The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially-related intrusions into several targets between July 2024 and March 2025.
“The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors,” SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.
Some of the targeted sectors include manufacturing, government, finance, telecommunications, and research. Also present among the victims was an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time of the breach in early 2025.
The malicious activity has been attributed with high confidence to China-nexus threat actors, with some of the attacks tied to a threat cluster dubbed PurpleHaze, which, in turn, overlaps with Chinese cyber espionage groups publicly reported as APT15 and UNC5174.
In late April 2024, SentinelOne first disclosed PurpleHaze-related reconnaissance activity targeting some of its servers that were deliberately accessible over the internet by “virtue of their functionality.”
“The threat actor’s activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions,” the researchers said.
It’s currently not known if the attackers’ intent was to just target the IT logistics organization or if they planned to expand their focus to downstream organizations as well. Further investigation into the attacks has uncovered six different activity clusters (named to A to F) that date back to June 2024 with the compromise of an unnamed South Asian government entity.
The clusters are listed below –
- Activity A: An intrusion into a South Asian government entity (June 2024)
- Activity B: A set of intrusions targeting organizations globally (Between July 2024 and March 2025)
- Activity C: An intrusion into an IT services and logistics company (at the beginning of 2025)
- Activity D: An intrusion into the same South Asian government entity compromised (October 2024)
- Activity E: Reconnaissance activity targeting SentinelOne servers (October 2024)
- Activity F: An intrusion into a leading European media organization (late September 2024)
The June 2024 attack against the government entity, as previously detailed by SentinelOne, is said to have led to the deployment of ShadowPad that’s obfuscated using ScatterBrain. The ShadowPad artifacts and infrastructure overlap with recent ShadowPad campaigns that have delivered a ransomware family codenamed NailaoLocker following the exploitation of Check Point gateway devices.
Subsequently in October 2024, the same organization was targeted to drop a Go-based reverse shell dubbed GoReShell that uses SSH to connect to an infected host. The same backdoor, SentinelOne noted, has been used in connection with a September 2024 attack aimed at a leading European media organization.
Also common to these two activity clusters is the use of tools developed by a team of IT security experts who go by the name The Hacker’s Choice (THC). The development marks the first time THC’s software programs have been abused by state-sponsored actors.
SentinelOne has attributed Activity F to a China-nexus actor with loose affiliations to an “initial access broker” tracked by Google Mandiant under the name UNC5174 (aka Uteus or Uetus). It’s worth noting that the threat group was recently linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The cybersecurity company is collectively tracking Activity D, E, and F as PurpleHaze.
“The threat actor leveraged ORB [operational relay box] network infrastructure, which we assess to be operated from China, and exploited the CVE-2024-8963 vulnerability together with CVE-2024-8190 to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed,” the researchers said. “After compromising these systems, UNC5174 is suspected of transferring access to other threat actors.”
