Chinese Silk Typhoon Hackers File Over 10 Patents for Advanced Intrusive Hacking Tools
A SentinelLABS investigation has revealed that businesses linked to the Chinese advanced persistent threat (APT) group Hafnium, also known as Silk Typhoon, have submitted more than ten patents for highly intrusive forensics and data exfiltration methods.
These patents, registered by firms named in recent U.S. Department of Justice (DOJ) indictments, detail offensive capabilities, including encrypted endpoint data acquisition, mobile device forensics, and network traffic interception from routers and appliances.
The findings stem from July 2025 indictments of hackers Xu Zewei and Zhang Yu, who allegedly operated under the direction of China’s Ministry of State Security (MSS) through entities like Shanghai Powerock Network Company and Shanghai Firetech Information Science and Technology Company.
This ecosystem highlights a tiered contracting model where private firms provide tailored cyber-espionage support to state actors, complicating attribution efforts in the threat intelligence domain.
The indicted individuals and their companies are linked to Hafnium’s notorious campaigns, including the 2021 exploitation of zero-day vulnerabilities in Microsoft Exchange Server (MES) via ProxyLogon chains, which enabled widespread remote code execution (RCE) and webshell deployments.
SentinelLABS analysis uncovers previously unreported tools, such as patented software for remote file recovery from Apple FileVault-encrypted systems, which extends beyond Hafnium’s publicly documented tradecraft.
This capability, patented by Shanghai Firetech, aligns with potential human intelligence (HUMINT) operations, allowing surreptitious data collection from macOS endpoints without physical access.
The research also identifies patents for router-based intelligent evidence collection and defensive equipment reverse-engineering software, suggesting advanced network intrusion techniques that could facilitate lateral movement and persistence in compromised environments.
China’s Cyber Offensive Edge
Delving deeper, Shanghai Firetech’s intellectual property filings reveal a suite of tools with dual-use potential but clear offensive applications.
These include “remote automated evidence collection software” for stealthy data harvesting, “Apple computer comprehensive evidence collection software” targeting encrypted volumes, and “specially designed computer hard drive decryption software” for bypassing full-disk encryption (FDE) mechanisms.
Additional patents cover “remote cellphone evidence collection software” enabling over-the-air mobile forensics, and “network information security actual confrontation practice software” likely simulating red-team exercises for APT operations.

More recent submissions, such as those for intelligent home appliance analysis platforms and long-range household network control software, indicate capabilities for Internet of Things (IoT) exploitation, potentially supporting close-access operations against high-value targets.
The company’s Chongqing subsidiary further expands this footprint, with evidence of larger-scale operations, including internships and additional offices, raising questions about undisclosed contracts with other MSS regional bureaus.
This contrasts with lower-tier contractors like i-Soon, whose leaked internal documents exposed unstable, subcontracted work, whereas Firetech holds a trusted, task-directed relationship with the Shanghai State Security Bureau (SSSB).
SentinelLABS posits that these patented technologies may underpin unattributed campaigns, as threat actor tracking often clusters behaviors without linking back to corporate entities or state sponsors.
Global Cyber Policy Shifts
According to the report, the Hafnium case underscores deficiencies in current attribution models, where campaigns are named based on tactics, techniques, and procedures (TTPs) rather than organizational structures.
Tools like those for decrypting encrypted data or controlling smart home networks could be deployed defensively, yet the absence of commercial marketing suggests primary use in state-directed espionage.
This research, building on prior indictments of figures like Yin Kecheng and Zhou Shuai, illustrates how MSS leverages private firms for scalable offensive cyber operations, prompting unified international responses as seen in the 2021 joint U.S.-U.K.-E.U. statement condemning PRC cyber activities.
As China refines its propaganda and intelligence coordination, these findings emphasize the need for enhanced tracking of corporate patents and inter-firm relationships to unmask state-backed APTs effectively.