SentinelOne has disclosed an ongoing cyberespionage campaign by a China-linked advanced persistent threat (APT) cluster it tracks as PurpleHaze. According to SentinelLABS' analysis, the actor attempted to map SentinelOne's internet-facing infrastructure and to learn about its operations and customers, the kind of targeted reconnaissance that typically precedes a follow-on intrusion.
The campaign, tracked throughout 2024 and into early 2025, appears to be one piece of a broader, coordinated effort by Chinese state-affiliated actors. Using tools such as the GoReShell backdoor and the ShadowPad malware platform, PurpleHaze operated with a high degree of stealth. The activity was not isolated: it was part of a chain of intrusions against government and commercial organizations in South Asia and elsewhere. SentinelOne's findings tie PurpleHaze's tooling and infrastructure to APT15, and ShadowPad itself is the backdoor long associated with APT41, both groups with a global track record of cyberespionage and malware deployment.
Targeted Cyber Reconnaissance Campaign: Timeline and Key Findings
- In 2024, SentinelOne became a target of reconnaissance operations by the PurpleHaze APT group, which sought insights into its systems and client relationships.
- SentinelLABS first identified the group's activity while investigating an intrusion into an organization that had previously handled hardware logistics for SentinelOne employees.
- PurpleHaze used an advanced Operational Relay Box (ORB) network for command-and-control, enhancing anonymity and complicating detection.
- The threat actor deployed GoReShell, a backdoor written in Go and derived from the open-source reverse_ssh project, which gives the operator SSH-based remote access over an outbound connection from the victim.
- SentinelOne drew direct links between PurpleHaze and APT15, also known as Nylon Typhoon, Ke3chang, and Mirage, all of which are Chinese-affiliated espionage units.
- This APT group exploited legitimate supply chain relationships, signaling risks that go beyond technical vulnerabilities into the realm of third-party trust.
- In parallel, SentinelOne detected similar tactics and tools used against a South Asian IT services organization supporting government clients — suggesting broader regional targeting.
- In June 2024, SentinelLABS observed ShadowPad activity at a South Asian government entity. ShadowPad is a modular, stealthy backdoor platform also tied to the Chinese-linked APT41.
- Between July 2024 and March 2025, ShadowPad was detected at more than 70 organizations worldwide, with initial access in those intrusions coming through the exploitation of Check Point gateway devices.
- The ShadowPad samples were protected with the ScatterBrain obfuscator, which rewrites control flow and hides strings and imports, frustrating signature-based detection and slowing manual analysis.
- SentinelOne confirmed there was no breach within its systems, but it underscored the escalating supply chain risk from well-funded adversaries.
- The firm also revealed North Korea-linked actors had tried to infiltrate its workforce, submitting over 1,000 job applications under approximately 360 fake identities.
- These operations mimic legitimate job-seeking behavior and exploit public-facing recruitment channels to gain insider access to security firms.
- Beyond state-sponsored actors, financially motivated cybercriminal groups like Black Basta are also increasingly targeting enterprise cybersecurity platforms.
- These attackers test their malware across different security platforms, probing for weaknesses and aiming to disable protections before launching ransomware attacks.
- The report emphasizes that attackers now treat security vendors themselves as high-value targets — not just their clients.
What Undercode Says:
The SentinelOne disclosure shows how the playbook of modern cyberespionage is evolving. PurpleHaze marks a shift in threat actor behavior: rather than only stealing data or deploying ransomware, the actor probed a company that builds defensive tooling, presumably to understand how that tooling works and who relies on it.
PurpleHaze's tradecraft, including the use of GoReShell and of ORB networks for command-and-control, points to a well-resourced operation. Writing GoReShell in Go, a language prized for portability and static, self-contained binaries, makes it easy to build for several operating systems from one code base. Basing it on reverse_ssh shows how open-source tooling is folded into state-grade espionage operations: the actor inherits a tested SSH transport and only has to customize and rebuild it, at the cost of leaving recognizable traces of the upstream project in the binary.
The overlaps with APT15 and APT41 point to backing from the Chinese state. Both groups have a long history of sophisticated campaigns: APT15 against diplomatic and defense targets, and APT41 blending espionage with financially motivated cybercrime. The use of ShadowPad matches earlier patterns in attacks on telecommunications, financial services, and critical infrastructure. ShadowPad, first associated with the Winnti umbrella, has become a shared platform among several Chinese threat actors, which complicates attribution while widening the reach of each operator.
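Because GoReShell is built on the open-source reverse_ssh project, its compiled binary still carries the Go import paths of the packages it was built from, and those strings survive symbol stripping. The script below is an added example, not code from SentinelOne, from the PurpleHaze report, or from the reverse_ssh project: it extracts Go import paths from a binary blob and matches them against a small watchlist. The sample blobs are constructed inline to stand in for a stripped backdoor and a benign Go program; the watchlist entry uses the upstream repository path github.com/NHAS/reverse_ssh; and the Go-marker checks are heuristics, not a definitive Go detector.

```python
"""Hunt for open-source backdoor frameworks (e.g. reverse_ssh, the upstream of
GoReShell) by the Go import paths they leave in compiled binaries.

Added example for this article; not SentinelOne's or reverse_ssh's own code.
"""
import re

# Go embeds the full import path of every compiled package in the binary
# (type metadata and the pclntab), so they remain visible after stripping.
GO_PATH_RE = re.compile(
    rb"(?:github\.com|gitlab\.com|golang\.org)/[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+"
)

# Watchlist of offensive open-source Go tooling. Only reverse_ssh is drawn from
# the article; a real deployment would maintain a much longer list.
WATCHLIST = {
    "github.com/NHAS/reverse_ssh": "reverse_ssh (GoReShell upstream)",
}


def extract_go_paths(data: bytes) -> set[str]:
    """Return every Go-style import path found in the blob."""
    return {m.decode("ascii", "replace") for m in GO_PATH_RE.findall(data)}


def is_go_binary(data: bytes) -> bool:
    """Heuristic: the Go buildinfo magic (Go 1.13+) or a runtime symbol name."""
    return b"\xff Go buildinf:" in data or b"runtime.main" in data


def classify(data: bytes) -> dict:
    """Summarise a blob: is it Go, which paths it imports, and which hit the watchlist."""
    paths = extract_go_paths(data)
    hits: dict[str, list[str]] = {}
    for path in sorted(paths):
        for prefix, label in WATCHLIST.items():
            # Match the module itself and any package beneath it.
            if path == prefix or path.startswith(prefix + "/"):
                hits.setdefault(label, []).append(path)
    return {"go": is_go_binary(data), "paths": sorted(paths), "hits": hits}


# Constructed samples (not real malware): just the strings a stripped Go
# binary would still contain, padded with ELF-looking bytes.
SAMPLE_BACKDOOR = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"\xff Go buildinf:\x08\x02\x00"
    + b"github.com/NHAS/reverse_ssh/internal/client\x00"
    + b"github.com/NHAS/reverse_ssh/internal/client/handlers\x00"
    + b"golang.org/x/crypto/ssh\x00"
    + b"runtime.main\x00"
)
SAMPLE_BENIGN = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"\xff Go buildinf:\x08\x02\x00"
    + b"github.com/spf13/cobra\x00"
    + b"runtime.main\x00"
)

if __name__ == "__main__":
    for name, blob in (("backdoor", SAMPLE_BACKDOOR), ("benign", SAMPLE_BENIGN)):
        result = classify(blob)
        print(f"{name}: go={result['go']} hits={result['hits']}")
```

In practice the same pass should be run over the `go version -m` output or a `strings` dump of every unknown Go executable found on endpoints; a hit on a watchlisted path is a strong lead, but an absence proves nothing, since an actor can rename the module path before rebuilding.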
From an enterprise cybersecurity perspective, this case illustrates several critical insights:
1. Defense is not just about technology:
- Insider threats are evolving. The North Korean operation involving fake job applications highlights a highly creative attack vector: weaponizing HR pipelines.
- The attacker ecosystem is collaborative, not siloed. State and non-state actors use overlapping infrastructure, malware, and even techniques — a worrying convergence.
- Cyber threat intelligence (CTI) is no longer a luxury but a foundational layer of enterprise defense. Correlating signals over time, shared infrastructure, shared tooling, and overlapping victims, is what allowed SentinelOne to detect, analyze, and link several intrusions to the same adversary set.
- Ransomware and espionage are blending. With some ShadowPad intrusions now followed by ransomware deployment, the line between financial motivation and geopolitical objectives continues to blur.
- Supply chain risk is not theoretical — it’s current, active, and evolving. Vendors must proactively assess every link in their operational and personnel chain.
- Open-source tools are becoming double-edged swords. While indispensable to defenders, these tools are increasingly recompiled, modified, and obfuscated for offensive purposes.
- Security vendors are prime targets, both for the tools they provide and the insights they possess. Organizations must secure not just their products, but their people and processes.
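Two of the points above, the fake-persona job applications and the correlation of intrusions into one adversary set, reduce to the same analytic task: find records that are linked through any shared attribute, then look at the size of the resulting groups. The script below is an added example, not code from SentinelOne or from the report: it clusters records with a union-find over shared attribute values and runs that once over constructed job-application records (shared phone number, resume hash, or source IP) and once over constructed intrusion records (shared C2 node or tool). All identifiers, IPs, hashes, and names are made up for the example; the tool names GoReShell and ShadowPad are the only values taken from the article.

```python
"""Cluster records that share identifying attributes (union-find), applied to
fake-persona job applications and to intrusion correlation.

Added example for this article; not SentinelOne's code, data, or method.
"""
from collections import defaultdict


def cluster_by_shared_attributes(records, keys):
    """Group records into clusters linked by an identical value of any key in `keys`.

    Links are transitive: A~B on phone and B~C on resume hash puts A, B, C together.
    Returns a list of clusters (lists of record ids), largest first.
    """
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    seen = {}  # (key, normalised value) -> first record id carrying it
    for r in records:
        for k in keys:
            v = r.get(k)
            if not v:
                continue  # missing attributes must not link records
            tag = (k, str(v).strip().lower())
            if tag in seen:
                union(seen[tag], r["id"])
            else:
                seen[tag] = r["id"]

    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    return sorted(groups.values(), key=len, reverse=True)


def suspicious_clusters(records, keys, min_size=3):
    """Clusters large enough to warrant review (threshold is an assumption)."""
    return [c for c in cluster_by_shared_attributes(records, keys) if len(c) >= min_size]


# Constructed job applications: five "different" applicants, four of them
# chained together by a reused phone number, resume hash, and submitting IP.
APPLICATIONS = [
    {"id": "A1", "email": "alice.p@example.com", "phone": "+1-555-0101", "resume_sha256": "h1", "src_ip": "203.0.113.5"},
    {"id": "A2", "email": "bkim@example.com",    "phone": "+1-555-0199", "resume_sha256": "h2", "src_ip": "203.0.113.5"},
    {"id": "A3", "email": "carol.l@example.com", "phone": "+1-555-0199", "resume_sha256": "h3", "src_ip": "198.51.100.7"},
    {"id": "A4", "email": "dan.cho@example.com", "phone": "+1-555-0404", "resume_sha256": "h3", "src_ip": "198.51.100.9"},
    {"id": "A5", "email": "eve@example.com",     "phone": "+1-555-0505", "resume_sha256": "h5", "src_ip": "192.0.2.44"},
]
APPLICATION_KEYS = ("phone", "resume_sha256", "src_ip")

# Constructed intrusion records: C2 node labels are hypothetical; only the
# tool names come from the article.
INTRUSIONS = [
    {"id": "I1", "victim": "hardware logistics provider", "c2": "orb-node-1", "tool": "GoReShell"},
    {"id": "I2", "victim": "IT services firm",            "c2": "orb-node-2", "tool": "GoReShell"},
    {"id": "I3", "victim": "government entity",           "c2": "orb-node-2", "tool": "ShadowPad"},
    {"id": "I4", "victim": "unrelated victim",            "c2": "other-c2",   "tool": "tool-x"},
]
INTRUSION_KEYS = ("c2", "tool")

if __name__ == "__main__":
    print("persona clusters:", suspicious_clusters(APPLICATIONS, APPLICATION_KEYS))
    print("intrusion clusters:", cluster_by_shared_attributes(INTRUSIONS, INTRUSION_KEYS))
```

Because links are transitive, one weak attribute can glue unrelated records together: a shared source IP may be a corporate NAT, and a shared commodity tool may be used by many actors. Treat high-confidence keys (resume hash, phone, dedicated C2 infrastructure) as primary and the weaker ones as supporting evidence, and always review the merged cluster rather than acting on membership alone.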
This case isn’t an anomaly — it’s a warning. Cyber adversaries have stepped up their game, and vendors must be prepared to face not just attacks on their clients, but infiltration attempts against themselves.
Fact Checker Results:
- SentinelOne confirmed it was not breached but targeted for reconnaissance by PurpleHaze.
- PurpleHaze used GoReShell and ShadowPad — both widely associated with China-linked APT groups like APT15 and APT41.
- North Korea-linked fake job applications were indeed submitted to SentinelOne, including attempts to infiltrate SentinelLabs itself.
References:
Reported By: securityaffairs.com