Cybersecurity firm SentinelOne has issued a warning about the growing threat of China-linked APT (Advanced Persistent Threat) groups targeting its systems, high-value clients, and even its own employees. The company's SentinelLABS division discovered that the sophisticated group, tracked as PurpleHaze, had attempted reconnaissance on SentinelOne's infrastructure and high-profile clients.

SentinelLABS first identified PurpleHaze in June 2024, during a series of intrusions into a company that formerly provided hardware logistics services for SentinelOne employees. The group has since been linked to multiple high-value targets across various sectors. Analysis of its activity also suggests that PurpleHaze's tactics and tools strongly resemble those of APT15 (also known as Nylon Typhoon, Ke3chang, Mirage, Vixen Panda, Royal APT, and Playful Dragon), a well-established China-linked cyberespionage group.

PurpleHaze leverages an extensive infrastructure network, including Operational Relay Boxes (ORBs), together with a Windows-based backdoor called GoReShell. Its use of dynamic ORB networks and obfuscated Go-based malware aligns with broader Chinese APT patterns, but because this kind of infrastructure and tooling is shared among several China-linked groups, attributing individual attacks to one specific group with confidence remains challenging for security professionals.

SentinelLABS attributes these campaigns to a China-nexus actor with high confidence. The attack highlights the growing threat of supply chain risks and persistent cyberespionage efforts from China-linked actors. Additionally, the company discovered that PurpleHaze had attempted to conduct reconnaissance on SentinelOne's systems approximately four months prior to targeting its infrastructure.

Recent ShadowPad activity has also included the deployment of ransomware, with motives remaining unclear. The malware is a modular backdoor platform used by multiple suspected China-nexus threat actors for cyberespionage purposes. SentinelLABS detected this malware in the retrieved artifacts from an investigation into a South Asian government entity that was targeted in October 2024.

In a surprising turn of events, SentinelOne reported that approximately 360 fake personas submitted more than 1,000 job applications to the company. These actors, linked to North Korea, were attempting to infiltrate the security firm's SentinelLABS intelligence engineering team.

The report concludes that financially motivated threat actors often target enterprise security tools like SentinelOne to gain privileged access, disable defenses, and test malware. Groups such as Black Basta are increasingly testing multiple security platforms before launching attacks, highlighting a growing trend in strategic threat actor operations.

As the threat landscape continues to evolve, the role of Cyber Threat Intelligence (CTI) in anticipating and disrupting these tactics has become more critical than ever. The case highlights the importance of internal talent acquisition and insider threat defense strategies for security firms like SentinelOne.