{
	"id": "56199c70-49cc-4482-944c-107db99a6c1f",
	"created_at": "2026-04-06T00:18:45.727115Z",
	"updated_at": "2026-04-10T13:11:35.164959Z",
	"deleted_at": null,
	"sha1_hash": "f2ffe2df6ae6f92d1751401d0df5e14ed6c34340",
	"title": "State Secrets for Sale: More Leaks from the Chinese Hack-for-Hire Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1353324,
	"plain_text": "State Secrets for Sale: More Leaks from the Chinese Hack-for-Hire\r\nIndustry\r\nBy SpyCloud Labs Research Team\r\nPublished: 2025-07-01 · Archived: 2026-04-05 20:02:49 UTC\r\nIn late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These\r\ntwo posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting\r\nsimilarities. Both posts:\r\nWhile the samples provided on DarkForums were relatively small in comparison to previous data leaks of a\r\nsimilar nature (including Chinese IT contractor leaks, such as TopSec and iSoon), the latest leaks provide critical\r\npivot points for assessing the state and structure of the Chinese cybersecurity contractor ecosystem.\r\nWe wanted to take a moment to analyze these two recent posts, dive into the sample data, and make some\r\nconnections between this activity and some overall trends we are observing in our research into the Chinese\r\ncybercriminal underground.\r\nVenusTech is a major IT security vendor in China with a focus on serving government clients. It was founded in\r\n1996 and is traded on the Shenzhen Stock Exchange. They have previously documented ties to the hack-for-hire\r\nindustry including procuring services from XFocus, who created the original Blaster worm in 2003, as well as\r\nproviding startup funding to Integrity Tech, the company responsible for the offensive hacking activity associated\r\nwith Flax Typhoon. \r\nOn May 17, a post relating to VenusTech was created by an account called “IronTooth” and titled “Chinese tech\r\ncompany venus leaked documents.” The IronTooth account appears to have been newly created and simply uses\r\nthe default profile image for DarkForums. The full post text reads: \r\nselling sourced leaked documents dump of chinese tech company. 
includes papers, products sold to government,\r\naccesses, clients and more random shit sold to highest bidder after 48h. crossposted.\r\nImage 1: Screenshot of IronTooth’s post to DarkForums offering data from VenusTech for sale.\r\nIronTooth then included 16 images which appear to be screenshots of various nonpublic VenusTech documents,\r\npresentations, spreadsheets, and contracts. \r\nThe documents that piqued our interest the most were the three spreadsheets towards the top of the post, which\r\nappear to contain details on Chinese government contracts and offensive services. The selected portions of the\r\nspreadsheets don’t contain column headers, complicating interpretations of the data, but two of them (Image 2 and\r\nImage 3) appear to contain detailed line items of collections targets and already hacked organizations.\r\nhttps://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/\r\nPage 1 of 7\n\nImage 2: Screenshot showing a spreadsheet of entities that may correspond to either intelligence targets, access, or\r\nexfiltrated data. It appears to list organizations and regions, information about data types, and notes on amounts of\r\nhosts and daily active users. Below the original screenshot is an automated translation generated with Google\r\nTranslate.\r\nImage 3 also contains what look like cadences for data delivery. For example, one of the lines in Image 3 appears\r\nto suggest that VenusTech has access to the Korean National Assembly’s email server and is contracted to deliver\r\nfour updates of data per month from this access to an unnamed customer at the price of 65,000 yuan (equivalent to\r\nabout $9,000 USD).\r\nImage 3: Screenshot showing what appears to correspond to intelligence targets, delivery schedules, and monthly\r\nprices. 
The first column contains country names, the second contains organization names, the third contains what\r\nappear to be service types, and the fourth appears to contain monthly data delivery quotas and additional\r\nstipulations. The final column appears to contain monthly prices ranging from 30,000 yuan per month to 85,000\r\nyuan per month. Below the original screenshot is an automated translation generated with Google Translate. \r\nImage 4 appears to contain contract information showing various Chinese government entities who are customers\r\nof VenusTech and additional information about their contracts.\r\nImage 4: Screenshot that appears to show Chinese government clients of VenusTech and additional information\r\nabout their contracts. The column of alphanumeric strings in the center appears to be Unified Social Credit Codes.\r\nBelow the original screenshot is an automated translation generated with Google Translate.\r\nAltogether, these samples appear to provide evidence of specific offensive hacking services that VenusTech is\r\nproviding to the Chinese government, as well as specific intelligence targets, including organizations in Hong\r\nKong, India, Taiwan, South Korea, Croatia, and Thailand.\r\nSalt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) actor that is believed to be controlled\r\nby the Ministry of State Security (MSS). They are most notable for a series of intrusions into major US\r\ntelecommunications companies and internet service providers that were discovered in late 2024. Since then,\r\ncybersecurity defenders have continued to discover additional intrusions into global telecommunications systems\r\nand universities attributed to Salt Typhoon, including, most recently, Viasat. 
\r\nOn May 18, a post relating to Salt Typhoon was created on DarkForums by user ‘ChinaBob’; their profile picture\r\nappears to be the titular character from an early-2000s era Chinese children’s cartoon called the Legend of Nezha.\r\nThe username ChinaBob is reminiscent of the username ChinaDan, which was used by the account that posted the\r\nShanghai National Police (SHGA) database for sale on BreachForums in 2022. The post is titled “Chinese\r\ngovernment hacking group [Salt Typhoon]: Banking Data + Internal Files.”\r\nThe body of the post begins:\r\nselling first-hand data from hacking companies working for the central government. Data includes employee data,\r\nfinancial data of companies and banking data, router configurations of hacked routers with passwords and chats\r\nof employees and officials being investigated.\r\nData: CSV, XLSX, TXT, PDF\r\nRegion: China\r\nNews Article: t[.]me/xhqcankao/17466\r\nPrice: $$$$$U (contact for price)\r\nThe post goes on to include multiple data samples, both in the original post and in three separate follow-up posts\r\nover the course of the next couple of days.\r\nImage 5: Screenshot of ChinaBob’s original post to DarkForums offering Salt Typhoon data for sale.\r\nThe first sample appears to include names, Chinese national ID numbers, and phone numbers for seven Salt\r\nTyphoon employees (see Image 5). ChinaBob also followed up, apparently in response to people asking for\r\nadditional samples, with data for an additional eight employees (see Image 6).\r\nImage 6: Follow-up comment including additional employee data.\r\nOur team searched for these identifiers in our extensive repository of breached and leaked data, as well as in a few\r\nSGKs (repositories of leaked and stolen PII, created by Chinese-language cybercriminal actors which allow for\r\neasy queryability of PII on Chinese citizens and users). 
Based on these searches, the data generally does appear to\r\nmatch with other sources of PII on Chinese individuals – additional sources confirm links between the listed\r\nnames, national ID numbers, and phone numbers. \r\nThe next sample advertised by ChinaBob appears to show IP addresses of routers that were allegedly hacked by\r\nSalt Typhoon and associated usernames. The post indicates that the full dataset for sale will contain information\r\non 242 hacked routers, including their passwords. ChinaBob also followed up with a fileshare link to a longer file\r\nincluding the full router configuration for one of the hacked routers (see Image 7). \r\nImage 7: Follow-up comment including a link to a file on a filesharing site containing a full hacked router config.\r\nOf the twelve total IP addresses, six appear to have internet-facing Cisco devices behind them, which Salt\r\nTyphoon has been known to compromise. Three more appear to have some other high-likelihood indicator of\r\ncompromise – either based on unusually high fraud scores or being known as tied to residential proxy services. \r\nWhile these indicators don’t necessarily equate to Salt Typhoon activity, they do indicate that there are unpatched\r\nand exploitable internet-facing devices behind these IPs that were very likely compromised by at least one cyber\r\nthreat actor. Additionally, some of the listed router usernames do line up with some of the listed ISPs (for example,\r\nthe IP address listed in ChinaBob’s sample with username lavaadmin is administered by the Lava International\r\nLimited ISP), making the data appear more credible.\r\nThe next sample shows transactions between various customers and three “seller” companies, which we\r\nhypothesize are associated with the Salt Typhoon threat activity. 
The spreadsheet (see Image 8) includes\r\ntransactions between these three companies, transactions in which the three companies appear to be selling\r\nservices to large, established Chinese cybersecurity vendors such as Qi’anxin (QAX) Legendsec and VenusTech,\r\nand transactions in which the three companies appear to be selling services to Chinese government and military\r\nunits. \r\nImage 8: Spreadsheet containing transaction data between the organizations allegedly behind the Salt Typhoon\r\nthreat activity and their “government customers.”\r\nThe first transaction in this sample lists PLA Unit 61419 as the buyer, which has been affiliated with the ‘Tick’\r\nthreat activity group and was discovered in 2021 purchasing foreign antivirus products with the suspected goal of\r\ndeveloping exploits for them. Another familiar listed buyer is the Institute of Information Engineering of the\r\nChinese Academy of Sciences, a publicly owned academic institute which established China’s first cyber range,\r\nowns a small stake in iSoon, and has significant known ties to the Chinese hack-for-hire industry.\r\nThe three listed “seller” organizations in this sample include one which had already been named and sanctioned\r\nby the US Government for threat activity associated with Salt Typhoon – Sichuan Juxinhe Network Technology\r\nCompany – as well as two additional business entities, Beijing Huanyu Tiangiong Information Technology\r\nCompany Limited and Sichuan Zhixin Ruijie Network Technology Company Limited. 
\r\nThe cybersecurity analysis team Natto Thoughts published a deep-dive into Sichuan Juxinhe Network Technology\r\nCompany earlier this year, concluding that they had characteristics resembling a front company of the MSS.\r\nBased on our initial searches, the two other companies listed as sellers in this spreadsheet also share some of the\r\nkey characteristics of a front company, including a limited digital footprint (including no public-facing website)\r\nand a very small number of listed employees according to business intelligence databases.\r\nAdditionally, we see three of the individuals from ChinaBob’s sample employee lists reflected in public business\r\nregistration records for Sichuan Zhixin Ruijie Network Technology Company Limited: Yu Yang (余洋), Yan Xue\r\n(闫雪), and Chen Zihao (陈梓浩). Based just on these three individuals, we can also find connections to public\r\nbusiness registration records for four additional small companies not otherwise listed in this breach. Each of these\r\nadditional four businesses also appears to have a very limited digital footprint and few employees. 
\r\nUsing information derived from SpyCloud’s data holdings as well as business registration, we compiled basic\r\nbusiness and identity details for each of the three individuals.\r\nChen Zihao (陈梓浩)\r\nMale | 36 years old | Sichuan Province\r\nNational ID Number: 510623198909030310 | DOB: September 3, 1989\r\nPhone Numbers: 18016122200, 15882059538\r\nQQ: 523386132 | Weibo ID: 2608965270\r\nAssociated Business Registration Records: \r\nSichuan Zhixin Ruijie Network Technology Co., Ltd.\r\nSichuan Mubin Information Consulting \u0026 Edit Co., Ltd.\r\nMubin (Deyang) Business Information \u0026 Edit Consulting Services Co., Ltd.\r\nYan Xue (闫雪)\r\nFemale | 35 years old | Liaoning Province\r\nNational ID number: 210882199001143029 | DOB: January 14, 1990  \r\nPhone Numbers: 13381199872, 17739345534 \r\nWeibo ID: 5746370894 \r\nAssociated Business Registration Records: \r\nSichuan Zhixin Ruijie Network Technology Co., Ltd.\r\nShanghai Meicheng Network Technology Service Center \r\nBeijing Bole Human Resources Co., Ltd.\r\nYu Yang (余洋)\r\nMale | 35 years old | Sichuan Province\r\nNational ID Number: 510623199002076710 | DOB: February 7, 1990\r\nPhone Number: 13661368812 \r\nQQ: 517011513 | Weibo ID: 2759346040 | Email: lanyi__158@163.com \r\nAssociated Business Registration Records: \r\nSichuan Zhixin Ruijie Network Technology Co., Ltd.\r\nChinaBob also made a follow-up post including a technical service contract between Beijing Huanyu Tiangiong\r\nInformation Technology Company Limited and Tongfang Co., a publicly traded state-owned enterprise based in\r\nBeijing. Tongfang Co. (Tsinghua Tongfang Co. Ltd.) is a high-tech information technology company that is\r\nclosely associated with Tsinghua University and supplies military equipment to the PLA. 
In 2019, the China\r\nNational Nuclear Corporation (CNNC), which oversees both China’s military and civilian nuclear programs,\r\nbecame a controlling stockholder of Tongfang Co.\r\nImage 9: Page one of the final Salt Typhoon sample, of a service contract with a buyer.\r\nThese two recent posts on DarkForums appear to contain nonpublic data sourced from tech companies within\r\nChina’s robust hack-for-hire industry. While the public samples associated with these posts are nowhere near as\r\nlarge as the iSoon or TopSec leaks, they can still shed some additional light on the Chinese offensive cybersecurity\r\ncontractor industry. \r\nThe “Salt Typhoon Data Leak” in particular appears to name two additional business entities as part of the threat\r\nactivity cluster that have not yet been indicted or sanctioned by US authorities: Beijing Huanyu Tiangiong\r\nInformation Technology Company Limited and Sichuan Zhixin Ruijie Network Technology Company Limited, in\r\naddition to the company that had already been named, Sichuan Juxinhe Network Technology Company. \r\nWhile the origin of these leaks is uncertain, this data appearing for sale on a Western hacking forum fits into a few\r\noverarching trends that we have observed from monitoring Chinese cybercriminal communities: \r\nOur team at SpyCloud Labs keeps close tabs on the Chinese cybercrime ecosystem.\r\nSource: https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/"
	],
	"report_names": [
		"state-secrets-for-sale-chinese-hacking"
	],
	"threat_actors": [
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2ffe2df6ae6f92d1751401d0df5e14ed6c34340.pdf",
		"text": "https://archive.orkl.eu/f2ffe2df6ae6f92d1751401d0df5e14ed6c34340.txt",
		"img": "https://archive.orkl.eu/f2ffe2df6ae6f92d1751401d0df5e14ed6c34340.jpg"
	}
}