China-Backed Hackers Target SentinelOne, Part of Attack Spree - Dark Reading

Source: Dark Reading. Archived Mar 20, 2026 (full text).
China-Backed Hackers Target SentinelOne in 'PurpleHaze' Attack Spree

Known threat groups APT15 and UNC5174 unleashed attacks against SentinelOne and more than 70 other high-value targets, as part of ongoing cyber-espionage and other malicious activity involving ShadowPad malware.

Elizabeth Montalbano, Contributing Writer
June 9, 2025

Threat actors from China targeted a security vendor as part of a spree of attacks against various organizations over an eight-month period that began last July. Two separate attacks involving AI-powered security provider SentinelOne included network reconnaissance and an attempted intrusion into the company's network through a third-party service provider, and they are part of a broader range of malicious activity aimed at security companies.

SentinelOne's threat research arm, SentinelLabs, which revealed the activity in a blog post published today, attributes the intrusions to an activity cluster it tracks as PurpleHaze, as well as to a wider ShadowPad operation. Two known China-backed threat actors, tracked as APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) and UNC5174, are the likely culprits behind the clusters of activity.

The PurpleHaze activity, in which threat actors targeted Internet-reachable SentinelOne servers to conduct "extensive remote reconnaissance," occurred in October, the SentinelLabs researchers wrote in the post. The second recent attack was related to ShadowPad, a backdoor malware, and occurred at the beginning of this year. During that attack, the attackers targeted a third-party organization that was at the time responsible for managing hardware logistics for SentinelOne employees.

"We promptly informed the IT services and logistics organization of the intrusion details," the researchers wrote. "A thorough investigation into SentinelOne's infrastructure, software, and hardware assets found no evidence of compromise."

SentinelOne has not determined whether the perpetrators' focus was solely on the targeted IT logistics organization or whether they intended to establish a foothold there and extend their reach to downstream organizations, the latter tactic being a hallmark of Chinese threat actor activity.

Security Vendors in APT Threat Sights

The company said the threat activity reveals an aspect of the threat landscape that it believes has not received enough attention: the targeting of cybersecurity vendors.

"Cybersecurity companies are high-value targets for threat actors due to their protective roles, deep visibility into client environments, and ability to disrupt adversary operations," the researchers wrote. "Our objective is to contribute to strengthening industry defenses by promoting transparency and encouraging collaboration."

APT15 has been active on and off for more than 20 years, but in the past several years it has experienced a resurgence, with attacks against Chinese ethnic populations and against foreign ministries in both North and South America. Meanwhile, UNC5174, previously identified by Mandiant, is believed to be a contractor working on behalf of the Chinese government to target Western countries, including the US, the UK, and Canada.

Even as it was defending itself, SentinelOne also tracked scores of other intrusions by one or the other of these two Chinese threat actors between last July and March of this year. Victims included a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.

ShadowPad, PurpleHaze Attack Cluster Breakdown

Overall, the wider ShadowPad activity tracked by SentinelOne targeted about 70 organizations in sectors including manufacturing, government, finance, telecommunications, and research. Once the activity was discovered, SentinelOne contacted its potentially affected customers, including the aforementioned logistics company with which it was working.

Given that China-based actors typically deploy ShadowPad for cyber-espionage, the researchers believe that this was the goal of the varied attacks. Other threat hunters from Trend Micro, Orange Cyberdefense, and Check Point had previously documented some of the activity, including a ShadowPad deployment linked to a NailaoLocker ransomware attack, according to the post.

The PurpleHaze activity subset involved attacks on a South Asian government entity as well as the reconnaissance against SentinelOne; both were likely the work of APT15. The attackers used backdoors previously classified as part of a malware cluster designated GOREshell, which SentinelOne had observed in earlier targeted attacks.

PurpleHaze also included an attack on an unnamed "leading" European media organization, in which the threat actor chained two now-known Ivanti Cloud Services Appliance vulnerabilities, CVE-2024-8963 and CVE-2024-8190, a few days before they were publicly disclosed. The attackers used the flaws to establish an initial foothold, operating through operational relay box (ORB) network infrastructure, an intrusion pattern associated with UNC5174, according to the researchers.

Break the Stigma for Coordinated Incident Response

Overall, the finding of a constant barrage by China-backed actors underscores the critical need for organizations, including cybersecurity vendors, to remain vigilant, practice robust monitoring, and maintain rapid response capabilities, according to SentinelOne.

The researchers also called for similar transparency and intelligence sharing from peers targeted by China-backed actors, encouraging cybersecurity companies to come forward to promote "coordinated action over the fear of reputational harm," they wrote.

"By publicly sharing details of our investigations," they wrote, "we aim to provide insight into the rarely discussed targeting of cybersecurity vendors, helping to destigmatize sharing of [indicators of compromise] related to these campaigns, and thus contribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat actors."

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.