Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and March 2025. Learn about the “PurpleHaze (aka Vixen Panda)” and “ShadowPad” operations and the persistent threats.
A new report from cybersecurity firm SentinelLABS has exposed a wide-reaching campaign of cyberattacks, strongly believed to originate from China. These activities, which took place from July 2024 to March 2025, were aimed at numerous organizations globally, including government agencies, media companies, and, notably, SentinelOne.
While the scale of the attacks was significant, SentinelLABS has confirmed that its own infrastructure remained uncompromised. Reportedly, in October 2024, SentinelLABS detected early probing activities targeting SentinelOne’s internet-accessible systems. This was part of a larger cluster of suspicious activities they named “PurpleHaze (aka Vixen Panda)”.
Later, in early 2025, SentinelLABS assisted in stopping a separate intrusion. This incident was connected to a broader operation called “ShadowPad” and impacted a company responsible for managing computer equipment for SentinelOne’s staff. In both scenarios, extensive checks by SentinelLABS confirmed that SentinelOne’s own network, software, and devices were not compromised.
The combined PurpleHaze and ShadowPad efforts did not stop there. They affected over 70 different organizations across the world, including a government entity in South Asia and a major European media organization. Beyond these, a wide array of businesses in manufacturing, finance, telecommunications, and research were also impacted.
SentinelLABS has confidently linked these coordinated attacks to what they term “China-nexus threat actors.” These are groups suspected of having strong ties to the Chinese government’s spying programs. The investigation found connections between some PurpleHaze intrusions and well-known Chinese cyber espionage groups, specifically APT15 and UNC5174.
The hackers used a variety of advanced tools and techniques. A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access. Another tool, GOREshell, a family that includes reverse_ssh backdoor variants, was also deployed.

These groups frequently utilized Operational Relay Box (ORB) networks, a method that allows them to create a constantly changing network of control points, making their activities harder to track and identify.
They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. Furthermore, some attacks involved publicly available tools from The Hacker’s Choice (THC), a community of cybersecurity researchers.
Craig Jones, Vice President of Security Operations at Ontinue, a Redwood City, Calif.-based managed detection and response (MDR) provider, commented on the latest development, stating, “What SentinelOne is seeing now is classic China-nexus activity, it echoes exactly what was tracked during the Pacific Rim attacks when I led the defence activity at Sophos.”
“Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new, it’s a continuation of a well-honed strategy,” Craig added.
These detailed findings highlight the sophisticated and persistent nature of these state-sponsored operations and emphasize the critical need for constant monitoring across all sectors.
HackRead