Introduction
In October 2024 [1] [2] [3] [4] [6] [7] [8] [10] [11], SentinelOne reported a sophisticated cyber operation named “PurpleHaze,” linked to APT15 and UNC5174 [7], suspected initial access brokers for China’s Ministry of State Security [2]. This operation was part of a broader campaign targeting over 70 organizations globally across various sectors. Despite the attackers’ persistent attempts, SentinelOne’s systems remained secure due to effective monitoring and rapid response [2].
Description
In October 2024 [1] [2] [3] [4] [6] [7] [8] [10] [11], SentinelOne reported on a sophisticated cyber operation named “PurpleHaze,” linked to APT15 (also known as Ke3Chang [7], Nylon Typhoon [7] [8] [10], Mirage [10], Vixen Panda [9] [10], Royal APT [10], and Playful Dragon) and UNC5174, suspected initial access brokers for China’s Ministry of State Security [2]. This operation was part of a broader campaign targeting over 70 organizations globally across various sectors, including government [1] [2] [8] [9], media [1] [2] [6] [8] [9] [10], manufacturing [1] [2] [6] [10], finance [1] [2] [6] [8] [10], telecommunications [2] [6] [8] [11], and research [1] [5] [10]. Notably, one of the targets was an IT logistics firm responsible for managing hardware logistics for SentinelOne employees. The attackers conducted extensive reconnaissance on multiple internet-facing SentinelOne servers, probing over port 443, while simultaneously surveilling the IT vendor. Despite the attackers’ persistent attempts, SentinelOne’s systems remained secure due to effective monitoring and rapid response [2].
The PurpleHaze activity [1] [2] [4] [8], which spanned from July 2024 to March 2025 [1] [9], involved the deployment of the GOREshell backdoor [4], a variant of the open-source reverse_ssh tool [2] [10], through DLL hijacking using a VMware-signed binary [4]. The attackers also utilized SSH tunneling over WebSockets to obfuscate command and control (C2) domains [4]. The infrastructure employed in these operations included multiple C2 domains associated with global intrusions, with suspicious connections traced to virtual private servers designed to mimic legitimate telecommunications infrastructure [11], including domains like tatacom.duckdns.org [11]. This reconnaissance revealed significant overlaps in infrastructure management and domain practices with earlier intrusions at a South Asian government IT agency [8], suggesting involvement by the same threat actor or a third-party entity managing infrastructure for multiple groups—a common tactic among Chinese cyber-espionage actors [8].
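A defender-side detection example, added here and not taken from SentinelOne or any of the cited reports: it scans proxy-log lines for the two infrastructure traits described above, a dynamic-DNS C2 host whose label imitates a telecom brand (the tatacom.duckdns.org pattern) and an HTTP upgrade to WebSocket on port 443, the transport used to wrap SSH. The log format, the watchlists, and the sample lines are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed watchlists for this example; extend them from your own intel.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
TELECOM_KEYWORDS = ("tatacom", "telecom", "telco", "mobile", "cellular")

# Constructed proxy-log format (hypothetical, not a real vendor format):
# <ts> src=<ip> dst=<ip>:<port> host=<sni-or-host-header> upgrade=<value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"host=(?P<host>\S+) upgrade=(?P<upgrade>\S*)$"
)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower()
    reasons: List[str] = []
    # Dynamic-DNS host whose leftmost label imitates a telecom brand.
    label = host.split(".")[0]
    if host.endswith(DYNDNS_SUFFIXES) and any(k in label for k in TELECOM_KEYWORDS):
        reasons.append("dyndns_telecom_lookalike")
    # HTTP Upgrade to WebSocket on 443: consistent with SSH-over-WebSocket C2.
    if m["upgrade"].lower() == "websocket" and m["port"] == "443":
        reasons.append("websocket_upgrade_443")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"ts": m["ts"], "src": m["src"], "host": host,
            "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (documentation IP ranges, invented hosts).
SAMPLE_LOG = [
    "2024-10-02T14:03:11Z src=10.0.5.21 dst=203.0.113.7:443 host=tatacom.duckdns.org upgrade=websocket",
    "2024-10-02T14:05:40Z src=10.0.5.22 dst=198.51.100.9:443 host=cdn.example.com upgrade=",
    "2024-10-02T14:06:02Z src=10.0.5.23 dst=203.0.113.8:443 host=myhome.duckdns.org upgrade=",
    "2024-10-02T14:07:15Z src=10.0.5.24 dst=198.51.100.3:443 host=chat.example.net upgrade=websocket",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A WebSocket upgrade alone is common for legitimate chat and streaming services, so only the combined match is rated high; the single-trait hits are meant for correlation with other telemetry rather than standalone alerting.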
APT15 is a suspected Chinese cyber-espionage actor known for targeting critical infrastructure globally [7], while UNC5174 functions as an initial access broker for the Chinese government [7]. The group associated with UNC5174 has been implicated in exploiting vulnerabilities in systems like SAP NetWeaver to deploy GOREVERSE [5], a variant of GOREshell [2] [4] [5]. The attack on the South Asian government entity involved previously unknown variants of the ShadowPad malware platform, historically linked to Chinese cyber-espionage [11]. This marked the first instance of THC (The Hacker’s Choice) tooling being used in APT activities [8], with high-confidence attribution to a China-nexus actor [8]. ShadowPad malware samples were obfuscated using ScatterBrain variants [1], further complicating detection efforts.
The attackers exploited chained Ivanti zero-day vulnerabilities CVE-2024-8963 and CVE-2024-8190 for initial access [7], demonstrating their advanced capabilities by gaining access days before public disclosure [2]. SentinelOne noted that the infrastructure used in this intrusion is part of an operational relay box (ORB) network utilized by various suspected Chinese cyber-espionage actors [7] [8], complicating the tracking and attribution of such operations [7]. The use of ORB networks is increasingly common among these threat groups [7], allowing for the rapid expansion of dynamic infrastructures [7]. The threat actors also employed open-source tools from The Hacker’s Choice community [1], such as dsniff version 2.5a1, and reused private SSH keys across various malware variants and platforms [1]. Continuous monitoring [1] [3], threat intelligence sharing [1] [2] [3] [4] [10], and proactive defense measures enabled SentinelOne to prevent compromise despite the targeted attacks [1].
Investigations into the PurpleHaze and ShadowPad clusters are ongoing, with a focus on determining the specific groups behind these activities and their potential links to earlier intrusions [8]. SentinelOne emphasizes the importance of recognizing the persistent targeting of security vendors by nation-state actors due to their critical roles in cybersecurity [6]. This incident underscores a trend where cybersecurity providers are increasingly becoming targets for nation-state attackers seeking to exploit their access and intelligence [3]. The discovery and disruption of activity clusters like PurpleHaze and ShadowPad highlight the necessity for full-spectrum threat detection [3], including behavioral analytics and supply chain validation [3]. The incident serves as a reminder that no organization is immune from nation-state cyber espionage [3], necessitating an elevated cybersecurity posture that integrates advanced detection and proactive defense strategies [3].
Conclusion
The PurpleHaze operation underscores the persistent threat posed by nation-state actors targeting critical infrastructure and cybersecurity vendors. Despite the sophisticated tactics employed, SentinelOne’s robust monitoring and rapid response measures ensured system security. This incident highlights the importance of continuous threat intelligence sharing, proactive defense strategies [1] [3], and the need for organizations to maintain an elevated cybersecurity posture. As investigations continue, the focus remains on identifying the specific groups involved and understanding their methods to better prepare for future threats.
References
[1] https://www.hendryadrian.com/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
[2] https://gbhackers.com/new-report-reveals-chinese-hackers-attempted-to-breach/
[3] https://cybertechnologyinsights.com/cybertech-staff-articles/china-nexus-cyber-espionage-targets-security-firms-sentinelone-incident-analysis-strategic-cybersecurity-roadmap/
[4] https://securityonline.info/chinese-cyberespionage-groups-probe-sentinelone-in-sophisticated-shadowpad-and-purplehaze-campaigns/
[5] https://cyberwarriorsmiddleeast.com/china-linked-cyber-espionage-group-targets-over-70-organizations-across-various-sectors/
[6] https://www.cybersecuritydive.com/news/sentinel-one-china-hackers-it-vendor-critical-infrastructure/750116/
[7] https://www.infosecurity-magazine.com/news/sentinelone-cybersecurity-vendors/
[8] https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
[9] https://hackread.com/chinese-linked-hackers-targeted-global-organizations/
[10] https://sechub.in/view/3068344
[11] https://cybersecuritynews.com/hackers-attempted-to-compromise-sentinelones-own-servers/