A new report has uncovered over a dozen patents linked to firms supporting China’s cyber-espionage operations, revealing capabilities previously unreported in public threat intelligence. 

These technologies, registered by companies identified in recent US indictments, are tied to the advanced persistent threat group known as Hafnium, also tracked as Silk Typhoon by Microsoft.

The findings follow the July 2025 indictment of two Chinese nationals, Xu Zewei and Zhang Yu, who were accused of hacking on behalf of the Ministry of State Security (MSS). Xu and Zhang worked for firms not previously associated publicly with Hafnium: Shanghai Powerock and Shanghai Firetech, respectively. 

Both companies, according to the Department of Justice, operated under the direction of the Shanghai State Security Bureau (SSSB).

Forensics Patents and Organizational Ties

SentinelLabs’ research identified at least 10 patents linked to Shanghai Firetech that demonstrate offensive cyber capabilities. These include tools to extract encrypted data from Apple devices, intercept traffic from routers and smart appliances and recover files from protected drives.

The investigation also sheds light on how these firms maintain long-term relationships with Chinese intelligence agencies. Zhang Yu, for instance, oversaw coordinated hacking operations and previously co-founded a mobile app company tied to his future business partner at Shanghai Firetech.

The Hafnium Cluster Expands

The July indictment expanded the known Hafnium ecosystem to at least four individuals and three companies.

Earlier in 2025, two others, Yin Kecheng and Zhou Shuai, were sanctioned and indicted in separate cases tied to the same activity cluster. Zhou, also known as Coldface, served as a broker for Yin’s work through the firm iSoon, whose internal documents were leaked online in 2024.

Though Microsoft renamed the group Silk Typhoon in 2022, the DOJ still connects these operations to Hafnium’s most infamous campaign: the 2021 exploitation of Microsoft Exchange Server vulnerabilities. That breach prompted a rare joint statement from the US, UK and EU condemning China’s cyber actions.

Patents Suggest Broader Offensive Reach

Recent filings by Shanghai Firetech describe tools such as:

  • Remote cellphone forensics software

  • Router traffic collection platforms

  • Smart appliance analysis tools

  • Hard drive decryption utilities

  • Network control software for home systems

These filings suggest that the company may support close-access operations beyond those publicly attributed to Hafnium. Notably, some of the patented tools have never been seen in use, leaving open the possibility that they were developed for classified operations or offered to regional MSS offices outside Shanghai.