In a significant cybersecurity revelation, SentinelOne has exposed an advanced Chinese cyber-espionage campaign orchestrated by a threat actor known as PurpleHaze. The campaign, which targeted SentinelOne’s infrastructure and its high-value clients, underscores the evolving tactics of state-aligned hacking groups.
SentinelOne Targeted by China-Linked Hacking Group PurpleHaze
According to researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter, the threat was initially detected during a 2024 cyber intrusion on a third-party vendor providing hardware logistics services to SentinelOne employees.
PurpleHaze is believed to have loose affiliations with APT15—a well-known Chinese state-sponsored hacking group also tracked as Flea, Nylon Typhoon, Playful Taurus, Royal APT, and Vixen Panda.
Expanded Cyber Campaign Against South Asian Government Entity
The group has also been linked to a targeted attack in October 2024 against a South Asian government-associated organization. In this attack, the adversaries used an operational relay box (ORB) network and a custom Windows backdoor named GoReShell, built with the Go programming language and leveraging the reverse_ssh open-source tool.
"ORB networks are gaining traction for their ability to build resilient, hard-to-track infrastructure," SentinelOne researchers noted.
Further investigation revealed that the same South Asian target had previously faced an attack in June 2024 involving ShadowPad (also known as PoisonPlug), a widely shared backdoor among Chinese espionage groups and a successor to PlugX.
The ShadowPad samples were hidden using a custom obfuscator dubbed ScatterBrain, indicating the increasing sophistication of these operations.
Likely Exploitation of CheckPoint Vulnerability
ShadowPad, obfuscated by ScatterBrain, is believed to have been used in over 70 intrusions spanning industries like:
1. Manufacturing
2. Government
3. Finance
4. Telecommunications
5. Research
These intrusions likely exploited an N-day vulnerability in CheckPoint gateway devices, though exact details remain under investigation.
SentinelOne Confirms No Internal Compromise
One of the targeted entities during this espionage campaign was the very vendor managing SentinelOne’s hardware logistics. Despite the exposure, SentinelOne confirmed that no evidence of internal breach or secondary compromise was discovered.
North Korean Hackers Also Attempted Infiltration
Adding to the threat landscape, North Korea-aligned operatives were found attempting to infiltrate SentinelOne’s workforce, especially targeting the SentinelLabs intelligence team. These attempts included over 360 fake identities and 1,000 fraudulent job applications.
Ransomware Gangs Exploit Security Testing Loopholes
SentinelOne also observed that ransomware groups are increasingly targeting enterprise security firms, including SentinelOne itself, aiming to:
1. Assess EDR software capabilities
2. Test malware against endpoint protection platforms
3. Buy or rent access via dark web markets like XSS[.]is, Exploit[.]in, and RAMP
A growing underground economy supports services like:
1. EDR Testing-as-a-Service
2. Malware fine-tuning environments
These services provide threat actors with semi-private labs in which to optimize attacks without detection.
Russian Ransomware Gang Nitrogen Uses Deceptive Tactics
One standout ransomware operation, Nitrogen, allegedly run by a Russian national, takes an unconventional approach:
1. Impersonates legitimate businesses
2. Sets up lookalike domains and spoofed infrastructure
3. Buys official EDR licenses from low-verification resellers
“This method relies on weak KYC checks and minimal interaction, allowing cybercriminals to operate under the radar,” researchers said.
Key Takeaways
1. SentinelOne was indirectly targeted in a China-linked espionage campaign led by PurpleHaze.
2. Attacks included use of advanced malware like GoReShell, ShadowPad, and ScatterBrain obfuscation.
3. The cybersecurity landscape continues to evolve, with ransomware groups mimicking businesses and nation-state hackers posing as job applicants.
Stay Informed. Stay Protected.
As cyber threats escalate globally, businesses and government entities must prioritize advanced threat intelligence, employee vetting, and robust endpoint protection to safeguard critical infrastructure.