On February 16, 2024, an anonymous user posted a large number of internal documents pertaining to a Chinese cybersecurity company named I-Soon on GitHub (the repository has since been taken down). The leak contains a variety of material, ranging from internal chat logs to technical documentation of the tools and services the company provides to its customers.

This article dives into the contents of the documents, with a strong focus on the technical capabilities I-Soon reports, as seen through the operations it claims and the products it advertises to its customers. We also go over the links to known APT activity that have been established based on the information in the documents.

The leak confirms analyst suspicions about how the Chinese offensive cybersecurity apparatus is organized, particularly regarding vulnerability management and the regional tasking spread across provinces.

Contrary to initial reporting, I-Soon’s social media influence capabilities appear to be overblown and likely couldn’t noticeably impact the public debate.