The manufacturer of these devices is a Chinese company named Meari Technology (觅睿科技) (Meari). Meari is an Original Design Manufacturer (ODM) or white-label manufacturer, meaning the company designs and builds products, which are then sold and rebranded by other companies. In this case, Meari claims that the company’s products have been distributed to more than 100 countries, with over 35 million users, according to its official website.

Sammy Azdoufal has discussed with the Natto Team how he reached out to inform Meari of the vulnerabilities in their products and how he encountered difficulties for over two months, from when he first contacted Meari Technology on March 2 to when the five high-risk Meari vulnerabilities were formally disclosed on May 11 by RunZero, an official CVE Numbering Authority (CAN) and enterprise exposure management and asset discovery platform.

The Natto Team felt Sammy’s deep frustration during this process. Sammy told the Natto Team after he discovered the vulnerabilities at the end of February that he just wanted the company to fix the vulnerabilities as quickly as possible because seeing the faces of strangers’ children floating on the Internet made me “want to throw up.” However, after he emailed Meari on March 2 about his vulnerability discovery, he received no response for nine days, despite Sammy’s effort to contact the company through all possible channels. When Meari’s security team finally did start communicating with Sammy on March 11, Meari initially responded with what Sammy characterized as “veiled threats.” Eventually the company did address the primary flaw and issue a bug bounty award for his help, but this took six weeks of frustration, which Sammy has documented on his Github page.

This reminded us of the Natto Team’s previous report that detailed the story of Australian security researcher Sick Codes and his discovery in 2020 of vulnerabilities in Android TVs made by TCL, a Chinese multinational electronics company and the world’s second-largest TV manufacturer. The Natto Team’s previous research suggested that The TCL case in 2020 had taught the Chinese government and companies a lesson in how to respond to vulnerability reports by independent foreign researchers.1 However, six years later, Meari appears not to have learned the lesson that TCL did in 2020.

Indeed, the Meari case exposes a deeper problem. Meari’s Infrastructure-level vulnerabilities, not device-level flaws, enabled the exposure of over a million IoT (Internet of Things) devices. The case suggested that Meari fails to embrace the secure-by-design approach, in which security is proactively embedded into a system from the ground up. In fact, according to Sammy’s security audit analysis, which he shared with the Natto Team, Meari Technology: “possesses by-design, architectural access to every camera deployed worldwide. This is not a single misconfiguration or an isolated bug. The platform’s core architecture -- from MQTT [Message Queuing Telemetry Transport] broker topology to credential provisioning, from alert image storage to peer to peer (P2P) relay infrastructure -- is built such that the vendor (Meari) and anyone who compromises the vendor can monitor, control, and extract footage from any customer’s camera at any time, without the customer’s knowledge or consent.” Sammy documented 12 independent pieces of evidence in his security audit and discovered “each individually proves some degree of vendor-side access. Taken together, Meari establishes that no meaningful security boundary exists between Meari’s backend infrastructure and the end-user’s camera feed.”

It appears that Meari’s by-design, architectural access to every camera deployed worldwide may have its own reasons. The Natto Team noticed that the same week in March 2026, when Sammy was anxiously waiting for a response from Meari, the company went public on March 9. Chinese market commentators praised Meari’s successful IPO as a market recognition of Meari as a smart IoT firm “with core technologies and global market capabilities.” Meari’s share price doubled in the second trading day, reflecting investor enthusiasm for the company’s future growth. The contrast between a company with unsecure products distributed globally and a company celebrating its success domestically makes us wonder who Meari Technology really is.

In this piece, the Natto Team takes a deep dive into Meari Technology to understand how a domestically acclaimed tech company maneuvers the global market, how Meari’s response to vulnerability reporting reflects the ecosystem of vulnerability management in China, and how companies like Meari compete to develop artificial intelligence (AI) technologies.

Read more

Who is China’s Palantir?

The answer isn’t a single company, but an emerging ecosystem

—- An anonymous Chinese AI industry expert

In early April 2026, five weeks into the US and Israel’s war on Iran, a Washington Post report detailed a burgeoning market of private Chinese firms using artificial intelligence (AI) with open-source data to track U.S. military movements. These firms analyze intelligence on carrier groups and aircraft locations during the conflict. The report specifically highlighted two five-year-old companies : MizarVision (觅熵科技) and Jing’an Technology (靖安科技). Both are based in Hangzhou, a city widely considered the “center of China’s AI universe.” The Natto Team discovered that these companies, and a dozen others, have vied for the honor of being considered “China’s Palantir,” amid market hype over the role of AI in the military-industrial sector.

U.S.-based software company Palantir Technologies builds data integration and analytics platforms used by governments and commercial organizations around the world. Its products have reportedly played significant roles in recent conflicts, including the Israeli Defense Ministry’s use of AI-driven battlefield analytics in Gaza in 2024 and U.S. operations in Iran in 2026, which enabled the targeting of Iranian Supreme Leader Ali Khamenei. In April 2026, Palantir sparked global controversy by publishing a 22-point “manifesto” on X (formerly Twitter) that some commentators viewed as expressing a highly militaristic worldview with dangerous aspirations regarding AI, surveillance, and autonomous weapons.

In a November 2025 interview with The Axios Show, a digital media outlet based in the U.S., when asked “what should we worry about AI?,” Palantir CEO Alex Karp stated that the biggest risk of AI is the possibility of China winning the race for dominance. It appears Mr. Karp’s concerns seem valid; Palantir serves as a beacon for numerous Chinese companies striving for global influence. Many believe that China’s own Palantir(s) are those high growth companies that the Chinese government wants and needs to win global dominance.

In this post, the Natto Team analyzes two studies about Palantir from Chinese perspectives—one written in 2017 by an academic scholar and the other in 2026 by an industry AI expert—to reveal reasons behind China’s obsession with Palantir and barriers to the emergence of Chinese Palantir wannabes. It also sheds light on the evolution of the Chinese military-industrial sector and identifies the companies inspired by Palantir.

Although China’s Palantir-like companies have not fully emerged, they are on the horizon.

(Note: The appendix of this post provides a list of Chinese companies that have been mentioned by various Chinese media or have self-identified as being, or resembling, China’s Palantir. For more information about these companies, please contact nattoteam@nattothoughts.com.)

Subscribe now

Read more

“Whoever masters automated vulnerability discovery technology holds the upper hand in cyber offense and defense” – Zhou Hongyi, Chairman and CEO, 360 Digital Security Group (2018)

On April 7, 2026, artificial intelligence developer Anthropic introduced its new general-purpose model Claude Mythos Preview to a restricted partnership of over 40 vetted organizations, including major technology and cybersecurity firms, as part of its defensive security initiative Project Glasswing. The company stated that the Claude Mythos model has identified thousands of high-severity vulnerabilities across widely used software, including major operating systems and web browsers. Crucially, in some cases it can autonomously develop exploits and chain vulnerabilities without human intervention. Anthropic has not released the system publicly, citing the risks associated with such capabilities and the need for further safeguards before deployment at scale.

While independent assessment remains limited and technical details are sparse, governments are already responding: U.S. officials have reportedly briefed financial institutions on AI-enabled cyber risks, while German authorities have warned of significant disruption and the capacity of such systems to transform vulnerability discovery.

Recent developments suggest that similar capabilities are being explored in China. In February 2026, Natto Thoughts described how a team from 360 Digital Security Group (奇虎360, hereafter “360”), which won first place at the 2026 Tianfu Cup, a major Chinese exploit hacking contest,1 had relied extensively on AI-assisted discovery and exploitation, with its team lead stating that AI has evolved “from an auxiliary tool to the core engine of vulnerability discovery.” The team that placed third made similar claims. This raises a central question: have Chinese companies already developed systems with capabilities comparable to those claimed for Claude Mythos, and how might differences in institutional context shape their impact?

This analysis focuses on 360 as a primary case study, given its position as a leading cybersecurity company in China, its strong track record in top-tier vulnerability research, and the relative visibility of its recent AI-related disclosures.2 Recent disclosures describe internally developed multi-agent systems capable of identifying vulnerabilities, supporting exploit development, and automating parts of the research workflow that were previously manual, with claimed discovery at a scale approaching Anthropic’s description of Claude Mythos. Other firms appear to be pursuing similar approaches, though with more limited public information. The analysis then considers how such capabilities could translate into an asymmetric offensive advantage in China’s favor.

Subscribe now

Read more

Read more

Since the start of his second term in January 2025, the Trump administration has conducted military actions or strikes in seven countries. The ouster of Venezuelan president Nicolas Maduro in January 2026 and the ongoing US-Israeli joint military operation against Iran makes it feel as if the threshold for war has been lowered. Leaders across the globe are likely drawing their own conclusions. Bill Bishop, a China expert at Sinocism, remarked, “Maduro and now Ayatollah Ali Khamenei in two months. Would love to know what Xi really thinks about this,” referring to Chinese President Xi Jinping. Indeed, what does Xi think about these developments? In particular, how do they shape Xi’s views on Taiwan “reunification”? Have US military actions in seven countries influenced Xi’s perspective on using military force to achieve China’s goal of “reunification”—which he considers a “historical inevitability”?

A potential conflict between China and Taiwan would represent a globally significant inflection point. Drawing from the Center for Strategic and International Studies (CSIS) 2023 report The First Battle of the Next War: Wargaming a Chinese Invasion of Taiwan, this piece aims to conduct a reality check on a likely scenario of China-Taiwan conflict presented in the CSIS report, and examines the challenges and possible cyber implications of such a scenario and how organizations across sectors could be exposed, whether directly or indirectly.

Based on war games involving a simulated invasion, the CSIS study provides insights under clearly defined assumptions, including participating actors and their roles, mobilization timelines, ammunition availability and the type of operations conducted. While no single study can predict outcomes, its transparent methodology and multi-scenario approach provide a useful analytical foundation.

Subscribe now

Read more

The episode reflects growing awareness in parts of the European Union (EU) about the strategic implications of university partnerships with Chinese institutions embedded in the country’s defense research system. However, it remains an isolated institutional reversal, with similar collaborations persisting in a number of countries. In December 2025, Beihang itself claimed to have “elevated European cooperation to new heights.”

Over the past decade, university cooperation between some EU member states and China has expanded rapidly across several fields. Many of these exchanges generate legitimate academic and economic benefits. However, some partner institutions are not simply civilian universities.1 They are formally authorized to conduct classified weapons equipment research and are structurally embedded in China’s military and defense industrial system, raising concerns about dual-use knowledge transfer – research with both civilian and military applications – access to EU funding streams, and long-term institutional exposure and influence aligned with defense research agendas.2

Cyber-related disciplines are particularly sensitive. Fields such as software engineering, telecommunications, computer science, and information security cultivate inherently dual-use skills. These capabilities support civilian digital infrastructure and defensive cybersecurity, but also enable cyber espionage – including intellectual property theft – offensive cyber operations, and applications such as secure military communications and strategic command systems. Such capabilities can be deployed remotely in both peacetime and conflict.

Within this landscape, France stands out. Among EU member states, it has the highest concentration of cyber partnerships involving Chinese institutions that hold state secrecy clearance or maintain formal ties to China’s defense establishment. This piece maps EU–China cyber-related joint degree partnerships, identifies institutional risk factors including security clearance status and defense affiliation, and examines the French case in depth. Beihang University’s School of Cyber Science and Technology serves as a central case study, including analysis of its state and defense industry ties and a review of research activities and affiliations of nearly 80 faculty members.

The Appendix identifies EU–China cyber-related partnerships and their disciplinary focus, highlights relevant risk factors, and explains the methodology used to assess institutional affiliations and involvement in classified research.

Subscribe now

Read more

In this post, the Natto Team explores an example of a Chinese government and military-affiliated entity—the National Research Center for Information Technology Security (NITSC) (国家信息技术安全研究中心). We examine its organizational structure, affiliations, and capabilities, then reveal its military connections. Lastly, we present questions for further research.

Subscribe now

Read more

After skipping three editions in 2022, 2024, and 2025, the competition has now reappeared, although the reasons for this hiatus and revival remain unclear. The event was first announced on China’s MPS website on January 16. On January 19, the Tianfu Cup’s account on the social media platform X appears to have briefly posted about the competition before deleting the post shortly thereafter. The following day, the event’s website (hxxps://tianfucup[.]cn) became inaccessible from outside China. By February 2, following the conclusion of the contest, the site appeared to have been taken offline entirely and remains inaccessible as of this writing. The Natto Team was nonetheless able to access the website for this piece, which includes screenshots of relevant information, as well as MPS and private company press releases that remain accessible.

Building on earlier analyses of past Tianfu Cup events by the Natto Team and the From Vegas to Chengdu report from the Center for Security Studies at ETH Zurich, this piece examines what has changed with the Tianfu Cup’s return and why it matters. It analyzes the shift from a commercially led competition to one organized almost entirely by the MPS, specifically the Sichuan Provincial Public Security Bureau. It then looks at the structure of the 2026 edition and its two tracks, including evidence of AI-assisted techniques being used in vulnerability discovery and exploitation. Finally, it explores what remains the most consequential and unresolved question: where vulnerabilities discovered at the Tianfu Cup are likely to end up, and what this suggests about China’s evolving approach to vulnerability retention and state control.

A complete list of competition targets, as disclosed on the 2026 Tianfu Cup website, is reproduced in the appendix at the end of this piece.

Read more

Disclosures from a 2024 leak, together with a March 2025 U.S. indictment involving Anxun (i-SOON) Information Technology Co., Ltd (安洵信息技术有限公司), which has been linked to Chinese state-sponsored cyber campaigns, indicate that a single commercial actor can be tasked by, actively seek contract opportunities from, or perform work for, a large number of provincial MSS and Ministry of Public Security (MPS) bureaus. This case provides rare visibility into how a single firm can support multiple, distinct provincial mandates and supply the operational capacity through which intrusions are carried out at near-national scale.

Building on this, this piece examines how companies allegedly linked to APT activity – concentrated in a small number of provinces – enable cross-provincial operational scaling, even as provincial bureaus remain the primary source of tasking and authority. It begins by briefly distinguishing legitimate businesses from front companies, then traces how earlier cyber operations were likely predominantly organized around provincially bounded, bureau-executed models centered on front companies.2 Next, it shows how market maturity enabled greater collaboration between government agencies and legitimate firms, and concludes by examining why these firms are concentrated in a handful of provinces.

Read more

The Natto Team believes that understanding these Chinese cybersecurity companies is essential for grasping how China develops its cyber capabilities. Since launching Natto Thoughts in 2023, our team has investigated several Chinese cybersecurity companies involved in state-sponsored or state-linked cyber operations. Our findings suggest that China has established a highly effective and state-aligned system, notably integrating the private sector—Chinese cybersecurity companies—in building its cyber capabilities.

In this post, the Natto Team examines the overall development of China’s cybersecurity sector and the top cybersecurity companies of 2025 based on the ISC’s CICCI reports, which analyze these companies’ key performance indicators, innovation and research and development (R&D) capabilities, business and market coverage, and how their core functions align with China’s national priorities.

Subscribe now

Read more

Natto Thoughts had a great year in 2025, experiencing strong growth in both readership and collaboration. The Natto Team would like to thank our readers for making our in-depth explorations of China’s evolving cyber ecosystem our most-viewed reports of the year. Your support drives our research. We also want to thank and for their research collaboration efforts. Three of the top five reports resulted from this partnership.

Collectively, these five reports provide a comprehensive overview of how China has formally institutionalized its cyber capabilities, resulting in a highly effective and state-aligned system—particularly highlighting the integrated role of the private sector.

Here are the highlights from the top 5 reports:

• “Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry“: This report demonstrated how the guiding philosophy, “To defend, one must first know how to attack” (以攻为防), originated in 1990…

Read more

To defend systems, one must first pinpoint the source of malicious activity. Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like “APT” or “UNC.”1 Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.

Some CTI experts debate the conditions under which strategic attribution is appropriate, while others highlight the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and other researchers believe that – compared to “cluster-based” tactical and operational attribution – the strategic identification of real-world individuals and o…

Read more

Read more

In China, these questions are far less abstract. Private companies have been core contributors to national cyber capability building for years, supported by both policy and institutional design. They develop many of the tools, techniques, and forms of expertise that underpin defensive security products and can also be leveraged for state-sponsored cyber operations. The clearest organizational expression of this approach is companies’ widespread use of attack-defense labs (攻防实验室), internal units that merge defensiv…

Read more

During his first state visit to South Korea after 11 years, Xi presented two Chinese-made Xiaomi brand smartphones—the world’s third-largest smartphone brand—to South Korean President Lee Jae Myung. When Lee asked delightedly about the quality of communication and the security of the phone, Xi smiled and said, “You can check if there is a backdoor.”

President Xi is undoubtedly fully aware that the United States and its allies have warned that Chinese technology may contain backdoors—what the …

Read more

Additionally, when law enforceme…

Read more

As this ecosystem has evolved, the Chinese state moved to harness the vulnerability research for national priorities through both formal and informal channels. From the top down, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the bottom up, informal networks among prominent researchers, who exchange insights and acquisition o…

Read more

Note added May 27, 2026

On May 2, 2026, The Cyber Defense Review published an article, “China’s Cyber Explosives Are in Place. Where’s Our Response?,” written by Rob Joyce, former Acting Homeland Security Adviser on the U.S. National Security Council and retired NSA cybersecurity director. In the article, Joyce argues that China’s cyber campaigns—such as Volt Typhoon and Salt Typhoon—“are not routine espionage, but deliberate preparations for conflict. These operations reflect a coordinated effort to pre-position access across vital systems, enabling the potential disruption of military logistics and civilian infrastructure in the early stages of a crisis.” Joyce’s argument—that Salt Typhoon’s activities were intended to pre-position for conflict—is new to the Natto Team.

As the Natto Team’s previous analysis indicated, Volt Typhoon was known for cyber campaigns focused on developing capabilities and preparing and pre-positioning for possible disruptive and destructive attacks. By contr…

Read more

On August 27, 2025, the United States and 22 government agencies from 13 countries issued a Cybersecurity Advisory entitled, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System.” The advisory outlined the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) actors whose activity partially overlaps with activity grouped under names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.

The document identified three Chinese companies—Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司), Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司)—that have supported these APT activities globally since at least 2021. These organizations reportedly supplied cyber-related products and services to China’s intelligence entities, including units within the People’s Liberat…

Read more

In our last piece, we showed how truly elite offensive cyber talent has always been scarce, even within China’s massive hacker communities of the 2000s. But how did this small circle of talent actually develop offensive capabilities? In China, these fall under the broader category of “live-fire” capabilities (实战能力),1 i.e. the ability to apply tools and techniques such as penetration testing, security operations, and incident response. As we discussed here, here, and here, hacking contests, bug bounty platforms, and cyber ranges have become core pillars of China’s modern live-fire talent pipeline. Today, these mechanisms are deeply institutionalized across universities, companies, and state-backed initiatives, serving as the backbone for identifying and training skilled operators.

Read more