Natto Thoughts: i-SOON Leaks

Indictments and Leaks: Different but Complementary Sources

Natto Team — Wed, 02 Apr 2025 16:02:53 GMT

After the public learned of the leaked documents from the Chinese Information security company i-SOON in February 2024, various media and analysts from the cyber security industry, including the Natto Team, seized the rare opportunity to uncover "the world of China’s hackers for hire". A year later, on March 5, 2025, the US Department of Justice (US DoJ) unsealed an indictment charging eight i-SOON employees and two officers of the Chinese Ministry of Public Security for alleged hacking activities from 2016 to 2023. The i-SOON indictment revealed further details on the company’s operation, particularly, how i-SOON actors coordinated with the Chinese Ministry of Public Security (MPS) and Ministry of State Security (MSS).

Indictments can be valuable resources for cyber threat intelligence (CTI) analysts: they provide insights into the activities, tactics, and infrastructure of threat actors, which can be used to improve threat detection and response capabilities. Indictments also identif…

Where is i-SOON Now?

Natto Team — Wed, 05 Mar 2025 17:17:18 GMT

One hour before we were going to publish this post, US Department of Justice unsealed an indictment charging eight i-SOON employees and highlighting the importance of companies like i-SOON in China's cyberthreat landscape.

Cyber threats from China have never stopped evolving; analysts grapple with who Silver Fox is and why they targeted Chinese-speakers, or who was using Shadowpad malware deploying ransomware and what their motivations were. To understand these new developments, we need to keep in mind the dynamics and constraints that Chinese cyberthreat actors face. For this, the i-SOON leaks remain crucial.

After over a year, the Natto Team continues to discover that the i-SOON leaks – product marketing white papers, compromised data samples, chat logs among employees and clients, screenshots and images of business operations from the Chinese information security company i-SOON – are a gift that keeps on giving. For example, the recent Natto Thoughts’ post from Eugenio Beninicasa dug…

The Pangu Team—iOS Jailbreak and Vulnerability Research Giant: A Member of i-SOON’s Exploit-Sharing Network

Eugenio Benincasa — Wed, 19 Feb 2025 17:01:08 GMT

This week marks the one-year anniversary of the i-SOON leaks1—files, chat logs, and images exposing the company's eight-year espionage effort targeting at least 20 foreign governments for China’s government agencies. Since then, threat intelligence reports, U.S. indictments and sanctions have uncovered additional contractors linked to Chinese state-sponsored operations, such as Integrity Tech (北京永信至诚科技有限公司) and Sichuan Silence (四川无声信息技术), covered by the Natto Team in reports 1, 2, and 3. All these firms appeared in the i-SOON leaks at some point, revealing a tightly connected network of business partners, competitors, clients, and exploit brokers.

Other actors, such as the Pangu Team (盘古团队) (Pangu), were also mentioned in the leaks. Known as one of China’s top white-hat hacker groups specializing in mobile system and application security, Pangu has gained global recognition since 2014 for its groundbreaking iOS jailbreaks2—downloaded tens of millions of times—and its performance in hacki…

i-SOON Toolkit: What is “TZ”?

Natto Team — Wed, 24 Apr 2024 16:01:07 GMT

The Natto Team and many other cyber threat intelligence (CTI) analysts have seized the rare opportunity presented by the leak of Chinese hacker-for-hire company i-SOON’s internal messages. The leaked materials allow us to cross-examine past research findings ; explore threat actors’ tactics, techniques and procedures (TTPs); and probe the motivations and intents of Chinese threat actors. The Natto Team has found one aspect of i-SOON leaked documents that has not been discussed much. This is “TZ”, two letters in the Latin alphabet, likely an acronym. It appears more than 80 times across the over 570 leaked documents, including chat logs, product marketing white papers, compromised data samples, screenshots and images. What does TZ stand for? Interestingly, no explanation can be found through the documents. Even i-SOON’s product marketing whitepaper, Integrated Combat Platform (一体化作战平台), mentioned TZ 17 times, but it did not explain what TZ stood for or meant. It sounds as if TZ was a c…

i-SOON Leak: Unanswered Questions and What Now?

Natto Team — Wed, 27 Mar 2024 18:00:31 GMT

It has been over a month after the massive leak of i-SOON, a Chinese information security company, revealed the operations of China’s hacker-for-hire industry. We have seen many insightful reports about the i-SOON leak, analyzing i-SOON’s commercial offering; diving deeply into i-SOON’s company culture, “fueled by influence, alcohol and sex”; and utilizing analysis of competing hypothesis (ACH) to assess who was responsible for the i-SOON leak. However, there are still many unanswered questions related to the leak and what it all means in terms of understanding Chinese threat groups, conducting threat analysis and preventing or mitigating future attacks. While the Natto Team has received many inquiries from the media and discussed the leak with experts from the industry, we would like to present these unanswered questions and our think-out-loud Natto Thoughts for the community to explore further.

Photo by Tim Mossholder on Unsplash

Operations Security

Why do i-SOON and similar companies …

i-SOON Operations: A View from Kazakhstan

Natto Team — Wed, 13 Mar 2024 16:01:20 GMT

The massive February 16 2024 leak of materials from Chinese information security company i-SOON showed the company had compromised and stolen data from entities worldwide. The materials included charts with personal data on subscribers of several telecommunications companies in the Central Asian country of Kazakhstan. This oil- and mineral-rich country, formerly part of the Soviet Union and flanked by Russia and China, has pursued a multivector foreign policy, nurturing good relations with a variety of countries. Current president Kassym-Jomart Tokayev, a former diplomat, reportedly speaks fluent Chinese, Russian, French and English, in addition to the Kazakh language (https://online.zakon[.]kz/Document/?doc_id=30100479). His family has discreet business ties to Russia. Kazakhstan is a key transit country for Chinese exports to Europe. The Kazakh ethnic group, culturally Turkic, extends on both sides of the border with China and shares the Muslim religion and cultural similarities wit…

i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not

Natto Team — Wed, 28 Feb 2024 17:25:10 GMT

On February 18, the first working day after a week-long Lunar New Year holiday, i-SOON, a Chinese information security company on which the Natto team reported last October, posted on its WeChat public account a red banner with the greeting 开工大吉 (kai gong da ji), meaning “Good luck with your work throughout the new year.” However, this first business day in the year of the Dragon was not so blessed for i-SOON. A massive leak – including i-SOON’s product marketing white papers, compromised data samples, chat logs among employees and clients, screenshots and images related to the company’s business operations from at least 2020 to 2022 – was posted on GitHub. As of this writing, GitHub has taken down the leaked documents. The Associated Press confirmed the leak’s authenticity with two employees of i-SOON.

Source: i-SOON WeChat public account

As various media reports illustrated, the leak “open(s) the lid on China’s commercial hacking industry” and provides “unprecedented insight into t…

i-SOON: Another Company in the APT41 Network

Natto Team — Fri, 27 Oct 2023 02:00:18 GMT

A recent court case in Chengdu, Sichuan Province, China has caught Natto Team’s attention because it involves a company that US officials have alleged to be linked with Chinese offensive hacking. This court case is an intellectual property dispute in which the company known as Chengdu 404 – which allegedly stands behind Chinese state hacking operation known as APT41 – sued a company known as Sichuan i-SOON. The case, which pitted Chengdu Silingsi (404) Network Technology Company (成都市肆零肆网络科技有限公司) as the plaintiff against Sichuan i-SOON Information Technology Company(四川安洵信息技术有限公司) as the defendant, centered on a software development contract dispute. As of this writing, there is no publicly available information about the case, except that it was scheduled to go to trial on October 17, 2023. The existence of this case suggests that Chengdu 404 and Sichuan i-SOON had a business relationship. A look at Sichuan i-SOON adds to our understanding of the ecosystem of IT companies in which Che…