Full Report
Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers. "We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees," security
Analysis Summary
# Threat Actor: PurpleHaze
## Attribution & Identity
* **Identification:** China-nexus threat cluster.
* **Aliases and Associations:** Assessed to have loose ties to state-sponsored group **APT15**.
* **APT15 Aliases:** Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
## Activity Summary
* Conducted reconnaissance attempts against SentinelOne infrastructure and some of its high-value customers.
* Observed conducting an intrusion against an organization that previously provided hardware logistics services for SentinelOne employees (2024).
* Observed targeting an unnamed South Asian government-supporting entity in October 2024.
* *Potential Overlap:* Connected to prior activity (June 2024) against the same South Asian entity using ShadowPad; the two clusters are possibly the same actor.
## Tactics, Techniques & Procedures
* Used an **Operational Relay Box (ORB) network** to create dynamic and challenging-to-track infrastructure.
* Employed a custom Windows backdoor dubbed **GoReShell**, written in the Go programming language.
* GoReShell repurposes the open-source tool `reverse_ssh` to establish reverse SSH connections back to attacker-controlled endpoints.
* When targeting the South Asian entity in June 2024, the actor used **ShadowPad (aka PoisonPlug)**, often shared among China-nexus espionage groups.
* ShadowPad artifacts were obfuscated using a bespoke compiler named **ScatterBrain**.
* In older related intrusions (using ShadowPad), the actor likely exploited an N-day vulnerability in **Check Point gateway devices**.
## Targeting
* **Sectors:** Manufacturing, government, finance, telecommunications, and research (based on associated ShadowPad activity impacting over 70 organizations).
* **Geography:** An unnamed South Asian country (government entity targeted).
* **Victims:** SentinelOne, SentinelOne high-value customers, an organization providing hardware logistics services for SentinelOne employees, and an unnamed South Asian government-supporting entity.
## Tools & Infrastructure
* **Malware Families:** GoReShell (Go-based backdoor), ShadowPad (PoisonPlug backdoor).
* **Infrastructure:** Operational Relay Box (ORB) network, reverse SSH connections.
* **Custom Tools:** ScatterBrain (compiler/obfuscator for ShadowPad).
* **URLs/IPs:** *No URLs or IP addresses are listed in the source text.*
## Implications
PurpleHaze uses modern infrastructure (ORB networks), typical of China-nexus espionage operations, to complicate tracking and attribution. The actor's use of custom tools such as GoReShell and its association with ShadowPad suggest a persistent, well-resourced cyber espionage actor, likely focused on intellectual property or strategic intelligence gathering, especially given the targeting of government entities and critical sectors.
## Mitigations
* Monitor for the deployment and usage of Go-language backdoors, particularly those leveraging reverse SSH for command and control.
* Implement strict patch management, especially for edge devices like gateway appliances (e.g., Check Point), to prevent N-day exploitation.
* Analyze incoming payloads for obfuscation techniques, specifically looking for artifacts related to the ScatterBrain compiler if ShadowPad is suspected within the network.
* Investigate network traffic for evidence of operational relay box usage, which may manifest as unusually dynamic or rapidly changing C2 infrastructure patterns.
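As an added example (not code from SentinelOne's report), the first and last mitigations above expressed as detection logic over egress connection records: it flags outbound SSH sessions opened by processes that are not approved SSH clients (reverse-SSH command and control from a Windows host) and hosts that reach many distinct destinations on one port within a short window (destination churn consistent with ORB infrastructure). Hostnames, process names, IP addresses, thresholds and the approved-client list are constructed assumptions to be tuned per environment.

```python
"""Detection sketch for two PurpleHaze-style signals: outbound SSH opened by an
unexpected Windows process (reverse-SSH C2) and rapid C2 destination churn (ORB use).
Sample records below are constructed placeholders, not indicators from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Processes expected to open outbound SSH on workstations (assumption; tune per environment).
APPROVED_SSH_CLIENTS = {"ssh.exe", "putty.exe", "winscp.exe"}
SSH_PORT = 22

# Constructed egress records: (timestamp, host, process, dst_ip, dst_port).
SAMPLE_EGRESS = [
    ("2024-10-01T09:00:00", "WS-FIN-07", "svchost.exe", "203.0.113.10", 22),
    ("2024-10-01T09:05:00", "WS-FIN-07", "svchost.exe", "203.0.113.44", 22),
    ("2024-10-01T09:10:00", "WS-FIN-07", "svchost.exe", "198.51.100.9", 22),
    ("2024-10-01T09:15:00", "WS-FIN-07", "svchost.exe", "198.51.100.77", 22),
    ("2024-10-01T09:20:00", "WS-FIN-07", "svchost.exe", "192.0.2.130", 22),
    ("2024-10-01T09:02:00", "WS-DEV-03", "putty.exe", "192.0.2.5", 22),
    ("2024-10-01T09:03:00", "WS-DEV-03", "chrome.exe", "192.0.2.8", 443),
]

def unexpected_ssh_clients(records):
    """Return (host, process, dst_ip) for outbound SSH not started by an approved client."""
    return [
        (host, proc, dst)
        for _, host, proc, dst, port in records
        if port == SSH_PORT and proc.lower() not in APPROVED_SSH_CLIENTS
    ]

def destination_churn(records, window_minutes=60, threshold=4):
    """Return {(host, port): n} where a host contacted n >= threshold distinct
    destinations on one port inside some sliding window of window_minutes."""
    by_key = defaultdict(list)
    for ts, host, _, dst, port in records:
        by_key[(host, port)].append((datetime.fromisoformat(ts), dst))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations reached within [start, start + window]
            dsts = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            flagged[key] = best
    return flagged
```

Feed real records from EDR or firewall telemetry in the same tuple shape; the churn check is deliberately per host and port so ordinary browsing on 443 does not trip it unless a single host fans out unusually fast.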