Silk Typhoon spun a web of patents for offensive cyber tools, report says
(2025/07/31)
- Reference: 1753974013
- News link: https://www.theregister.co.uk/2025/07/31/silk_typhoon_attack_patents/
- Source link:
Security researchers have uncovered more than a dozen patents for offensive cybersecurity tools filed by Chinese companies allegedly tied to Beijing's Silk Typhoon espionage crew.
SentinelLabs, the research arm of SentinelOne, rifled through a newly unsealed indictment from the US Department of Justice and [1]identified at least 16 patents linked to China's Ministry of State Security (MSS) that were filed between 2014 and 2020 by two now-infamous front companies: Shanghai Powerock and Shanghai Huayun Firetech.
Both companies were previously linked to the Silk Typhoon crew, also known by the Microsoft moniker "Hafnium," which first made headlines in 2021 after [2]exploiting zero-day flaws in Microsoft Exchange to compromise tens of thousands of systems worldwide. The Chinese government crew is also believed to be behind the [3]December break-in at the US Treasury Department.
While Silk Typhoon's handiwork has been well documented, these newly surfaced patents shed light on the tools behind the operation: utilities for decrypting hard drives, network traffic sniffers, forensic software, and even spyware tools designed to remotely recover files from Apple devices, which SentinelLabs researcher Dakota Cary notes has "not been documented as a capability used by Hafnium or any related threat actor groups."
The filings appear to describe capabilities that go well beyond defensive cybersecurity and are more in line with targeted espionage and surveillance ops.
The revelations come from a July 2025 indictment that names two alleged MSS contractors who prosecutors say were working under the direction of the Shanghai State Security Bureau at the time, Xu Zewei and Zhang Yu, for their role in the 2021 Exchange mega-hack. Xu clocked in at Shanghai Powerock, according to the indictment, while Zhang hailed from Shanghai Firetech.
Shanghai Powerock, which filed several of the earliest patents, quietly deregistered in 2021, just months after its alleged role in the Microsoft Exchange campaign was exposed. Firetech, meanwhile, appears to have stayed in business longer, operating subsidiaries and continuing to support the development of tools described as "remote evidence collection systems" and "mobile data forensics platforms."
The indictment uncovers additional corporate links to Silk Typhoon operatives: Yin Kecheng, who was [12]arrested earlier this year for carrying out "multi-year, for-profit computer intrusion campaigns" dating back to 2013, is believed to have worked at Shanghai Heiying Information Technology Company. Yin also co-founded the Shanghai Siling Commerce Consulting Center with Zhang Yu.
Chinese infosec vendor I‑Soon has been tied to Silk Typhoon through evidence uncovered in [13]leaked internal chat logs and corporate documentation.
As Cary at SentinelLabs points out, the stash of cyber tools tied to Silk Typhoon seems to go well beyond what's been publicly pinned on the Chinese hacking crew, suggesting some of the kit may have been quietly handed off to other MSS outposts. He concludes by saying that while the tooling could, at least in theory, be used for defensive purposes, there's zero evidence to suggest it was ever flogged that way.
Beijing, for its part, continues to wave away accusations of cyber espionage, maintaining that it has nothing to do with the digital break-ins regularly placed at its doorstep. ®
[1] https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/
[2] https://www.theregister.com/2021/03/03/hafnium_exchange_server_attack/
[3] https://www.theregister.com/2025/03/05/china_silk_typhoon_update/
[12] https://www.theregister.com/2025/03/06/fbi_china_pays_75k_per/
[13] https://www.theregister.com/2024/02/22/i_soon_china_infosec_leak/
So if Govt. uses one of their patented methods without permission,
they can sue for patent infringement? And so divulge their identity.