
Inside PurpleHaze: How China-Linked Hackers Mapped and Probed a Cybersecurity Giant

In a startling revelation that exposes the fragile interdependence of cybersecurity infrastructure, SentinelOne disclosed that its security researchers had identified and thwarted multiple espionage campaigns by China-linked threat actors targeting not just global public and private entities—but SentinelOne itself.


The operation, which spans from mid-2024 to early 2025, is tied to activity clusters SentinelLabs has dubbed PurpleHaze and ShadowPad. These overlapping campaigns reflect the evolution of Chinese state-aligned cyberespionage, demonstrating increasingly strategic interest in breaching the companies responsible for defending the digital world.


Cybersecurity Vendors: The New Prime Targets


“The persistent interest in cybersecurity vendors highlights how threat actors view us not only as protectors but also as potential avenues into much bigger targets,” SentinelOne's threat intelligence researchers stated. It's a rare look into the reality cybersecurity companies face—targeted not just by profit-driven cybercriminals, but by nation-state actors looking to compromise defenders themselves.


While the attacks were ultimately unsuccessful in breaching SentinelOne’s infrastructure, the reconnaissance was sophisticated. The attackers probed internet-facing servers, studied infrastructure footprints, and even breached an external logistics provider responsible for managing SentinelOne hardware. No data exfiltration was observed, but the implications are chilling.


ShadowPad: Global Reach, Surgical Precision


The ShadowPad cluster was first observed in June 2024 targeting a South Asian government agency. But the full picture quickly expanded. By analyzing telemetry data and command-and-control infrastructure, SentinelLabs tracked ShadowPad activity across more than 70 victims in sectors ranging from finance to telecom. Among them: an IT logistics firm that managed SentinelOne’s hardware.


Researchers linked this wave to malware obfuscated using ScatterBrain and ScatterBee techniques—telltale signs of China-nexus threat groups such as APT41. ShadowPad, a modular backdoor known for its use in state-sponsored espionage, is believed to be maintained and deployed by contractors for China’s Ministry of State Security.


The group’s tools weren’t limited to Windows environments. Linux systems were targeted using cleverly disguised services. Across both platforms, persistence mechanisms, timestomping, and sophisticated cleanup routines show operational maturity.


PurpleHaze: GOREshell and Infrastructure Masquerades


Parallel to ShadowPad, a more recent cluster dubbed PurpleHaze emerged in September and October 2024. This cluster, loosely associated with APT15 and UNC5174, revealed a mix of novel malware, legitimate software repurposed for persistence, and clever use of operational relay box (ORB) networks.


Key to this cluster is GOREshell, a stealthy SSH-based backdoor observed in both Windows and Linux variants. It was deployed via DLL hijacking techniques using signed executables from VMware, which then side-loaded malicious libraries. These backdoors communicated over WebSockets to Chinese-controlled servers.


Researchers also uncovered a massive infrastructure mapping campaign directed at SentinelOne servers. The attackers employed spoofed domain names like sentinelxdr[.]us and downloads.trendav[.]vip, mimicking SentinelOne’s branding to monitor activity and perhaps prepare for deeper intrusion attempts.
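The brand-mimicking domains above are the kind of signal a defender can hunt for in DNS telemetry. As an added illustration (not code from SentinelOne or its report), the Python scanner below flags queries whose registrable domain carries a vendor brand token without being on an allowlist, or sits within a small edit distance of a legitimate vendor domain. The log line format, the allowlist, the brand tokens and the sample queries are all constructed for this example; the registrable-domain logic is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist of legitimate vendor domains (assumption for this example).
LEGIT_DOMAINS = {"sentinelone.com", "sentinelone.net", "trendmicro.com"}
# Brand tokens whose presence in an unknown registrable domain is suspicious.
BRAND_TOKENS = ("sentinel", "trend")
# Maximum edit distance to a legitimate domain before a lookalike is flagged.
MAX_EDIT_DISTANCE = 2

# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


@dataclass
class Finding:
    qname: str        # the refanged query name as seen in the log
    registrable: str  # simplified registrable domain (last two labels)
    reason: str       # why it was flagged


def refang(domain: str) -> str:
    """Turn defanged notation like 'sentinelxdr[.]us' back into a plain name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable(domain: str) -> str:
    """Simplified registrable domain: the last two labels (no public-suffix list)."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch near-typosquats of legitimate domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(qname: str) -> Optional[Finding]:
    """Return a Finding if the query name looks like a vendor-brand lookalike."""
    name = refang(qname)
    reg = registrable(name)
    if reg in LEGIT_DOMAINS:
        return None  # subdomains of allowlisted vendor domains are fine
    for token in BRAND_TOKENS:
        if token in reg:
            return Finding(name, reg, f"brand token '{token}' in non-allowlisted domain")
    for legit in LEGIT_DOMAINS:
        if levenshtein(reg, legit) <= MAX_EDIT_DISTANCE:
            return Finding(name, reg, f"within {MAX_EDIT_DISTANCE} edits of {legit}")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run assess() over resolver log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        f = assess(m.group("qname"))
        if f:
            findings.append(f)
    return findings


# Constructed sample log lines; the first two reuse the domains named in the article.
SAMPLE_LOG = [
    "2024-10-02T10:15:01Z 10.0.0.5 query sentinelxdr[.]us",
    "2024-10-02T10:15:07Z 10.0.0.5 query downloads.trendav[.]vip",
    "2024-10-02T10:16:11Z 10.0.0.9 query console.sentinelone.net",
    "2024-10-02T10:17:40Z 10.0.0.9 query sentinelone.co",
    "2024-10-02T10:18:02Z 10.0.0.7 query example.org",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.qname:30} {f.reason}")
```

In production the allowlist would come from the organisation's own vendor inventory and the last-two-labels shortcut would be replaced by a public-suffix lookup, otherwise names under multi-label suffixes (co.uk and similar) are mis-split.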


One notable tactic: the chaining of zero-day vulnerabilities, specifically in Ivanti appliances, days before public disclosure. This rapid exploitation suggests a pipeline of fresh vulnerabilities and close collaboration between access brokers and espionage teams.


The Curious Case of THC Tools and dsniff’s Revival


The campaigns also signal an unusual evolution: the incorporation of tools maintained by the hacker collective The Hacker’s Choice (THC). Open-source projects like reverse_ssh and dsniff—long considered outdated—have resurfaced in highly targeted, nation-state operations. THC's influence extends beyond tooling: modified cleanup utilities like clear13 were used to wipe logs and obscure traces on compromised Linux systems.


This merging of open-source penetration tools with APT-level tradecraft reflects a growing trend where threat actors blur lines between public tooling and state-sponsored espionage, adding an extra layer of complexity for defenders.


Implications and Industry Call to Action


While no compromise of SentinelOne systems occurred, the incident serves as a stark reminder: cyber defense companies are no longer mere bystanders in geopolitical conflicts—they are now high-value targets.


SentinelOne emphasized that proactive monitoring and rapid incident response neutralized the threats. “Transparency and collaboration across the industry are vital,” a spokesperson said. “This is not just about protecting ourselves—it’s about ensuring the ecosystem remains resilient.”


Their findings align with other global alerts. CISA, FBI, ANSSI, and private vendors like Mandiant have independently flagged the same vulnerabilities and actors. This synchronization across threat intelligence circles highlights a rare moment of consensus: China-nexus espionage campaigns are growing bolder, more modular, and increasingly infrastructure-savvy.


Bottom Line


The exposure of PurpleHaze and ShadowPad isn’t just a victory lap for SentinelOne. It’s a sobering case study in how the guardians of cybersecurity must now guard themselves—not just against botnets or ransomware gangs, but against nation-state hackers with time, patience, and precision on their side.


As lines blur between defense and target, one truth is clear: no organization, not even the defenders, can afford to operate in isolation anymore.
