
SentinelLABS has unveiled an extensive report detailing a wave of cyber-espionage activity that directly targeted SentinelOne and over 70 other organizations worldwide. Tracked as part of two interconnected activity clusters—ShadowPad and PurpleHaze—these operations are attributed with high confidence to China-nexus threat actors, including overlaps with APT15 and UNC5174.
The most notable discovery in SentinelLABS’ investigation was that threat actors carried out reconnaissance against SentinelOne’s Internet-facing servers in October 2024, and even compromised a third-party IT logistics firm responsible for handling employee hardware.
Despite the high-profile nature of the operation, SentinelLABS states that the attacks did not succeed:
“A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised.”
These incidents are part of a broader trend where cybersecurity vendors themselves are becoming targets due to their deep visibility into client environments and defensive capabilities.
ShadowPad, a privately sold modular malware platform, was used in a global campaign spanning June 2024 to March 2025, compromising victims in manufacturing, government, finance, telecom, and research. The cluster included a notable intrusion into a South Asian government IT provider.
Key tactics included:
- Obfuscation using ScatterBrain and ScatterBee
- Use of DLL hijacking
- DNS-over-HTTPS (DoH) for C2 communication
- Exploitation of vulnerable enterprise infrastructure (e.g., Fortinet, Check Point, CrushFTP)
In some ShadowPad intrusions, follow-on implants such as AppSov.exe were downloaded with PowerShell and curl from already-compromised internal infrastructure. These implants collected sensitive files, including certificates and cryptocurrency keys, and exfiltrated them with a custom PowerShell script.
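DoH moves name resolution into ordinary HTTPS traffic, so the DNS resolver logs most teams rely on never see the C2 lookup. As an added example that is not part of the SentinelLABS report or this article, the Python below shows what the GET form of a DoH query (RFC 8484) looks like to a web proxy and how to recover the queried name from the base64url `dns` parameter. The proxy log format, the resolver hostname `doh.example.net` and the client addresses are constructed; the queried domain is the C2 name reported later in this article.

```python
"""Decode RFC 8484 DNS-over-HTTPS GET queries found in a web-proxy log.

Added example; the log lines, resolver host and client IPs are constructed.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query: 12-byte header + one question."""
    # ID 0 (RFC 8484 recommends it for cacheable GETs), RD flag set, QDCOUNT 1.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def b64url_nopad(raw: bytes) -> str:
    """base64url without padding, as the 'dns' query parameter requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_qname(msg: bytes) -> tuple[str, int]:
    """Return (qname, qtype) from the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected label pointer")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_queries_from_log(lines):
    """Return (client, resolver_host, qname, qtype) for each GET /dns-query hit.

    Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        if not url.path.endswith("/dns-query"):
            continue
        param = parse_qs(url.query).get("dns")
        if not param:
            continue
        raw = param[0]
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        qname, qtype = parse_qname(msg)
        hits.append((parts[1], url.hostname, qname, qtype))
    return hits


# Constructed sample log; the second line carries a lookup of the C2 domain
# reported in the article (written here undefanged so it parses).
SAMPLE_LOG = [
    "2024-10-02T11:03:17Z 10.20.30.40 GET https://www.example.com/index.html 200",
    "2024-10-02T11:03:19Z 10.20.30.40 GET https://doh.example.net/dns-query?dns="
    + b64url_nopad(build_query("downloads.trendav.vip")) + " 200",
    "2024-10-02T11:03:20Z 10.20.30.41 GET https://doh.example.net/dns-query?dns="
    + b64url_nopad(build_query("update.example.org", 16)) + " 200",  # TXT
]

if __name__ == "__main__":
    for client, host, qname, qtype in doh_queries_from_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {qname} (type {qtype})")
```

Only the GET form can be decoded from the URL alone; the POST form carries the DNS message in the request body with Content-Type `application/dns-message`, so recovering it needs body capture or TLS inspection. Hits from processes that are not browsers, or to resolvers the organization has not sanctioned, are the ones worth chasing.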
PurpleHaze encompasses activity from September to October 2024, including:
- The GOREshell backdoor deployed via DLL hijacking using a VMware-signed binary
- SSH tunneling over WebSockets to C2 domains such as downloads.trendav[.]vip
- Linux variants of GOREshell disguised as system daemons like snapd and update-notifier
The GOREshell backdoor is implemented in the Go programming language, obfuscated using Garble, and contains embedded SSH keys for encrypted C2 communications.
In one case, threat actors deployed a log removal tool (mcl) derived from the clear13 tool developed by The Hacker’s Choice (THC), illustrating the reuse of old but effective offensive tools in nation-state campaigns.
In addition to active intrusions, SentinelLABS observed probing attempts against its own infrastructure, originating from spoofed domains like sentinelxdr[.]us and secmailbox[.]us, registered alongside malicious C2 infrastructure.
These domains shared hosting with other confirmed attacker infrastructure, and their registration records were updated in lockstep with it, which points to coordinated management:
“Domain registration data for sentinelxdr[.]us was updated on 25 September 2024, the same date and time as updates to trendav[.]vip—demonstrating synchronized infrastructure activity.”
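Overlaps of this kind (shared resolution IPs, registrar records updated at the same moment) are how analysts pivot from one known-bad domain to the rest of an actor's infrastructure. The Python below is an added example, not code from the SentinelLABS report or this article: it links domains on both signals and lets the analyst require more than one signal before accepting a link. The domain names are the ones reported above; the IP addresses and exact timestamps are constructed placeholders, since the page does not publish passive-DNS or WHOIS data.

```python
"""Cluster domains by shared hosting and synchronized registrar updates.

Added example; IPs and timestamps below are constructed, not from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed records: (domain, set of resolved IPs, WHOIS 'updated' time, UTC).
# sentinelxdr.us and trendav.vip get the same update time, as the article reports;
# unrelated.example is a decoy that matches on time alone, not on hosting.
RECORDS = [
    ("sentinelxdr.us", {"203.0.113.10"}, datetime(2024, 9, 25, 14, 7, 33)),
    ("secmailbox.us", {"203.0.113.10"}, datetime(2024, 9, 25, 14, 7, 33)),
    ("trendav.vip", {"203.0.113.10", "203.0.113.11"}, datetime(2024, 9, 25, 14, 7, 33)),
    ("unrelated.example", {"198.51.100.5"}, datetime(2024, 9, 25, 14, 7, 34)),
    ("other.example", {"198.51.100.77"}, datetime(2023, 1, 1, 0, 0, 0)),
]


def link_reasons(a, b, window):
    """Return the list of independent signals linking two domain records."""
    reasons = []
    shared = a[1] & b[1]
    if shared:
        reasons.append("shared_ip:" + ",".join(sorted(shared)))
    if abs(a[2] - b[2]) <= window:
        reasons.append("update_within_%ds" % window.total_seconds())
    return reasons


def cluster(records, window=timedelta(seconds=5), min_reasons=1):
    """Union-find over pairwise links; return (clusters, edges-with-reasons).

    min_reasons=1 links on any single signal; min_reasons=2 demands both,
    which drops domains that merely share a bulk registrar update time.
    """
    parent = {r[0]: r[0] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    edges = {}
    for a, b in combinations(records, 2):
        reasons = link_reasons(a, b, window)
        if len(reasons) >= min_reasons:
            edges[(a[0], b[0])] = reasons
            parent[find(a[0])] = find(b[0])

    groups = defaultdict(set)
    for r in records:
        groups[find(r[0])].add(r[0])
    clusters = sorted(
        (sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0]
    )
    return clusters, edges


if __name__ == "__main__":
    for n in (1, 2):
        clusters, edges = cluster(RECORDS, min_reasons=n)
        print(f"min_reasons={n}: {clusters}")
        for pair, why in edges.items():
            print("  ", pair, why)
```

With a single signal the decoy domain is pulled in purely because its record was touched a second later; requiring both hosting and timing leaves only the three names the article ties together. Registrar update timestamps alone are a weak signal, since registrars bulk-update records and actors can stagger changes, so they are best used to confirm a hosting or certificate overlap rather than to create links on their own.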
A September 2024 breach at a European media outlet revealed overlaps with the South Asian operation, including use of:
- GOREshell
- A revived version of the long-abandoned dsniff toolkit
- Web shells granting remote sudo command execution
Initial access was achieved by chaining CVE-2024-8963 (a path traversal) and CVE-2024-8190 (an OS command injection) in Ivanti Cloud Services Appliance, just days before the vulnerabilities were publicly disclosed.
The report concludes with a cautious but confident attribution:
“We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors… overlapping with suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174.”
These operations demonstrate how China-linked actors are evolving beyond traditional targets, increasingly focusing on supply chain infiltration, cyber vendor reconnaissance, and strategic intelligence gathering.