PurpleHaze Cyber Espionage Campaign: A Deep Dive into China-Linked Threat Activity

In April 2025, SentinelOne, a leading cybersecurity firm, sounded the alarm over a China-linked cyber espionage group known as PurpleHaze. This group had been conducting reconnaissance on the company’s infrastructure and high-value clients, indicating that the threat actors were likely preparing for a more significant attack. The group’s activities first came to light following intrusions into a former hardware logistics provider for SentinelOne employees, and further investigation revealed a series of other high-profile cyberattacks.

This article will explore the nature of the PurpleHaze group’s activities, the scope of their cyber espionage operations, and the insights provided by SentinelOne’s latest research on the campaign. We will also examine the broader context of China-linked cyber threats, and what experts like SentinelOne are doing to counter such persistent threats.

Original

Between 2024 and 2025, cybersecurity firm SentinelOne uncovered a significant wave of attacks attributed to PurpleHaze, a cyber espionage group believed to have links to Chinese state-sponsored actors. SentinelOne first detected the group in 2024, when they breached the infrastructure of a former logistics provider for the company. Over several months, PurpleHaze targeted multiple high-value entities across a range of sectors including government, media, finance, and manufacturing.

Their methods were sophisticated, involving tools such as a Windows backdoor called GoReShell, which was based on the open-source reverse_ssh tool. The group also used dynamic infrastructure such as Operational Relay Box (ORB) networks to obscure its tracks, making it more challenging to attribute the attacks. SentinelOne observed PurpleHaze’s infiltration of a South Asian government IT agency and a European media group, among other targets.

The group’s tactics bear strong resemblance to those of APT15 (also known as Nylon Typhoon, Ke3chang, and Playful Dragon), a China-linked cyber espionage group that has been active for several years. Over a nine-month period (July 2024 – March 2025), PurpleHaze hit more than 70 organizations worldwide. These included telecom companies, research institutions, and a logistics firm servicing SentinelOne. The attacks were part of a broader cyber espionage campaign with strategic reconnaissance on high-profile targets, including SentinelOne itself.

Further analysis revealed that some attacks involved the use of ShadowPad backdoors and obfuscated Go-based malware, showing the group’s capability and persistence. SentinelOne’s report also highlighted a troubling trend in China-linked cyberattacks, which increasingly target cybersecurity firms tasked with protecting sensitive digital infrastructure. This points to the high priority placed on infiltrating organizations responsible for defending against cyber threats.

What Undercode Says:

The revelations around PurpleHaze’s operations provide a chilling glimpse into the scale and sophistication of state-sponsored cyber espionage campaigns. What stands out in this case is the group’s focus on infiltrating cybersecurity companies, a growing trend in the landscape of cyber warfare. By targeting entities that are responsible for defending critical infrastructure, threat actors like PurpleHaze aim to gain insights into the very security measures intended to thwart them.

The use of GoReShell, a custom backdoor malware, is also noteworthy. The fact that it was based on reverse_ssh, an open-source tool, demonstrates the group’s ability to innovate and adapt common tools to suit their needs. This is in line with broader Chinese APT patterns, which often include the use of modified, off-the-shelf malware to evade detection.
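One defensive angle on the reverse_ssh lineage noted above: because such an implant dials out to the operator and holds the SSH session open, defenders can hunt for long-lived outbound SSH from hosts that have no business initiating it. The following is an added example (not SentinelOne's or the reverse_ssh project's code); the Zeek-style log rows, subnets and duration threshold are constructed assumptions.

```python
"""Hunt for reverse-SSH style backdoor traffic (added example, not SentinelOne's
or the reverse_ssh project's code). A reverse_ssh-based implant dials OUT to the
operator's relay and keeps the SSH session open for tunnelling back in; where
workstations never SSH to the internet, a long-lived outbound SSH session from a
workstation to an external address is a cheap, high-signal hunt. Log format,
subnets and thresholds are assumptions for the example."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate range
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed user VLAN
LONG_SESSION_SECS = 3600                                 # assumed threshold

# Constructed Zeek-style conn.log rows: ts, id.orig_h, id.resp_h, id.resp_p, service, duration
SAMPLE_CONN_LOG = """\
1720000000.1\t10.20.4.17\t203.0.113.45\t22\tssh\t5400.2
1720000001.5\t10.20.4.17\t10.0.0.5\t443\tssl\t3.1
1720000002.0\t10.30.1.9\t198.51.100.7\t22\tssh\t7200.0
1720000003.2\t10.20.8.33\t192.0.2.10\t443\tssh\t9100.7
1720000004.9\t10.20.8.33\t10.0.0.9\t22\tssh\t120.0
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    rows = []
    for line in text.splitlines():
        ts, orig, resp, port, service, dur = line.split("\t")
        rows.append({"ts": float(ts), "orig": orig, "resp": resp, "port": int(port),
                     "service": service, "duration": float(dur)})
    return rows

def find_reverse_ssh_candidates(rows):
    """Return {workstation_ip: [external_ip, ...]} for long-lived outbound SSH.

    Keys on Zeek's protocol detection (service == 'ssh') rather than port, so
    SSH wrapped on 443 (the 4th sample row) is still caught; the server VLAN
    (10.30/16 row) is out of scope, since servers may legitimately use SSH.
    """
    hits = defaultdict(list)
    for r in rows:
        if r["service"] != "ssh" or r["duration"] < LONG_SESSION_SECS:
            continue
        if ipaddress.ip_address(r["orig"]) not in WORKSTATION_NET or is_internal(r["resp"]):
            continue
        hits[r["orig"]].append(r["resp"])
    return dict(hits)
```

Tune the workstation range and threshold to the environment; the point is the behavioural shape (outbound, persistent, SSH-over-any-port from user hosts), not a specific indicator.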

Another key point is the utilization of ORB networks. These dynamic, decentralized systems provide a level of obfuscation that makes it harder for investigators to trace the origins of an attack. This tactic, paired with the widespread use of ShadowPad backdoors, indicates a high level of coordination between multiple China-linked cyber threat groups, complicating attribution and response efforts.

The fact that more than 70 global organizations were impacted, spanning various sectors, underlines the versatility and reach of the PurpleHaze group. It’s clear that their operations are far-reaching, with a focus not only on government entities and media organizations but also on critical industries like finance and telecom.

Given the mounting evidence of this activity,

Fact Checker Results ✅

China-linked Cyber Espionage: SentinelOne’s findings strongly correlate with known patterns of Chinese cyber espionage groups, such as APT15. The use of customized malware and dynamic ORB networks is consistent with previously documented tactics by Chinese state actors.

Multiple High-Profile Victims: The report identifies over 70 organizations across various sectors as victims of PurpleHaze, with confirmed intrusions into government, media, and private industry sectors, verifying the scale of the attacks.

Use of Advanced Malware: The deployment of tools like GoReShell, ShadowPad, and NailaoLocker aligns with the attack strategies of Chinese APT groups, supporting the attribution to a China-linked threat actor.

Prediction 🔮

Looking ahead, the frequency and sophistication of cyberattacks like those conducted by PurpleHaze are likely to increase. With more actors engaging in state-sponsored cyber espionage, there will be heightened risks for organizations that manage sensitive data or infrastructure. We can expect further developments in Chinese cyber strategies, especially with the increasing use of evasion techniques like reverse-SSH tunnelling and distributed relay networks, which offer unprecedented stealth.

As global cybersecurity firms intensify their efforts to defend against such threats, there will be an even greater emphasis on threat intelligence sharing and collaborative defense strategies. However, the scale and persistence of groups like PurpleHaze indicate that organizations must stay vigilant and be prepared for increasingly complex and multi-faceted attacks in the future.

References:

Reported By: securityaffairs.com