Cybersecurity firm SentinelOne revealed that the espionage activity it was the target of was part of a broader campaign aimed at several targets between July 2024 and March 2025. The operation targeted more than 70 organizations across a wide range of sectors, including manufacturing, government, finance, telecommunications, research, IT services and logistics.
The campaign is believed to be the work of China-linked state-backed threat actors, with some of the attacks linked to a threat cluster known as ‘PurpleHaze.’ The researchers noticed overlaps between PurpleHaze and Chinese cyber espionage groups tracked as APT15 and UNC5174.
PurpleHaze reconnaissance activity targeting some of SentinelOne’s servers was spotted in late April of 2024. The threat actor's activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions.
Digging deeper, the researchers uncovered partially related intrusions and clusters of activity typical for Chinese-nexus operations:
- Activity A: June 2024 intrusion into a South Asian government entity
- Activity B: A set of intrusions impacting organizations worldwide occurring between July 2024 and March 2025
- Activity C: Intrusion into an IT services and logistics company at the beginning of 2025
- Activity D: October 2024 intrusion into the same government entity compromised in June 2024
- Activity E: October 2024 reconnaissance activity targeting SentinelOne
- Activity F: September 2024 intrusion into a leading European media organization, attributed to a China-linked threat actor connected with an initial access broker tracked as UNC5174 (aka Uteus or Uetus)
In the June 2024 attack against the government entity, the attackers deployed the ShadowPad backdoor obfuscated using ScatterBrain. The ShadowPad artifacts and infrastructure overlap with recent ShadowPad campaigns that have deployed the NailaoLocker ransomware after the exploitation of Check Point gateway devices.
In October 2024, the intruders deployed a Go-based reverse shell dubbed GOREshell that uses SSH to connect to an infected host. The same backdoor, SentinelOne noted, has been linked to a September 2024 attack aimed at a European media organization.
The researchers have also noted the overlap between September 2024 and October 2024 attacks targeting the European media organization and the South Asian government entity, respectively, which involved the GOREshell backdoor and publicly available tools developed by The Hacker’s Choice (THC).
The two clusters are the first instances in which the THC tooling was used in the context of APT activities.
The threat actor leveraged ORB network infrastructure, operated from China, and exploited two Ivanti flaws (CVE-2024-8963 and CVE-2024-8190) to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed. The intrusion method suggests the involvement of UNC5174, which is believed to be a contractor for China’s Ministry of State Security (MSS) mainly focusing on gaining access and specializing in exploiting vulnerabilities in targeted systems. After compromising the systems, UNC5174 is suspected of transferring access to other threat actors.