China-linked PurpleHaze hackers target SentinelOne's infrastructure

Cybersecurity firm SentinelOne has discovered reconnaissance activity orchestrated by a suspected China-aligned threat group dubbed PurpleHaze, which targeted the company’s infrastructure and some of its high-value customers.

The group first came to SentinelOne's attention following a 2024 intrusion at a third-party logistics provider formerly contracted to support SentinelOne employees. According to SentinelOne researchers, PurpleHaze exhibits operational links to APT15, also known as Nickel, Royal APT, and Vixen Panda.

In its latest campaign, the group also targeted an unnamed South Asian government-affiliated entity in October 2024, deploying a Windows backdoor named GoReShell. The implant, written in Go and built on the open-source reverse_ssh tool, established reverse SSH connections to attacker-controlled systems through a decentralized Operational Relay Box (ORB) network, a tactic increasingly used to complicate attribution and detection.

Further investigation revealed that the same South Asian target had previously been attacked in June 2024 using ShadowPad, a modular backdoor frequently employed by Chinese espionage actors and considered the successor to PlugX. The ShadowPad variant used in the June attack was obfuscated with ScatterBrain and was part of a broader campaign affecting over 70 organizations across multiple sectors.

While the full extent of the overlap between the June and October campaigns remains unclear, SentinelOne believes the operations may be linked to the same actor. The firm said it found no evidence that its own environment was compromised as a result of the third-party breach.

