At SentinelOne, a leading U.S.-based cybersecurity firm, sophisticated cyber-espionage campaigns attributed to Chinese state-sponsored actors have come to light.
Tracked as the PurpleHaze activity cluster, these adversaries have targeted SentinelOne’s infrastructure alongside high-value organizations associated with its business ecosystem.
Uncovering the PurpleHaze Threat Cluster
SentinelLabs, the research arm of SentinelOne, identified this threat during a 2024 intrusion against a former hardware logistics provider for the company.
The PurpleHaze cluster, linked with high confidence to APT15 (also known as Nylon Typhoon), showcases a pattern of targeting critical sectors globally, including telecommunications, IT, and government entities.

Their operations leverage an extensive Operational Relay Box (ORB) network, a dynamic infrastructure operated from China that complicates attribution, and deploy malware like GoReShell, a Go-based backdoor utilizing reverse SSH connections for persistent access.
ShadowPad Intrusions and Supply Chain Risks
Further intensifying the threat, SentinelLabs uncovered related activity involving ShadowPad, a modular backdoor platform frequently used by Chinese threat actors like APT41.
Between June 2024 and March 2025, over 70 organizations worldwide across sectors such as manufacturing, finance, and research fell victim to ScatterBrain-obfuscated ShadowPad variants, often exploiting n-day vulnerabilities in Check Point gateway devices.
Notably, in June 2024, a South Asian government entity previously targeted by PurpleHaze was hit with ShadowPad, raising questions of overlapping actors or shared access between Chinese threat groups.
This incident also impacted a logistics provider managing hardware for SentinelOne employees, underscoring the fragility of supply chain ecosystems.

While no secondary compromise of SentinelOne’s infrastructure was detected, the targeting of third-party providers highlights how nation-state actors exploit indirect pathways to reach high-value downstream targets.
Investigations suggest motives behind ShadowPad intrusions may extend beyond espionage to include ransomware deployment, possibly for financial gain, distraction, or evidence destruction.
According to the report, SentinelOne’s proactive response to these threats emphasizes the critical need for real-time supply chain monitoring and cross-functional threat intelligence sharing.
The firm advocates for integrating threat-aware metadata into asset inventories and expanding threat modeling to address upstream risks posed by well-resourced adversaries.
Their internal reviews of procurement workflows, OS images, and segmentation policies serve as a blueprint for organizations aiming to mitigate exposure through external partners.
As Chinese state-sponsored actors increasingly leverage sophisticated infrastructure like ORB networks and malware such as GoReShell and ShadowPad, the cybersecurity industry faces a growing challenge to harden not just digital perimeters but entire operational footprints.
SentinelLabs plans a detailed public release on PurpleHaze, promising deeper insights into the tactics, techniques, and procedures (TTPs) of these persistent adversaries, reinforcing the urgency of collective defense strategies in an evolving threat landscape.
Their findings serve as a stark reminder that security vendors and their clients remain prime targets for nation-state actors seeking strategic footholds through both direct and indirect attack vectors, necessitating vigilance and collaboration across all sectors.