Chinese companies tied to Hafnium hacker group file patents for advanced spyware tools

Companies linked to China's hacker group Hafnium have filed over a dozen patents for surveillance and hacking tools, offering a rare paper trail into the country’s cyber espionage machine.
Silk Typhoon, otherwise known as Hafnium, might just remind the world of what they’re capable of. Over the years, this espionage-focused Chinese hacker group has not left a cyber stone unturned by targeting remote management tools and cloud applications, the US National Guard, Canadian Telecom, and many others.
This time, the group is being linked to companies that have filed for over a dozen technology patents, raising the question of its intent.
The SentinelOne report, first revealed to Hacker News, was sparked by the US Department of Justice’s (DOJ) 2025 indictment of two Chinese individuals, Xu Zewei and Zhang Yu. They have been charged with cybercrimes, specifically stealing COVID-19 research from US universities and exploiting Microsoft Exchange Server vulnerabilities in a Hafnium campaign designed to compromise thousands of systems worldwide, including in the US.
The DOJ and cybersecurity researchers found that:
- These companies hold patents for cyber tools, including software to hack Apple devices, gather router data, and control smart home systems.
- The tools haven’t been publicly linked to Hafnium before, raising concerns that their real capabilities go far beyond what had been previously thought.
- The hackers weren’t working alone. They were part of a wider ecosystem of contractors and firms, some with histories in legitimate tech ventures that provide services to the Chinese government.
"This new insight into the Hafnium-affiliated firms' capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor," said Dakota Cary, a China-focused advisor at SentinelLabs.
The investigation also revealed that the businesses now linked to Hafnium were not operating on the dark web. Instead, they were registered companies, some with visible leadership and employees who openly moved between roles at cybersecurity companies and Chinese tech manufacturers.
For example, Xu Zewei moved from Powerock to Chaitin Tech and later to Shanghai GTA Semiconductor. This is notable, as Powerock was not heard of again after the Microsoft hack was publicly blamed on China.
Zhang Yu is the CEO of Shanghai Firetech, a company now known to be one of those that have filed patents for Apple forensics and encrypted data extraction.
Another hacker linked to Hafnium, Yin Kecheng, worked at Shanghai Heiying, a firm reportedly founded by Zhou Shuai – a patriotic hacker and data broker known in China’s underground cyber circles.
SentinelOne researchers believe that some of the patented tools enable a closer-to-the-victim form of surveillance where actors infiltrate or gain access to personal devices and networks directly.
This means China's offensive cyber capabilities may extend not just to remote digital espionage, but also to on-the-ground spying.
“The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly,” Cary added.
“The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure.”
In its summary, the report raises the question of how global cybersecurity communities attribute attacks and emphasizes that naming a hacker group, in this case Hafnium, isn’t enough, as these names are only the tip of the iceberg. Entire networks of companies, state security contracts, and a pipeline of tools that power modern cyber espionage often lie unnoticed underneath.
However, the good news is that some of those tools now have paper trails – the patents.