Full Report
The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially-related intrusions into several targets between July 2024 and March 2025. "The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors," security researchers Aleksandar Milenkoski and Tom
Analysis Summary
# Threat Actor: PurpleHaze (China-Nexus Activity)
## Attribution & Identity
* **Attribution:** High-confidence attribution to China-nexus threat actors.
* **Known Aliases/Associations:** Tracked as the threat cluster **PurpleHaze**. Overlaps with the publicly reported Chinese cyber espionage groups APT15 and UNC5174 (also known as Uteus or Uetus). Activity F is attributed to a China-nexus actor with loose affiliations to the initial access broker UNC5174.
## Activity Summary
The activity described encompasses several partially related intrusions, grouped into six activity clusters (A to F), spanning June 2024 to March 2025. Listed by start date:
* **June 2024 (Activity A):** Intrusion into an unnamed South Asian government entity, leading to the deployment of ShadowPad obfuscated with ScatterBrain.
* **July 2024 – March 2025 (Activity B):** A set of global intrusions across many sectors.
* **Late September 2024 (Activity F):** Intrusion into a leading European media organization.
* **October 2024 (Activities D & E):**
  * Second intrusion into the same South Asian government entity, dropping GoReShell (Activity D).
  * Reconnaissance activity targeting SentinelOne servers (Activity E, grouped under PurpleHaze).
* **Early 2025 (Activity C):** Intrusion into an IT services and logistics company managing hardware logistics for SentinelOne employees.
## Tactics, Techniques & Procedures
* **Initial Foothold:** Exploitation of **CVE-2024-8963** and **CVE-2024-8190** (both in Ivanti Cloud Service Appliance) to establish an initial foothold. Exploitation occurred just before public disclosure of these vulnerabilities, i.e. they were used as zero-days.
* **Infrastructure:** Use of **ORB (operational relay box)** network infrastructure, assessed to be operated from China.
* **Malware Deployment:**
  * Deployment of obfuscated **ShadowPad** (leveraging ScatterBrain).
  * Deployment of a Go-based reverse shell named **GoReShell**, which uses SSH for its C2 channel.
  * Use of tools developed by **The Hacker's Choice (THC)**, marking the first reported state-sponsored abuse of their software.
* **Post-Compromise:** In one instance, UNC5174 is suspected of transferring access to other threat actors after compromise.
## Targeting
* **Sectors:** Government, media, manufacturing, finance, telecommunications, research, and IT services/logistics.
* **Geography:** A South Asian government entity, a European media organization, and global organizations (Activity B).
* **Victims:** An unnamed South Asian government entity (targeted twice), a leading European media organization, an IT services and logistics company (which managed SentinelOne hardware logistics), and SentinelOne (reconnaissance). Over 70 organizations were targeted in Activity B.
## Tools & Infrastructure
* **Malware families used:** ShadowPad (obfuscated with ScatterBrain), GoReShell (Go-based reverse shell), NailaoLocker (linked via ShadowPad infrastructure overlap).
* **Infrastructure:** ORB (operational relay box) network infrastructure operated from China.
## Implications
This campaign demonstrates sophisticated, multi-stage espionage that used zero-day exploitation (CVE-2024-8963/8190 exploited before public disclosure) against high-value targets globally. The actor demonstrates supply chain awareness (targeting the logistics provider that handles hardware for SentinelOne employees) and a willingness to hand off or share access with other groups after initial compromise (UNC5174 is suspected of transferring access). The use of THC's tooling by a state-sponsored actor, reported here for the first time, is a notable development.
## Mitigations
* Urgent patching for **CVE-2024-8963** and **CVE-2024-8190**; because both were exploited before disclosure, treat any exposed instance that was unpatched during the campaign window as potentially compromised and review it, not just patch it.
* Monitor for indicators related to ShadowPad, GoReShell, and associated infrastructure. Since GoReShell uses SSH for C2, outbound SSH sessions initiated by hosts that are not expected SSH clients, to destinations that are not approved SSH servers, are a useful hunting signal.
* Tightly monitor and segment internet-facing services, and scrutinize the access and data held by supply chain partners such as hardware logistics providers, since the actor reached SentinelOne's logistics provider directly.
* Review network and endpoint logs for use of software developed by The Hacker's Choice (THC) on production systems, where such tools have no legitimate administrative purpose.
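The page notes under Tactics, Techniques & Procedures that GoReShell is a reverse shell using SSH for C2, and the mitigations ask for monitoring of associated activity. Below is an added hunting example, not code from the report or from SentinelOne, that turns that observation into a check over Zeek-format `conn.log` lines. The log lines, the internal ranges and the two allowlists (`APPROVED_SSH_CLIENTS`, `APPROVED_SSH_DESTS`) are constructed for illustration and are not indicators from the report. The key design choice is to key on Zeek's `service` field (protocol detection by banner) rather than on port 22, so an SSH reverse shell on a non-standard port is still caught.

```python
"""
Hunt for reverse-SSH style C2 in Zeek-format conn logs.

A reverse shell initiates its connection outbound from the victim, so the
signal is: an internal host that is not an expected SSH client opens an
SSH session to an external address that is not an approved SSH server.
Zeek's `service` field is protocol detection by banner, so SSH on a
non-standard port still shows up as "ssh".

All data below is CONSTRUCTED sample data for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed Zeek conn.log excerpt (tab-separated, header omitted). Columns:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1728390001.120000\tCk1\t10.20.5.17\t49211\t203.0.113.44\t22\ttcp\tssh\t5400.2\t88120\t1920
1728390002.500000\tCk2\t10.20.5.9\t51002\t10.20.0.5\t22\ttcp\tssh\t12.0\t2048\t4096
1728390003.000000\tCk3\t10.20.5.17\t49300\t198.51.100.7\t443\ttcp\tssl\t1.4\t3200\t9800
1728390004.750000\tCk4\t10.20.7.2\t40100\t198.51.100.9\t8443\ttcp\tssh\t7200.0\t401234\t5120
1728390005.000000\tCk5\t10.20.1.100\t55555\t192.0.2.10\t22\ttcp\tssh\t3.2\t1024\t2048
1728390006.000000\tCk6\t10.20.5.17\t49400\t203.0.113.44\t22\ttcp\tssh\t2.0\t600\t-
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlists (an assumption of this example): hosts expected to
# initiate outbound SSH (e.g. a bastion) and approved external SSH servers.
APPROVED_SSH_CLIENTS = {"10.20.1.100"}
APPROVED_SSH_DESTS = {"192.0.2.10"}


@dataclass
class Conn:
    ts: float
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def _num(field, cast):
    """Zeek writes '-' for unset fields; treat those as zero."""
    return cast(0) if field == "-" else cast(field)


def parse_conn_log(text):
    """Parse header-less conn.log text into Conn records, skipping comments."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                          f[6], f[7], _num(f[8], float),
                          _num(f[9], int), _num(f[10], int)))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_reverse_ssh_candidates(conns, min_duration=300.0):
    """Return (uid, orig_h, 'resp_h:resp_p', [reasons]) for suspicious SSH."""
    findings = []
    for c in conns:
        if c.service != "ssh":
            continue
        # Reverse shell traffic is victim -> attacker: internal origin, external responder.
        if not is_internal(c.orig_h) or is_internal(c.resp_h):
            continue
        if c.orig_h in APPROVED_SSH_CLIENTS or c.resp_h in APPROVED_SSH_DESTS:
            continue
        reasons = ["outbound ssh from non-approved client to non-approved destination"]
        if c.resp_p != 22:
            reasons.append(f"ssh detected on non-standard port {c.resp_p}")
        if c.duration >= min_duration:
            reasons.append(f"long-lived session ({c.duration:.0f}s)")
        if c.orig_bytes > c.resp_bytes:
            # Shell output leaves the victim; commands are comparatively small.
            reasons.append("victim sent more bytes than it received")
        findings.append((c.uid, c.orig_h, f"{c.resp_h}:{c.resp_p}", reasons))
    return findings


def repeat_pairs(findings):
    """Count findings per (origin, destination) to surface reconnect behaviour."""
    return Counter((orig, dest) for _, orig, dest, _ in findings)


if __name__ == "__main__":
    hits = find_reverse_ssh_candidates(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, orig, dest, reasons in hits:
        print(uid, orig, "->", dest, "|", "; ".join(reasons))
    for (orig, dest), n in repeat_pairs(hits).items():
        if n > 1:
            print(f"{orig} -> {dest} connected {n} times (possible reconnect loop)")
```

On the sample data this flags `Ck1`, `Ck4` (SSH on port 8443, found only because of banner detection) and `Ck6`, and skips the internal-to-internal session, the TLS session and the bastion's approved connection. The repeated pair `10.20.5.17 -> 203.0.113.44:22` is reported separately, since a reverse shell that reconnects after a dropped session produces exactly that pattern. Tune `min_duration` and the allowlists to the environment before using this beyond a lab.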