A massive trove of internal documents from Chinese private security firm I-Soon, posted to GitHub by an unknown leaker, reveals that the Shanghai-based contractor compromised more than a dozen foreign governments, NATO, universities, Hong Kong democracy organizations, and personal social media accounts on behalf of paying clients. The leak, analyzed this week by SentinelLabs and Malwarebytes, exposes one of the most concrete public views to date of China's commercial cyber espionage ecosystem.

What Happened

Last week an unknown individual uploaded hundreds of internal I-Soon files to GitHub, including chatlogs, sales presentations, target lists, and operational screenshots. SentinelLabs and Malwarebytes independently reviewed the dump and concluded that I-Soon, a private firm that competed for Chinese government contracts, conducted offensive operations against foreign state and civil society targets. I-Soon's website went offline shortly after the leak surfaced. China's foreign ministry told AFP it was "not aware" of the case, while restating opposition to cyberattacks.

What Was Taken

The leaked materials describe successful or attempted intrusions into government offices in India, Thailand, Vietnam, South Korea, the United Kingdom, and other countries, alongside NATO and academic institutions. Researchers found:

Why It Matters

The dump confirms what threat intel teams have long inferred: a substantial share of Chinese state-aligned offensive cyber activity is outsourced to private contractors operating on a hacks-for-contracts model. SentinelLabs called the leak some of the most concrete public evidence yet of "the maturing nature of China's cyber espionage ecosystem." For defenders, the targeting list signals that diplomatic, legislative, intelligence, and policy bodies, especially in South and Southeast Asia, NATO members, and Hong Kong civil society, remain priority objectives. The exposure of specific tooling and tradecraft also gives blue teams an unusual opportunity to hunt for related artifacts in their own environments.

The Attack Technique

The leaked documents do not reveal a single signature exploit, but they describe a contractor operation built around bespoke tradecraft against high-value mailboxes and accounts. Capabilities advertised or referenced in the trove include software for accessing Microsoft Outlook email, intrusion sets aimed at compromising social media accounts on X and Facebook, and operations against networks belonging to foreign ministries, prime ministers' offices, and intelligence services. Operations appear to be sold per target, with clients specifying the exact victim departments, which points to customized phishing, account takeover, and post-exploitation pipelines rather than mass commodity malware.

What Organizations Should Do

  1. Treat foreign ministries, legislative bodies, intelligence services, NATO suppliers, universities, and Hong Kong-linked NGOs as priority targets and tier their monitoring accordingly.
  2. Hunt for unauthorized access to Microsoft 365 and Outlook mailboxes: anomalous OAuth consent grants to third-party apps, inbox rules that forward or redirect mail to external addresses (especially rules that also delete or mark the message as read), and successful sign-ins over legacy protocols such as IMAP, POP3 and SMTP AUTH that cannot satisfy MFA.
  3. Enforce phishing-resistant MFA, such as FIDO2 security keys, on all executive, diplomatic, and high-risk personal accounts, including X and Facebook accounts used by activists and officials.
  4. Review SentinelLabs and Malwarebytes publications on the I-Soon leak and incorporate referenced indicators, tooling names, and TTPs into detection rules and threat hunts.
  5. Brief senior leadership and field staff in Asia-Pacific posts on the contractor model and likely social engineering pretexts derived from leaked target lists.
  6. Coordinate with national CERTs and trusted intel sharing partners to obtain non-public IOCs derived from the leak and to flag suspected I-Soon related activity.
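The mailbox hunt in step 2 is the one part of this list that is mechanical enough to script. The following is an added example, not code from SentinelLabs, Malwarebytes or the I-Soon leak, that runs three checks (external forwarding rules, risky OAuth consents, legacy-protocol sign-ins) over audit records. The records are constructed for the illustration and use a simplified, flattened version of the Microsoft 365 Unified Audit Log and Entra sign-in export shape; the tenant domain `mfa.example`, the user names and the app names are all assumptions, so adapt the field accessors before pointing this at a real export.

```python
"""Hunting mailbox-takeover artifacts in Microsoft 365 audit records.

Added illustration, not code from the researchers or the leak. The records
below are constructed; field names such as Operation, Parameters and
ClientAppUsed mirror the real exports, but the nesting is flattened.
"""
from dataclasses import dataclass

# Assumption: the tenant's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"mfa.example"}

# Legacy protocol names as they appear in Entra sign-in logs (ClientAppUsed).
# None of these can complete an MFA challenge, so they are a favourite
# post-phishing login path.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}

# Delegated Graph permissions that hand an attacker persistent mailbox access
# once a user clicks "Accept" on an illicit consent prompt.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}


@dataclass
class Finding:
    user: str
    check: str
    detail: str


def _params(record):
    """Flatten a cmdlet's Parameters list into {Name: Value}."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious_inbox_rules(records):
    """Flag New-/Set-InboxRule operations that leak mail to an external
    address, and note when the rule also hides the message from the victim."""
    findings = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        targets = []
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            targets += [a.strip() for a in p.get(key, "").split(";") if a.strip()]
        external = [a for a in targets if _is_external(a)]
        if not external:
            continue
        hidden = p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
        detail = f"rule '{p.get('Name', '?')}' forwards to {external}"
        if hidden:
            detail += " and hides the message (DeleteMessage/MarkAsRead)"
        findings.append(Finding(r["UserId"], "external-forwarding-rule", detail))
    return findings


def find_risky_consents(records):
    """Flag user consent grants that include a high-risk delegated scope."""
    findings = []
    for r in records:
        if r["Operation"] != "Consent to application.":
            continue
        risky = sorted(set(r.get("Scopes", "").split()) & HIGH_RISK_SCOPES)
        if risky:
            findings.append(Finding(r["UserId"], "risky-oauth-consent",
                                    f"app '{r.get('AppDisplayName', '?')}' granted {risky}"))
    return findings


def find_legacy_auth(records):
    """Flag successful sign-ins over legacy protocols, which bypass MFA."""
    findings = []
    for r in records:
        if r["Operation"] != "UserLoggedIn" or r.get("ResultStatus") != "Success":
            continue
        app = r.get("ClientAppUsed", "")
        if app in LEGACY_CLIENT_APPS:
            findings.append(Finding(r["UserId"], "legacy-auth-signin",
                                    f"{app} from {r.get('ClientIP', '?')}"))
    return findings


def hunt(records):
    return (find_suspicious_inbox_rules(records)
            + find_risky_consents(records)
            + find_legacy_auth(records))


# Constructed sample records (not real telemetry). The single-character rule
# name "." is a habit frequently seen in real mailbox-takeover cases.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "diplomat@mfa.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "attache@mfa.example",
     "Parameters": [{"Name": "Name", "Value": "Travel"},
                    {"Name": "RedirectTo", "Value": "assistant@mfa.example"}]},
    {"Operation": "Consent to application.", "UserId": "attache@mfa.example",
     "AppDisplayName": "Mail Archiver Plus", "Scopes": "Mail.Read offline_access"},
    {"Operation": "Consent to application.", "UserId": "press@mfa.example",
     "AppDisplayName": "Calendar Widget", "Scopes": "User.Read"},
    {"Operation": "UserLoggedIn", "UserId": "diplomat@mfa.example",
     "ResultStatus": "Success", "ClientAppUsed": "IMAP4", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoggedIn", "UserId": "press@mfa.example",
     "ResultStatus": "Success", "ClientAppUsed": "Browser", "ClientIP": "198.51.100.4"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.check}] {f.user}: {f.detail}")
```

Run against the constructed data, the script flags the external forward with the hidden-message flag, the Mail.Read consent, and the IMAP4 login, and leaves the internal redirect, the User.Read consent, and the browser sign-in alone. In production, feed it the output of `Search-UnifiedAuditLog` (or an Entra sign-in export) after mapping the nested `AuditData` JSON onto these flat keys, and treat the three findings as a triage queue rather than a verdict.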

Sources: Massive leak shows Chinese firm hacked foreign governments, activists