Over 70 Organizations Across Diverse Sectors Compromised by China-Associated Cyber Espionage Threat Actor


The reconnaissance activity targeting a prominent cybersecurity firm, SentinelOne, forms part of a larger strategy of interconnected intrusions directed at multiple entities between July 2024 and March 2025.

The targeted organizations included a South Asian government agency, a reputable European media outlet, and over 70 entities spanning various industries. Key sectors involved encompass manufacturing, government, finance, telecommunications, and research. One notable victim was an IT services logistics firm, breached in early 2025, that was responsible for handling hardware logistics for SentinelOne employees.

This malicious activity has been confidently attributed to threat actors linked to China, with connections to a threat cluster referred to as PurpleHaze, which overlaps with Chinese cyber espionage groups publicly designated as APT15 and UNC5174.

In late April 2024, SentinelOne exposed reconnaissance efforts associated with the PurpleHaze group attempting to assess certain servers, intentionally made accessible on the internet for operational purposes.

Researchers indicated that the threat actor’s endeavors were primarily focused on mapping and assessing the accessibility of selected internet-facing servers, likely as a precursor to eventual malicious actions. It remains unclear whether the attackers aimed solely at the logistics organization or if they intended to extend their operations to associated downstream targets. Further investigations have revealed six distinct activity clusters, identified as Activities A through F, tracing back to June 2024, marked by the compromise of an undisclosed South Asian government entity.

  • Activity A: Intrusion into a South Asian government body (June 2024)
  • Activity B: Series of intrusions targeting global organizations (July 2024 – March 2025)
  • Activity C: Intrusion into the IT services logistics firm (early 2025)
  • Activity D: Recurrence of intrusion into the same South Asian government body (October 2024)
  • Activity E: Reconnaissance on SentinelOne servers (October 2024)
  • Activity F: Intrusion involving a major European media organization (late September 2024)

The June 2024 attack against the government entity, as previously noted by SentinelOne, led to the deployment of ShadowPad, which was obfuscated using a tool named ScatterBrain. The infrastructure and artifacts associated with ShadowPad display similarities to recent campaigns in which ShadowPad delivered a ransomware variant known as NailaoLocker, following breaches involving Check Point gateway devices.

In October 2024, the targeted organization experienced an additional breach that facilitated the installation of GoReShell, a Go-based backdoor that uses SSH to connect to infected hosts. SentinelOne also noted that this backdoor had been used in connection with a September 2024 attack directed at a leading European media organization.

Common to these activities is the use of tools developed by a group of IT security experts known as The Hacker’s Choice (THC). This incident marks the first known misuse of THC’s software by state-sponsored entities.

SentinelOne has classified Activity F as associated with a China-linked actor with loose affiliations to an “initial access broker” tracked by Google Mandiant as UNC5174 (also referred to as Uteus or Uetus). Notably, this threat group was recently connected to ongoing exploitation of SAP NetWeaver vulnerabilities to deploy GOREVERSE, a variant of GoReShell. The cybersecurity firm has collectively categorized Activities D, E, and F under the PurpleHaze designation.

“The threat actor employed ORB (operational relay box) network infrastructure, believed to be operated from China, and exploited vulnerabilities CVE-2024-8963 and CVE-2024-8190 to establish initial access, shortly before these vulnerabilities became publicly known,” the researchers noted. “Following the successful compromise of these systems, it is suspected that UNC5174 transferred access to other malicious actors.”