Chinese Companies Linked With Hackers Filed Patents Over 10+ Forensics and Intrusion Tools

Cybersecurity researchers have uncovered more than 10 patents for highly intrusive forensics and data collection technologies filed by Chinese companies directly linked to state-sponsored hacking operations, according to a new report from SentinelLABS released this week.

The patents, registered by firms named in recent U.S. Department of Justice indictments, detail sophisticated offensive capabilities including encrypted endpoint data acquisition, mobile device forensics, and network traffic interception from routers and smart home appliances.

The technologies represent a significant expansion beyond previously documented capabilities of China’s elite Hafnium threat actor group, also known as Silk Typhoon.

The findings stem from July 2025 DOJ indictments of Chinese hackers Xu Zewei and Zhang Yu, who allegedly operated under the direction of China’s Ministry of State Security (MSS) through the Shanghai State Security Bureau.

Xu worked for Shanghai Powerock Network Company while Zhang Yu was employed at Shanghai Firetech Information Science and Technology Company.

SentinelLABS identified patents filed by Shanghai Firetech for technologies with clear offensive applications, including “remote automated evidence collection software,” “Apple computer comprehensive evidence collection software,” and “router intelligent evidence collection software.”

Notably, the company holds at least one patent for software designed to recover files from Apple computers remotely, a capability never before documented in Hafnium’s known toolkit.

“The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly,” said Dakota Cary, China-focused strategic advisor for SentinelLabs.

“These capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure.”

More concerning are recent patent filings suggesting capabilities suited for human intelligence operations. Patents for “intelligent home appliances analysis platform,” “long-range household computer network intelligentized control software,” and “remote cellphone evidence collection software” could enable sophisticated surveillance of individuals in their homes.

The DOJ indictments reveal a tiered ecosystem of Chinese cyber contractors, with Shanghai Firetech operating at the highest level of trust with intelligence services.

Unlike lower-tier firms that sell access opportunistically, Shanghai Firetech worked on specific tasking from MSS officers, indicating an ongoing, trusted relationship with China’s premier intelligence agency.

The companies’ activities trace back to the notorious 2021 Microsoft Exchange Server attacks that exploited ProxyLogon vulnerabilities, compromising thousands of organizations worldwide. That campaign prompted the first-ever joint U.S.-U.K.-European Union statement condemning China’s cyber activities.

The research highlights critical gaps in current threat intelligence, where campaigns are typically tracked by behavioral patterns rather than the actual organizations behind them.

“Threat actor tracking typically links campaigns and clusters of activity to a named actor,” Cary explained. “Our research demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for.”

Shanghai Firetech maintains a subsidiary in Chongqing that appears larger than its Shanghai headquarters, suggesting broader operations across China’s regional MSS offices.

The absence of these additional capabilities in public Hafnium attribution may reflect either their use in covert operations or the FBI’s strategic decision to reveal only widely recognized activities in the indictments.

The revelations underscore the sophisticated nature of China’s cyber contracting ecosystem and the challenge facing defenders in accurately attributing state-sponsored attacks to their true operators.
