China-linked PurpleHaze hackers target SentinelOne’s infrastructure

Cybersecurity firm SentinelOne has discovered reconnaissance activity orchestrated by a suspected China-aligned threat group dubbed PurpleHaze, which targeted the company’s infrastructure and some of its high-value customers.

The group came onto the radar following a 2024 cyber intrusion at a third-party logistics provider formerly contracted to support SentinelOne employees. According to SentinelOne researchers, PurpleHaze exhibits operational links to APT15, also known as Nickel, Royal APT, and Vixen Panda.

In its latest campaign, the group also targeted an unnamed South Asian government-affiliated entity in October 2024, deploying a Windows backdoor named GoReShell. The implant, developed in Go and leveraging the open-source reverse_ssh tool, facilitated reverse SSH connections to attacker-controlled systems via a decentralized Operational Relay Box (ORB) network, a tactic increasingly used to complicate attribution and detection.

Further investigation revealed that the same South Asian target had previously been attacked in June 2024 using ShadowPad, a modular backdoor frequently employed by Chinese espionage actors and considered the successor to PlugX. The ShadowPad variant used in the June attack was obfuscated with ScatterBrain and was part of a broader campaign affecting over 70 organizations across multiple sectors.

While the full extent of the overlap between the June and October campaigns remains unclear, SentinelOne believes the operations may be linked to the same actor. The firm said that it found no evidence of any secondary compromise following the third-party breach.
