Chinese Silk Typhoon Hackers Filed 10+ Patents for Highly Intrusive Hacking Tools
Chinese state-sponsored hackers associated with the notorious Silk Typhoon group have filed over ten patents for sophisticated cyber espionage tools, revealing the unprecedented scope of their offensive capabilities.
These patent applications, registered by companies linked to China’s Ministry of State Security (MSS), expose a systematic approach to developing highly intrusive forensics and data collection technologies that extend far beyond previously documented attack methods.
The revelations emerged from a comprehensive investigation following the July 2025 Department of Justice indictment of two hackers, Xu Zewei and Zhang Yu, who operated under the direction of the Shanghai State Security Bureau.
These individuals worked for Shanghai Powerock Network Company and Shanghai Firetech Information Science and Technology Company respectively, firms that have now been directly connected to the Hafnium threat actor group, which Microsoft renamed Silk Typhoon when it adopted its weather-themed actor taxonomy in 2023.
SentinelLABS analysts identified these patent filings as part of a broader investigation into the contracting ecosystem supporting China’s cyber operations.
The research uncovered a sophisticated network of companies that develop offensive capabilities ranging from encrypted endpoint data acquisition to mobile forensics and network device traffic collection.
This discovery represents one of the most comprehensive insights into how Chinese state actors systematically develop and patent their hacking methodologies.
The threat group gained international notoriety in 2021 following their exploitation of Microsoft Exchange Server vulnerabilities, particularly the ProxyLogon attack chain.
This campaign was so widespread that it prompted the first joint condemnation of Chinese state cyber activity by the United States, United Kingdom, and European Union, an attribution that changed how Beijing responds to such accusations and led to coordinated counter-messaging campaigns that continue today.
Advanced Forensics Arsenal Exposed
The patent applications reveal a comprehensive suite of forensics tools designed for covert data extraction across multiple platforms and devices.
Shanghai Firetech’s filings include “remote automated evidence collection software,” “Apple computer comprehensive evidence collection software,” and “router intelligent evidence collection software,” indicating capabilities that extend well beyond traditional Windows-based targets.
Particularly concerning are patents for “defensive equipment reverse production software” and “computer scene rapid evidence collection software,” suggesting tools designed to rapidly compromise and extract data from secured environments.
Recent filings demonstrate evolution toward Internet of Things exploitation, with patents covering “intelligent home appliances analysis platform” and “long-range household computer network intelligentized control software.”
The group’s capabilities against Apple systems represent a significant development: Shanghai Firetech founder Yin Wenji demonstrated FileVault encryption bypass techniques as early as 2015.
Patents for “specially designed computer hard drive decryption software” and “remote cellphone evidence collection software” indicate sophisticated mobile device compromise capabilities that have not been publicly attributed to Silk Typhoon operations, suggesting the group’s true scope remains largely undetected by current threat intelligence efforts.