Natto Thoughts: Private Industry & Tools

China’s 2025 Top 20 Cybersecurity Companies: Which “Dark Horses” Will Emerge to Prominence in 2026?

Natto Team — Wed, 14 Jan 2026 15:03:15 GMT

As we enter 2026, the geopolitical landscape appears more uncertain than ever. Ongoing conflicts, such as the Russia-Ukraine war, remain unresolved, while competition among major world powers is intensifying. In such a climate, strength and capability are paramount. China’s cybersecurity industry recognizes its special expertise as “the fundamental cornerstone for safeguarding national security.” Among the more than five thousand cybersecurity companies in China, which ones stand out as top providers of quality products and services, significantly contributing to China’s national security? The “2025 Top 20 Chinese Cybersecurity Enterprises (2025年中国网络安全前二十家企业)” list featured in the annual “China Internet Company Comprehensive Capability Index (CICCI) (中国互联网企业综合实力指数)” report published at the end of December 2025 by the Internet Society of China (ISC)—an industry association affiliated with the Chinese Ministry of Industry and Information Technology (MIIT)—offers a fresh perspective on the leading players in China’s cybersecurity industry as we begin our 2026 research focused on this sector.

The Natto Team believes that understanding these Chinese cybersecurity companies is essential for grasping how China develops its cyber capabilities. Since launching Natto Thoughts in 2023, our team has investigated several Chinese cybersecurity companies involved in state-sponsored or state-linked cyber operations. Our findings suggest that China has established a highly effective and state-aligned system, notably integrating the private sector—Chinese cybersecurity companies—in building its cyber capabilities.

In this post, the Natto Team examines the overall development of China’s cybersecurity sector and the top cybersecurity companies of 2025 based on the ISC’s CICCI reports, which analyze these companies’ key performance indicators, innovation and research and development (R&D) capabilities, business and market coverage, and how their core functions align with China’s national priorities.

Subscribe now

Knownsec: The King of Vulnerability Missed Three Vulnerabilities of Its Own

Natto Team — Wed, 03 Dec 2025 17:02:43 GMT

On November 5, 2025, a Chinese-language blog called Mrxn’s Blog published a “massive” leak of information from Knownsec (知道创宇), a Chinese cybersecurity company. Mrxn claimed that the leak included 12,000 confidential documents, such as “China’s state-level cyber weapons, internal tool systems, and global target lists.” The blog provided sample screenshots of the leak and noted that the leaked information first appeared on the code-sharing platform GitHub, which subsequently removed it “for violating its terms of service.” The NETASKARI Substack was among the first outlets to report in English on Mrxn’s blog post about the leak. NETASKARI’s author, a freelance journalist based in Amsterdam, The Netherlands, provided a summary and analysis of the limited available leaked documents—including screenshots of product brochures, data collection lists, and a Knownsec company profile—and concluded there was no “smoking gun” or evidence of state-of-the-art tools used by Chinese state hackers. H…

China’s Cybersecurity Companies Advancing Offensive Cyber Capabilities Through Attack-Defense Labs

Eugenio Benincasa — Wed, 19 Nov 2025 17:03:09 GMT

Western governments are grappling with how private-sector offensive cyber capabilities should fit into state operations. This raises a number of practical questions: If a state tasked a company with carrying out cyber operations against an adversary, who inside those organizations would actually carry out offensive work?1 How would these units be structured for government tasks? And how would offensive activity coexist with a company’s day-to-day R&D and commercial operations?

In China, these questions are far less abstract. Private companies have been core contributors to national cyber capability building for years, supported by both policy and institutional design. They develop many of the tools, techniques, and forms of expertise that underpin defensive security products and can also be leveraged for state-sponsored cyber operations. The clearest organizational expression of this approach is companies’ widespread use of attack-defense labs (攻防实验室), internal units that merge defensiv…

When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft’s MAPP Program

Eugenio Benincasa — Thu, 31 Jul 2025 16:32:47 GMT

On July 25, 2025, Bloomberg reported that Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released. Microsoft attributed the campaign – dubbed “ToolShell” after the custom remote access trojan used – to three China-linked threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration.

Launched in 2008, MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections (such as antivirus signatures and intrusion detection rules) in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure …

Bluesky Should Outsmart China's Public Opinion Monitoring Tools to Safeguard Public Discourse

Eugenio Benincasa — Wed, 11 Dec 2024 17:02:03 GMT

This post is authored by guest contributor Eugenio Benincasa, a senior researcher at the Center for Security Studies at the Swiss Federal Institute of Technology in Zurich (ETH Zurich).

In a November 26 post on the microblogging social networking service Bluesky, Alex Stamos, the Chief Information Security Officer for the cybersecurity company SentinelOne, highlighted several key points about how People’s Republic of China (PRC) leverages US social media platforms, such as X, for influence operations. Stamos made the following points:

Many underestimate the extent of the PRC's efforts at influencing the U.S. social media landscape;
The erosion of Trust and Safety at X has turned the platform into a “playground for PRC actors”;
Although PRC-affiliated actors complain about users moving from X to Bluesky, that platform too could also prove fertile ground for Chinese influence operations.

China has long used X to drive influence campaigns, leveraging its user base and algorithms to amplify na…

Reconnaissance Scanning Tools Used by Chinese Threat Actors and Those Available in Open Source

Natto Team — Wed, 04 Sep 2024 16:00:57 GMT

At the end of May, the Natto Team looked into threat group APT41’s reconnaissance techniques and toolkit. As we continue our ongoing research on Chinese threat groups, we discovered several other Chinese threat groups using similar reconnaissance techniques and tools to those APT41 used, such as Nmap, a free and open-source network scanner. We also came across reconnaissance techniques and scanning tools that were unique to some of the Chinese threat groups. In addition, like APT41, Chinese threat groups heavily use open-source and locally developed tools, whether well-known security tools or customized malware.

Tools, malware, threat groups and threat campaigns mentioned in this report. Source: Natto Thoughts

APT10, GALLIUM and Stately Taurus Use NBTscan or Modified NBTscan – a Tool That Has Appeared Repeatedly Over Ten Years

At least three Chinese state threat groups, including APT10 (a.k.a menuPass, Stone Panda, POTASSIUM (Purple Typhoon); GALLIUM (a.k.a Granite Typhoon), and Stately …

Who Has the Best Scanning Tools in China?

Natto Team — Wed, 26 Jun 2024 16:00:38 GMT

China has developed a robust cybersecurity industry along with the explosive growth of the country’s information and communications technology (ICT) sector in the past two decades. In 2023, revenue from information security products and services in China reached 223.2 billion RMB (US$31 billion), a year-on-year increase of 12.4%, according to data from the Chinese Ministry of Industry and Information Technology (MIIT). Meanwhile, as of June 2023, China had a total of 3984 information security products and services companies, a year-on-year growth of 22.4%. 26 of 3984 companies, less than 1 percent, were public companies.

The April 2024 edition of the annual China Cybersecurity Industry Panorama gives a glimpse at the top providers of information security products and services.

Security Bull (a.k.a AQNIU.COM)(安全牛), a well-known Chinese information security media and flagship think tank with a targeted clientele on cybersecurity decision makers, was the organizer of this 11^th edition of …

APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?

Natto Team — Wed, 29 May 2024 16:02:55 GMT

In the previous report “i-SOON Toolkit: What is ‘TZ’?”, the Natto Team discovered the importance of network reconnaissance work for the Chinese Public Security bureaus and companies in the information security industry that support the work. Reconnaissance – gathering information on a target – is the first step that cyber threat actors take in an operation, according to the so-called Cyber Kill Chain framework. Reconnaissance provides the threat actor with both non-technical information on the target, such as a target’s organizational details and information on personnel, and technical information, including information about the network, hosts, applications, and users. Over the years, researchers have observed and studied various reconnaissance techniques and tools commonly used in targeted attack cases. In this report, the Natto Team looks into the reconnaissance techniques and toolkit of APT41, a Chinese state-sponsored hacking group, and explores popular network reconnaissance too…

i-SOON: “Significant Superpower” or Just Getting the Job Done?

Natto Team — Thu, 07 Mar 2024 23:49:26 GMT

The previous Natto Thoughts report on the recent leak of documents from the Chinese IT company i-SOON discussed the complex network of China’s information security companies and their precarious relationship with their “clients.” As we understand, all these companies, no matter whether we call them “hackers-for-hire” or “commercial hacking industry,” are ultimately businesses with profit as their bottom line, as the Natto Team told The Wire China. Therefore, it is helpful for us to look into i-SOON as a case study using the 60-year-old “People, Process, Technology” (PPT) Framework to assess its business operation, how it got its business done and whether it was successful or not. A business-focused analysis of the i-SOON case study can shed a new light on China’s state-sponsored cyber operations. (On types of state-associated cyber operations, see the Natto Team posting “Wazawaka & Co., Part 2: Patriotic Hacker”)

Pinduoduo: When Business Success Comes with Hacking

Natto Team — Fri, 26 May 2023 04:28:53 GMT

Note added on August 21, 2024: This is a post the Natto Team published on May 26, 2023. It looks into China’s e-commerce company Pinduoduo (PDD) and its alleged hacking team after the Google Play store suspended PDD because of finding malware in some versions of the app. Our research indicates that PDD’s operating model - a social commerce model of “social network promotion for all people” has made it easy to hack users. The model analyzes users’ habits, interests and preferences to offer personalized push notifications and ads that attract users to use the app more often and place more orders. A white/black hat hacking team could combine these standard e-commerce functions – which are not necessarily illegal – with exploitation of mobile phone vulnerabilities to enable unauthorized access to user data and information. PDD figured out this shortcut early on in its explosive growth. Fortunately for users, the country’s top mobile vulnerability mining expert had the moral decency to ref…