Flaming China
Flaming China is the name used by actors claiming responsibility for an alleged intrusion involving the National Super Computer Center of China (NSCC) in Tianjin. The available reporting indicates the group identified itself as “Flaming China,” and that its Telegram channel appears to have existed since early February; however, the source explicitly assesses that this may be a temporary alias rather than a permanent or stable threat group.
In the reported activity, a dark web actor using the handle “airborneshark1” advertised for sale an alleged 10-petabyte dataset purportedly stolen from the NSCC and later reposted the offer to increase bidding. The source attributes the intrusion to Flaming China. Based on several gigabytes of leaked sample data, the source assesses that at least part of the breach appears genuine, although the full claimed 10 PB volume could not be verified.
The reported sample data allegedly included screenshots of internal directory layouts and user credentials, PDFs, reports, handbooks, radar test data, physics simulation renderings, test calculations, and documents dated 2024 and 2025. The content states that the NSCC supports academic, state-owned enterprise, partner, and military-linked simulation workloads, and that the leaked material allegedly reflected simulation of payload and weapon-system effects against targets and materials. Reported examples include a document marked “秘密*10年” described as a 2025 bunker-buster ammunition testing report, with modeled targets including a HIMARS truck, an aircraft carrier, and bunker configurations, as well as radar-related data and a system referred to as “stealth.”
If the claimed 10-petabyte exfiltration is accurate, the source assesses that the operation would likely have required prolonged access, exploration of NSCC clusters and storage infrastructure, and lateral movement across the environment, and suggests possible insider assistance.
No nation-state attribution is established in the provided content. Known alias in the content: flaming_china.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Academia & Research
- Military
Where they target
Geographies tied to known operations.
- 🇨🇳 China
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Claimed responsibility for the intrusion and data theft from the National Super Computer Center of China (NSCC) in Tianjin, and advertised a purported 10-petabyte dataset for sale on a dark web forum.
Claimed responsibility for the intrusion and large-scale data theft from the National Super Computer Center of China (NSCC) in Tianjin, allegedly exfiltrating up to 10 PB of data and releasing sample data to prove access.