A recent cybersecurity incident involving American company SentinelOne has been linked to a broader series of related intrusions that occurred between July 2024 and March 2025.
According to a report published by SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel, the targeted entities include a South Asian government entity, a European media organization, and over 70 organizations across various sectors, such as manufacturing, government, finance, telecommunications, and research.
Notably, an IT services and logistics company managing hardware logistics for SentinelOne employees was also compromised at the beginning of 2025. The malicious activity has been attributed with high confidence to China-nexus threat actors, with some attacks tied to a threat cluster known as PurpleHaze, which overlaps with Chinese cyber espionage groups APT15 and UNC5174.
In April 2024, SentinelOne initially disclosed PurpleHaze-related reconnaissance activity targeting some of its servers that were intentionally left accessible over the internet due to their functionality. The threat actor’s activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions.
The current investigation has uncovered six distinct activity clusters, named A to F, dating back to June 2024, when an unnamed South Asian government entity was compromised. The six clusters are:
- Activity A: An intrusion into a South Asian government entity (June 2024)
- Activity B: A set of intrusions targeting organizations globally (Between July 2024 and March 2025)
- Activity C: An intrusion into an IT services and logistics company (at the beginning of 2025)
- Activity D: A second intrusion into the same South Asian government entity (October 2024)
- Activity E: Reconnaissance activity targeting SentinelOne servers (October 2024)
- Activity F: An intrusion into a leading European media organization (late September 2024)
The June 2024 attack against the government entity led to the deployment of ShadowPad, obfuscated using ScatterBrain, which overlaps with recent ShadowPad campaigns delivering the NailaoLocker ransomware family following the exploitation of Check Point gateway devices.
Subsequently, in October 2024, the same organization was targeted again, this time to drop a Go-based reverse shell dubbed GoReShell, which uses SSH to establish a reverse connection from the infected host. This backdoor was also used in connection with a September 2024 attack aimed at a leading European media organization.
The threat actors utilized tools developed by The Hacker’s Choice (THC), marking the first time THC’s software has been abused by state-sponsored actors.
SentinelOne attributed Activity F to a China-nexus actor with loose affiliations to an initial access broker tracked by Google Mandiant as UNC5174. The threat group was recently linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell.
“The threat actor leveraged operational relay box (ORB) network infrastructure, which we assess to be operated from China, and exploited the CVE-2024-8963 vulnerability, along with CVE-2024-8190, to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed,” the researchers said. “After compromising these systems, UNC5174 is suspected of transferring access to other threat actors.”