Chinese state with detailed situational awareness for potential future operations.


In KELA’s new report, you’ll learn:

  • State-Private Nexus: Documents reveal organizational links between Knownsec and the Ministry of Public Security. This illustrates the blurred lines between private vendors and state intelligence.
  • Global Target Mapping: Analysis of a “Key Infrastructure Target Database” shows the tracking of over 24,000 organizations and 379 million IPs. These targets span nations like the US, Japan, and the UK.
  • Weaponized Reconnaissance: The internal version of ZoomEye is used not just for search, but also to identify and prioritize vulnerable assets for exploitation campaigns.
  • Offensive Toolset: KELA details proprietary tools like “Un-Mail” for email interception and “GhostX” for identity theft. These tools were developed well beyond the scope of defensive security.

 
