Un-Mail
Un-Mail is a KnownSec-developed platform described in leaked internal documents as a specialized webmail takeover and email eavesdropping system used for covert access to, and continuous exfiltration from, compromised email accounts. Reported capabilities include IMAP/POP mailbox replication to silently synchronize a victim’s inbox to attacker-controlled infrastructure, as well as theft of email login credentials, emails, contacts, and related account data. One source states it employs XSS to obtain credentials and email content. The sources also state that it supports both Chinese and foreign email providers, including major global services such as Gmail, Yahoo, and AOL. Un-Mail is associated with the 2025 leak of KnownSec materials and is described in reporting on KnownSec’s alleged offensive cyber-espionage tooling and support to Chinese state entities, including the Ministry of Public Security. High-confidence behavioral details from the sources are limited to webmail takeover, credential theft, mailbox replication, and persistent email surveillance and data exfiltration; no specific technical indicators of compromise are provided in the supplied material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specialized webmail takeover platform focused on covert mailbox access and exfiltration. Noted capability is IMAP/POP mailbox replication to silently download/sync a victim’s entire inbox into an operator-controlled datastore/server.
Offensive tool for covert takeover and continuous exfiltration of email accounts.
Un-Mail is an email content eavesdropping platform designed to exfiltrate email credentials, messages, contacts, and related data from compromised accounts. It supports multiple attack vectors including XSS, password attacks, cookie manipulation, and email forwarding. The tool enables persistent, covert monitoring of email accounts across both Chinese and foreign providers, with features for relationship mapping and data analysis.
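The two behaviours the sources describe most concretely, silent IMAP/POP replication of a whole mailbox and exfiltration through mail forwarding, both leave traces in mail-server audit logs. The following detection sketch is an added example for defenders; it is not code from the leaked material or from Mallory. The JSON audit-log format, the field names, the sample events, the organisation domain `example.com` and the `BULK_FETCH_THRESHOLD` value are all constructed assumptions; a real deployment would map them onto the mail platform's own audit schema and tune the threshold to normal client behaviour.

```python
"""Flag mailbox activity consistent with covert mailbox replication and
forwarding-based exfiltration. Added example: the log schema, sample
events and thresholds below are constructed, not taken from any source."""
import json
from collections import defaultdict

ORG_DOMAIN = "example.com"        # assumption: the organisation's own mail domain
BULK_FETCH_THRESHOLD = 1000       # assumption: messages pulled in one IMAP session

# Constructed sample audit events (not from any real tenant or from the sources).
SAMPLE_LOG = """
{"ts":"2025-11-01T08:02:11Z","user":"alice@example.com","event":"login","proto":"web","ip":"203.0.113.10"}
{"ts":"2025-11-01T08:05:40Z","user":"alice@example.com","event":"login","proto":"imap","ip":"198.51.100.7"}
{"ts":"2025-11-01T08:06:02Z","user":"alice@example.com","event":"fetch","proto":"imap","ip":"198.51.100.7","messages":4200}
{"ts":"2025-11-01T09:15:00Z","user":"bob@example.com","event":"rule_create","action":"forward","target":"bob.backup@example.com"}
{"ts":"2025-11-01T09:40:13Z","user":"carol@example.com","event":"rule_create","action":"forward","target":"sync-inbox@mail-archive.invalid"}
{"ts":"2025-11-01T09:58:20Z","user":"dave@example.com","event":"login","proto":"web","ip":"203.0.113.10"}
{"ts":"2025-11-01T10:01:55Z","user":"dave@example.com","event":"login","proto":"imap","ip":"203.0.113.10"}
{"ts":"2025-11-01T10:02:30Z","user":"dave@example.com","event":"fetch","proto":"imap","ip":"203.0.113.10","messages":12}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def known_ips(events):
    """Per-user baseline: source IPs seen on interactive (non-IMAP) logins."""
    baseline = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["proto"] != "imap":
            baseline[e["user"]].add(e["ip"])
    return baseline


def find_findings(events):
    """Return (finding_type, user, detail) tuples in event order.

    external_forward : a forwarding rule whose target is outside ORG_DOMAIN
    imap_replication : an IMAP fetch that is unusually large and/or comes from
                       an IP the user has never used interactively
    """
    findings = []
    baseline = known_ips(events)
    for e in events:
        if e["event"] == "rule_create" and e.get("action") == "forward":
            if not e["target"].lower().endswith("@" + ORG_DOMAIN):
                findings.append(("external_forward", e["user"], e["target"]))
        elif e["event"] == "fetch" and e["proto"] == "imap":
            reasons = []
            if e["messages"] >= BULK_FETCH_THRESHOLD:
                reasons.append("bulk_fetch")
            if e["ip"] not in baseline.get(e["user"], set()):
                reasons.append("unfamiliar_ip")
            if reasons:
                findings.append(("imap_replication", e["user"], "+".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the sketch reports alice's bulk IMAP pull from an IP she has never used interactively and carol's forwarding rule to an external address, while bob's internal forward and dave's small sync from a familiar IP stay quiet. The two signals are deliberately kept separate: a large first sync from a new mail client is common and only worth a ticket, whereas an external forwarding rule created without a matching change request is rarely benign.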
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.