{
	"id": "23f03a6f-9fd7-424d-876a-40797514b731",
	"created_at": "2026-04-06T00:09:19.961207Z",
	"updated_at": "2026-04-10T03:21:10.602033Z",
	"deleted_at": null,
	"sha1_hash": "3aa43a19e43ad6eb351de78cc66c27ac2cfdbb53",
	"title": "Unmasking I-Soon | The Leak That Revealed China's Cyber Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 257168,
	"plain_text": "Unmasking I-Soon | The Leak That Revealed China's Cyber\r\nOperations\r\nBy Dakota Cary \u0026 Aleksandar Milenkoski\r\nPublished: 2024-02-21 · Archived: 2026-04-05 18:22:15 UTC\r\nExecutive Summary\r\nI-Soon (上海安洵), a company that contracts for many PRC agencies–including the Ministry of Public\r\nSecurity, Ministry of State Security, and People’s Liberation Army–was subject to a data leak over the\r\nweekend of Feb 16th. Neither the identity nor the motives of whoever pilfered the information are known, but this leak provides\r\na first-of-its-kind look at the internal operations of a state-affiliated hacking contractor. The authenticity of\r\nthe documents is still undecided. While the leak’s contents do confirm public threat intelligence, efforts to\r\nfurther corroborate the documents are ongoing.\r\nThe leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of\r\nChina’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a\r\ncompetitive marketplace of independent contractor hackers-for-hire.\r\nI-Soon–whose employees complain about low pay and gamble over mahjong in the office–appears to be\r\nresponsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong,\r\nuniversities, and NATO. The leaked documents align with previous threat intel on several named threat\r\ngroups.\r\nVictim data and targeting lists, as well as names of the clients who requested them, show a company that\r\ncompetes for low-value hacking contracts from many government agencies. The finding indicates that\r\nhistorical targeting information from Advanced Persistent Threats thought to be PRC contractors does not\r\nprovide strong guidance on future targets.\r\nMachine translation enabled the rapid consumption of leaked data. 
These tools broadened the initial\r\nanalysis of the information beyond seasoned China experts with specialized language skills and technical\r\nknowledge. This has enabled many more analysts to scan the leaked information and quickly extract and\r\nsocialize findings. As researchers dig into the voluminous information, domain expertise will be required to\r\nunderstand the complex relationships and implicit patterns between the relevant organizations, companies,\r\nand individuals. One upshot is that geographically-specialized analysis will continue to provide distinct\r\nvalue, but the barrier to entry is much lower.\r\nInitial Observations\r\n1. At 10:19 pm on January 15th, someone, somewhere, registered the email address I-SOON@proton.me.\r\nOne month later, on February 16th, an account registered by that email began uploading content to GitHub.\r\nAmong the files uploaded were dozens of marketing documents, images and screenshots, and thousands of\r\nhttps://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/\r\nPage 1 of 4\n\nWeChat messages between employees and clients of I-SOON. An analyst based in Taiwan found the\r\ndocument trove on GitHub and shared their findings on social media.\r\n2. Many of the files are versions of marketing materials intended to advertise the company and its services to\r\npotential customers. In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the\r\nUN Human Rights Council has called genocide–the company bragged about past counterterrorism work.\r\nThe company listed other terrorism-related targets it had hacked previously as evidence\r\nof its ability to perform these tasks, including targeting counterterrorism centers in Pakistan and\r\nAfghanistan.\r\n3. Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to\r\ncompromise and exploit targets. 
Listed in the documentation were pictures of custom hardware snooping\r\ndevices, including a tool meant to look like a powerbank that actually passed data from the victim’s\r\nnetwork back to the hackers. Other documentation diagrammed some of the inner workings of I-SOON’s\r\noffensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s\r\nmain source of revenue is hacking for hire and offensive capabilities.\r\n4. The leaked documents provide indicators–such as command-and-control infrastructure, malware, and\r\nvictimology–which relate to suspected Chinese cyberespionage activities previously observed by the threat\r\nintelligence community. Initial observations point to activities spanning a variety of targeted industry\r\nsectors and organizations as well as APT groups and intrusion sets, which the threat intelligence\r\ncommunity tracks, or has been tracking, as distinct clusters. The extent and strength of the relationships\r\nbetween indicators present in the leaked data and past intrusions are still subject to detailed evaluation.\r\n5. The documents and chats leaked on GitHub seem selected to embarrass the company, but they\r\nalso raise key questions for the cybersecurity community. One document lists out targeted organizations\r\nand the fees the company earned by hacking them. Collecting data from Vietnam’s Ministry of\r\nEconomy paid out $55,000; other ministries were worth less. Another leaked messaging exchange\r\nshows an employee hacking into a university not on the targeting list, only for their supervisor to brush it\r\noff as an accident. 
Employees complained about low pay and hoped to get jobs at other companies, such as\r\nQi An Xin.\r\nConclusion\r\nThe leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution\r\nefforts and gain a deeper understanding of the complex Chinese threat landscape. This evaluation is essential for\r\nkeeping up with a complex threat landscape and improving defense strategies.\r\nExtensive sharing of malware and infrastructure management processes between groups makes high-confidence\r\nclustering difficult. As demonstrated by the leaked documents, third-party contractors play a significant role in\r\nfacilitating and executing many of China’s offensive operations in the cyber domain.\r\nFor defenders and business leaders, the lesson is plain and uncomfortable. Your organization’s threat model\r\nlikely includes underpaid technical experts making a fraction of the value they may pilfer from your\r\norganization. This should be a wakeup call and a call to action.\r\nDakota Cary\r\nDakota Cary is a China-focused consultant at SentinelOne and a nonresident fellow at the Atlantic Council’s\r\nGlobal China Hub. Dakota previously was a research analyst at Georgetown University’s Center for Security and\r\nEmerging Technology on the CyberAI Project. He focuses on China’s efforts to develop its hacking capabilities.\r\nHis reports examine artificial intelligence and cybersecurity research at Chinese universities, the People’s\r\nLiberation Army’s efforts to automate software vulnerability discovery, China's vulnerability collection system,\r\nand policies to improve the country’s cybersecurity-talent pipeline. He has been featured and quoted on his\r\nexpertise in a variety of outlets, including The Economist, MIT Technology Review, Associated Press, Financial\r\nTimes, and Wired. 
Cary has also testified before the US-China Economic and Security Review Commission.\r\nAleksandar Milenkoski\r\nAleksandar Milenkoski is a Principal Threat Researcher at SentinelLABS. With expertise in malware research and\r\nfocus on targeted attacks, he brings a blend of practical and deep insights to the forefront of cyber threat\r\nintelligence. Aleksandar has a PhD in system security and is the author of numerous reports on cyberespionage\r\nand high-impact cybercriminal operations, conference talks, and peer-reviewed research papers. From 2011 to\r\n2014, he was a European Commission Marie Skłodowska-Curie Research Fellow. His research has won awards\r\nfrom SPEC, the Bavarian Foundation for Science, and the University of Würzburg.\r\nSource: https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/"
	],
	"report_names": [
		"unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3aa43a19e43ad6eb351de78cc66c27ac2cfdbb53.pdf",
		"text": "https://archive.orkl.eu/3aa43a19e43ad6eb351de78cc66c27ac2cfdbb53.txt",
		"img": "https://archive.orkl.eu/3aa43a19e43ad6eb351de78cc66c27ac2cfdbb53.jpg"
	}
}