Researchers from SentinelOne have linked the PurpleHaze and ShadowPad activity clusters to China-aligned threat actors with high confidence. Some PurpleHaze intrusions are tentatively associated with groups overlapping the suspected Chinese cyberespionage teams known as APT15 and UNC5174. The latest investigation zeroes in on the specific subset of these threats that have targeted SentinelOne and other entities, and are attributed to China-nexus operations.

“A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities,” Aleksandar Milenkoski and Tom Hegel wrote in a Monday SentinelLABS post. 

They added that the PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between last July and March this year. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across sectors.

Last October, SentinelLABS identified and thwarted a reconnaissance operation targeting the company, linked to a broader threat activity cluster dubbed PurpleHaze. In early 2025, the team also disrupted an intrusion tied to a larger ShadowPad campaign, which affected a third-party organization managing hardware logistics for SentinelOne staff. 

The latest findings build on previous SentinelLABS research into threats facing cybersecurity vendors, ranging from financially motivated malware to targeted campaigns by nation-state actors. The report specifically highlights attacks attributed to China-nexus threat groups that have targeted SentinelOne and similar organizations.

“As for the reconnaissance activity, we promptly identified and mapped the threat actor’s infrastructure involved in this operation as soon as it began,” the researchers wrote. “A thorough investigation of SentinelOne servers probed by the attackers revealed no signs of compromise. We assess with high confidence that the threat actor’s activities were limited to mapping and evaluating the availability of select Internet-facing servers, likely in preparation for potential future actions.” 

They added that continuous monitoring of network traffic to the servers, which is part of an established and continuing practice for protecting SentinelOne assets exposed to the Internet, enabled rapid detection and increased scrutiny of the reconnaissance activities, mitigating any potential risks.
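As an added illustration of the traffic monitoring described above (not SentinelOne's own tooling), the Python heuristic below flags a single source that touches several distinct Internet-facing hosts, or many distinct paths with mostly 4xx responses, inside a short window. The log format, hostnames, addresses, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real telemetry): "ts src host path status".
SAMPLE_LOG = """\
2024-10-01T10:00:01Z 203.0.113.10 edge-a.example.test /login 200
2024-10-01T10:00:02Z 203.0.113.10 edge-a.example.test /.git/config 404
2024-10-01T10:00:02Z 203.0.113.10 edge-a.example.test /.env 404
2024-10-01T10:00:03Z 203.0.113.10 edge-b.example.test /admin 403
2024-10-01T10:00:04Z 203.0.113.10 edge-c.example.test /api/v1/status 404
2024-10-01T10:00:05Z 203.0.113.10 edge-d.example.test /server-status 404
2024-10-01T10:05:00Z 198.51.100.7 edge-a.example.test /login 200
2024-10-01T10:05:30Z 198.51.100.7 edge-a.example.test /dashboard 200
2024-10-01T10:06:00Z 198.51.100.7 edge-a.example.test /dashboard 200
"""

WINDOW = timedelta(seconds=60)
MIN_HOSTS = 3       # assumption: one source reaching >=3 distinct exposed hosts per window
MIN_PATHS = 5       # assumption: >=5 distinct paths, mostly answered with 4xx
MIN_ERR_RATIO = 0.6

def parse(log_text):
    """Yield (timestamp, src, host, path, status) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path, status = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path, int(status)

def flag_recon(log_text):
    """Return {source: reason} for sources whose activity looks like availability mapping."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, *_) in enumerate(events):
            # Sliding window starting at each event; stop at the first hit per source.
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            hosts = {e[2] for e in window}
            paths = {e[3] for e in window}
            errs = sum(1 for e in window if 400 <= e[4] < 500)
            if len(hosts) >= MIN_HOSTS:
                findings[src] = f"{len(hosts)} hosts probed within {WINDOW.seconds}s"
                break
            if len(paths) >= MIN_PATHS and errs / len(window) >= MIN_ERR_RATIO:
                findings[src] = f"{len(paths)} paths, {errs}/{len(window)} 4xx"
                break
    return findings
```

The second source stays unflagged because it works on one host with successful responses; only the breadth-first probing pattern is surfaced for analyst review.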

Researchers said that last June, SentinelLABS observed ShadowPad malware activity linked to a threat actor targeting a South Asian government agency responsible for IT infrastructure and services across several sectors. The ShadowPad sample retrieved was obfuscated using a variant of ScatterBrain, an evolution of the ScatterBee obfuscation mechanism.

“Based on ShadowPad implementation characteristics, we identified additional samples that revealed broader activity taking place between July 2024 and March 2025, spanning a wide range of victims globally. Using C2 netflow and SentinelOne telemetry data, SentinelLABS uncovered over 70 victims across sectors such as manufacturing, government, finance, telecommunications, and research,” according to the post. “Potentially affected SentinelOne customers were proactively contacted by our Threat Discovery and Response (TDR) teams. One of the impacted entities was an IT services and logistics company, which had been responsible for managing hardware logistics for SentinelOne employees during that period.”

They attribute these intrusions with high confidence to China-nexus actors, with ongoing efforts aimed at determining the specific threat clusters involved. “ShadowPad is a closed-source modular backdoor platform used by multiple suspected China-nexus threat actors to conduct cyberespionage. Google Threat Intelligence Group has observed the use of ScatterBrain-obfuscated ShadowPad samples since 2022 and attributes them to clusters associated with the suspected Chinese APT umbrella actor APT41.”

Several of the ShadowPad samples and infrastructure SentinelLABS identified have also been documented in previous public reporting on recent ShadowPad activities, including research published by TrendMicro, Orange Cyberdefense, and Check Point. Some of these activities have included the deployment of ransomware referred to as NailaoLocker, though the motive remains unclear, whether for financial gain or as a means of distraction, misattribution, or removal of evidence.

On the PurpleHaze activity cluster, SentinelLABS noted that the threat actor leveraged ORB network infrastructure, which the researchers assess to be operated from China, and exploited the CVE-2024-8963 vulnerability together with CVE-2024-8190 to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed. This intrusion method suggests the involvement of UNC5174, which is assessed to be a contractor for China’s Ministry of State Security (MSS), primarily focusing on gaining access and specializing in exploiting vulnerabilities in targeted systems. After compromising these systems, UNC5174 is suspected of transferring access to other threat actors.

In January this year, CISA and the FBI released a joint advisory reporting threat actor activities that also took place in September 2024, involving the chained exploitation of CVE-2024-8963 and CVE-2024-8190, without providing specific attribution assessments. In March 2025, the French Cybersecurity Agency (ANSSI) released its 2024 cyber threat overview report, which documents intrusions that occurred in September 2024, involved the same vulnerabilities, and showed overlaps in TTPs associated with UNC5174.

Additionally, Mandiant has observed UNC5174 exploiting the CVE-2023-46747 and CVE-2024-1709 vulnerabilities and deploying a publicly available backdoor tracked as GOREVERSE. Strings and code segments in the public GOREVERSE YARA rule provided by Mandiant match the reverse_ssh backdoor, placing GOREVERSE in the GOREshell malware cluster, samples of which were observed in this intrusion and the October 2024 activity targeting the South Asian government entity.

In conclusion, the researchers highlighted the persistent threat posed by China-nexus cyberespionage actors to various industries and public sector organizations, including cybersecurity vendors themselves. “Our findings underscore the critical need for constant vigilance, robust monitoring, and rapid response capabilities.” 

They added that by publicly sharing details of the investigations, “we aim to provide insight into the rarely discussed targeting of cybersecurity vendors, helping to destigmatize sharing of IOCs related to these campaigns, and thus contribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat actors. As these adversaries continue to adapt to our response efforts, it’s essential that defenders prioritize transparency, intelligence sharing, and coordinated action over the fear of reputational harm.”
