Full Report
This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.
Analysis Summary
# Threat Actor: PurpleHaze and ShadowPad Activity Clusters
## Attribution & Identity
Attributed with high confidence to **China-nexus threat actors**.
Loosely associated with publicly reported Chinese cyberespionage groups such as **APT15** and **UNC5174**.
The activities span multiple partially related intrusions occurring between July 2024 and March 2025.
## Activity Summary
The reporting vendor (SentinelOne) observed and countered several intrusion and reconnaissance operations targeting SentinelOne and related entities between late 2024 and Q1 2025.
Specific activities include:
* **October 2024:** Reconnaissance operation targeting SentinelOne infrastructure.
* **Early 2025:** Identified and helped disrupt an intrusion linked to a wider **ShadowPad** operation targeting an IT services and logistics organization responsible for managing SentinelOne employee hardware.
* The clusters span numerous intrusions/activities between July 2024 and March 2025, involving extensive remote reconnaissance against Internet-facing SentinelOne servers.
* The overall objective appears to be establishing strategic footholds, potentially to compromise downstream entities (cybersecurity vendors).
## Tactics, Techniques & Procedures
- Extensive remote reconnaissance of Internet-facing servers.
- Exploitation/Intrusion leveraging third-party service providers (IT logistics organization).
- Use of known malware families associated with wider operations (ShadowPad).
- Mapping and evaluating the availability of select Internet-facing servers in preparation for future actions.
## Targeting
- **Sectors:** Cybersecurity Vendors (SentinelOne itself), South Asian Government Entity, European Media Organization, and 70+ organizations across a wide range of sectors.
- **Geography:** Global, evidenced by targets including a South Asian government entity and a European media organization.
- **Victims:** SentinelOne (targeted for reconnaissance and via third-party logistics provider), a South Asian government entity, a European media organization.
## Tools & Infrastructure
- **Malware families used:** **ShadowPad** (linked to one intrusion event).
- **Infrastructure (C2, domains, IPs):**
  - C2 server: 128.199.124[.]136
  - C2 server: 142.93.212[.]42
  - Suspected PurpleHaze infrastructure: 142.93.214[.]219
  - GOREshell C2 server: 143.244.137[.]54
  - Suspected PurpleHaze infrastructure: 45.13.199[.]209
  - Exfiltration IP address: 65.38.120[.]110
  - ShadowPad C2 server: 65.38.120[.]110
  - Exfiltration URL: hxxps://45.13.199[.]209/rss/rss.php
## Implications
China-nexus actors maintain persistent interest in targeting high-value organizations, specifically **cybersecurity vendors**, due to their potential for broad access to client environments and operational disruption. The use of supply chain vectors (targeting IT logistics providers) demonstrates proactive efforts to gain initial access.
## Mitigations
- Continuous monitoring of network traffic to Internet-exposed assets for reconnaissance activities.
- Thorough investigation and scrutiny of third-party service providers, especially those handling critical hardware or logistics for internal staff (supply chain risk management).
- Hardening and close monitoring of Internet-facing infrastructure for mapping and probing activities.
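The monitoring recommended above reduces, in practice, to sweeping egress logs for the infrastructure listed under Tools & Infrastructure. The following is an added example, not code from the report or from SentinelOne: it refangs the report's defanged indicators, builds a watchlist, and checks constructed firewall/proxy log lines (the log format and the internal 10.0.4.x addresses are assumptions) for connections to those indicators. Note that 65.38.120[.]110 appears in the report both as an exfiltration address and as a ShadowPad C2 server, so a single hit on it should be treated as both.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Defanged indicators exactly as listed in the report's Tools & Infrastructure section.
DEFANGED_IOCS = {
    "128.199.124[.]136": "C2 server",
    "142.93.212[.]42": "C2 server",
    "142.93.214[.]219": "Suspected PurpleHaze infrastructure",
    "143.244.137[.]54": "GOREshell C2 server",
    "45.13.199[.]209": "Suspected PurpleHaze infrastructure",
    "65.38.120[.]110": "Exfiltration IP address / ShadowPad C2 server",
    "hxxps://45.13.199[.]209/rss/rss.php": "Exfiltration URL",
}

# Constructed sample egress log lines (assumed key=value format); not from the report.
SAMPLE_LOG = [
    "2025-01-14T09:12:33Z fw action=allow src=10.0.4.21 dst=65.38.120.110 dport=443",
    "2025-01-14T09:12:40Z proxy src=10.0.4.21 url=https://45.13.199.209/rss/rss.php status=200 bytes_out=48210",
    "2025-01-14T09:13:02Z fw action=allow src=10.0.4.22 dst=142.93.212.4 dport=443",
    "2025-01-14T09:14:10Z fw action=allow src=10.0.4.23 dst=93.184.216.34 dport=80",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") back to its literal form."""
    plain = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", plain, flags=re.IGNORECASE)


def build_watchlist(defanged: dict) -> tuple:
    """Split indicators into an IP watchlist and a URL watchlist.

    A URL's host is also added to the IP watchlist so that firewall logs
    (which see only the destination IP) still match."""
    ips, urls = {}, {}
    for ioc, label in defanged.items():
        plain = refang(ioc)
        if plain.lower().startswith(("http://", "https://")):
            urls[plain] = label
            host = urlparse(plain).hostname
            try:
                ipaddress.ip_address(host)
                ips.setdefault(host, label)  # keep the first label if already listed
            except ValueError:
                pass  # hostname rather than IP; would need DNS/proxy matching instead
        else:
            ipaddress.ip_address(plain)  # raises ValueError on a malformed indicator
            ips[plain] = label
    return ips, urls


def scan_log(lines, watchlist) -> list:
    """Return one hit per (line, indicator) for lines that reference a watchlisted
    URL or IPv4 address. Whole-token matching avoids prefix false positives
    (e.g. 142.93.212.4 does not match 142.93.212.42)."""
    ips, urls = watchlist
    hits = []
    for lineno, line in enumerate(lines, 1):
        matched = {}
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")
            if url in urls:
                matched[url] = urls[url]
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                matched.setdefault(ip, ips[ip])
        for indicator, label in matched.items():
            hits.append({"line": lineno, "indicator": indicator, "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(f"line {hit['line']}: {hit['indicator']} ({hit['label']})")
```

The proxy line yields two hits (the full exfiltration URL and its host IP), which is deliberate: the URL hit is the higher-fidelity signal, while the IP hit is what a firewall log without URL visibility would produce. In production the watchlist would be loaded from a feed rather than hard-coded, and hits would be enriched with the source host so the affected endpoint can be isolated.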