Full Report
Researchers from SentinelOne have linked the PurpleHaze and ShadowPad activity clusters to China-aligned threat actors with high confidence. (Source: Industrial Cyber, "SentinelOne links ShadowPad and PurpleHaze attacks to China-aligned threat actors".)
Analysis Summary
# Threat Actor: PurpleHaze / ShadowPad Clusters (China-Nexus)
## Attribution & Identity
Attributed with high confidence to China-nexus threat actors. Tentatively associated with clusters that overlap suspected Chinese cyberespionage groups tracked as APT15 and UNC5174. The activity is part of a broader campaign spanning the PurpleHaze and ShadowPad clusters.
## Activity Summary
The investigation covers activity from July 2024 to March 2025, comprising several partially related intrusions.
* **Reconnaissance:** SentinelLABS identified and thwarted a reconnaissance operation against SentinelOne infrastructure in October 2024, attributed to the broader PurpleHaze cluster.
* **ShadowPad Campaign:** Disrupted an intrusion in early 2025 tied to a larger ShadowPad campaign; the victim was a third-party IT services and logistics organization that manages hardware logistics for SentinelOne employees.
* **Targeting of South Asian Government:** Observed ShadowPad activity in June 2024 against a South Asian government agency responsible for IT infrastructure and services.
* **Broader Campaign:** Analysis of ShadowPad samples and netflow data revealed more than 70 victims worldwide across multiple sectors between July 2024 and March 2025.
## Tactics, Techniques & Procedures
- Use of the ShadowPad modular backdoor platform.
- ShadowPad samples obfuscated with a variant of ScatterBrain, an evolution of the ScatterBee obfuscator.
- Chained exploitation of CVE-2024-8963 and CVE-2024-8190 (Ivanti Cloud Services Appliance), as noted in September 2024 reporting by other agencies.
- UNC5174-associated activity exploited CVE-2023-46747 (F5 BIG-IP) and CVE-2024-1709 (ConnectWise ScreenConnect) to deploy GOREVERSE, a publicly available backdoor linked to the GOREshell malware cluster.
- Much of the observed activity focused on mapping Internet-facing servers and checking their availability (reconnaissance).
## Targeting
- **Sectors:** Manufacturing, government, finance, telecommunications, research, and cybersecurity vendors (including SentinelOne itself).
- **Geography:** Global scope, with specific mention of a South Asian government entity and a European media organization.
- **Victims:** A South Asian government entity, a European media organization, more than 70 organizations worldwide, and an IT services and logistics company serving SentinelOne staff.
## Tools & Infrastructure
- **Malware families used:** ShadowPad (modular backdoor), GOREVERSE (publicly available backdoor associated with GOREshell).
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary. Netflow data was used to identify victims, and the infrastructure behind the reconnaissance activity was identified and mapped by researchers.
## Implications
Persistent targeting of cybersecurity vendors shows China-nexus actors investing both in supply-chain access and in intelligence on the security industry itself. The scale of the ShadowPad campaign points to broad, long-running global cyberespionage. The use of ScatterBrain obfuscation indicates sustained investment in evasion.
## Mitigations
- Continuously monitor Internet-exposed assets for reconnaissance, in particular availability probing and scanning from a single source across many hosts.
- Maintain rapid detection and robust response capabilities, especially for vendors supporting critical infrastructure or sensitive clients.
- Scrutinize supply-chain relationships, particularly third-party logistics and hardware providers, as the compromised logistics company shows.
- Share IOCs and intelligence on these campaigns transparently to enable coordinated response.
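The report describes reconnaissance that maps Internet-facing servers and checks their availability, and recommends monitoring exposed assets for exactly that. The following is an added example, not code from SentinelLABS or Industrial Cyber, of one way to implement that check over netflow-style records: it flags any source that touches many distinct exposed hosts with tiny payloads inside a short window. The record layout, the sample flows (constructed, not real IOCs) and the thresholds are all assumptions chosen for illustration.

```python
"""Flag sources sweeping many Internet-exposed hosts with low-volume probes."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent from src to dst in this flow


# Constructed sample records (not from the report): "ts src dst dport bytes".
# 203.0.113.10 touches six exposed hosts in under four minutes with tiny
# payloads (availability probing); 203.0.113.20 is an ordinary client that
# exchanges real data with a single host.
SAMPLE_FLOWS = """\
2024-10-03T09:00:01Z 203.0.113.10 198.51.100.2 443 180
2024-10-03T09:00:40Z 203.0.113.10 198.51.100.3 443 176
2024-10-03T09:01:22Z 203.0.113.10 198.51.100.4 22 92
2024-10-03T09:02:05Z 203.0.113.10 198.51.100.5 443 181
2024-10-03T09:02:50Z 203.0.113.10 198.51.100.6 8443 177
2024-10-03T09:03:31Z 203.0.113.10 198.51.100.7 443 180
2024-10-03T09:00:05Z 203.0.113.20 198.51.100.2 443 48210
2024-10-03T09:04:11Z 203.0.113.20 198.51.100.2 443 51877
2024-10-03T09:05:00Z 203.0.113.20 198.51.100.2 443 2300
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(
            Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 src, dst, int(dport), int(nbytes))
        )
    return flows


def detect_sweeps(flows: list[Flow],
                  window: timedelta = timedelta(minutes=10),
                  min_hosts: int = 5,
                  max_bytes: int = 1024) -> dict[str, list[str]]:
    """Return {src: sorted distinct hosts} for every source that contacted at
    least `min_hosts` distinct destinations, each with at most `max_bytes`
    sent, within any sliding `window`. Thresholds are illustrative."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        if f.nbytes <= max_bytes:  # availability checks carry little data
            by_src[f.src].append(f)

    hits: dict[str, set[str]] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until it fits inside `window`.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            hosts = {f.dst for f in fl[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(src, set()).update(hosts)
    return {src: sorted(h) for src, h in hits.items()}


if __name__ == "__main__":
    for src, hosts in detect_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible recon sweep from {src}: {len(hosts)} hosts -> {hosts}")
```

On real telemetry, feed the detector from flow exports rather than the embedded sample, tune `min_hosts`, `window` and `max_bytes` to the size of your exposed footprint, and scope `dst` to your own Internet-facing ranges so that outbound traffic from internal hosts does not pollute the result.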