SentinelOne Uncovers New Wave of Chinese Espionage


SentinelOne has uncovered a wide-reaching Chinese espionage campaign that aimed to infiltrate its infrastructure and spy on some of its most valuable clients. The cybersecurity company revealed that a threat group known as PurpleHaze was behind the reconnaissance attempts.

According to security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter, the threat first came to light during a 2024 breach involving a company that previously provided hardware logistics services for SentinelOne employees. In their detailed analysis released on Monday, the researchers outlined how PurpleHaze orchestrated its attacks.

PurpleHaze is believed to have loose connections with APT15, a known Chinese state-sponsored group that operates under various names, including Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.

Beyond targeting SentinelOne’s network, PurpleHaze was also spotted infiltrating a government-supporting entity in South Asia in October 2024. The group deployed an Operational Relay Box (ORB) network alongside a custom Windows backdoor called GoReShell. Written in the Go programming language, GoReShell repurposes the open-source reverse_ssh tool, enabling attackers to create hidden connections back to their own systems.

The researchers pointed out that ORB networks are becoming a growing weapon of choice for cyber espionage groups. Their ability to rapidly expand and shift makes tracking attacks — and attributing them — significantly more difficult.

Links to Previous Cyber Intrusions

The same South Asian entity targeted by PurpleHaze had previously suffered an attack in June 2024 involving ShadowPad, another notorious Chinese backdoor. ShadowPad, often described as the successor to PlugX, has become widely popular among Chinese espionage groups.

While ShadowPad has recently been used to deliver ransomware, it’s unclear whether espionage or financial gain was the main objective in this case. The malware artifacts found were heavily obfuscated using a custom compiler known as ScatterBrain, complicating forensic analysis.

Although the direct connection between the June and October attacks isn’t fully confirmed, SentinelOne’s team suspects that PurpleHaze may be responsible for both incidents.

Evidence shows that the ScatterBrain-obfuscated ShadowPad has been deployed in breaches affecting over 70 organizations across industries such as manufacturing, government, finance, telecom, and research. In many cases, attackers exploited an N-day vulnerability in Check Point gateway devices to gain initial access.

SentinelOne Under Fire From Multiple Threats

One of the victims of the ShadowPad attacks included the same hardware logistics provider that serviced SentinelOne employees. However, the cybersecurity firm emphasized that it found no evidence of further breaches stemming from that incident.

Beyond China, SentinelOne has also faced threats from other nation-state actors. The company reported attempts by North Korea-aligned IT workers to infiltrate its teams — including the SentinelLabs intelligence group — by submitting over 1,000 job applications using around 360 fake personas.

In another alarming trend, ransomware groups are increasingly targeting SentinelOne and other major security vendors. Their goal? To gain access to enterprise-grade tools and test their malware against top-tier detection systems.

A thriving underground economy has emerged to support this practice. Cybercriminals now actively trade, rent, and buy access to enterprise security platforms across dark web forums like XSS[.]is, Exploit[.]in, and RAMP. A new black-market service called “EDR Testing-as-a-Service” even allows attackers to quietly refine their malware payloads against popular security tools — dramatically boosting their chances of slipping past defenses in real-world attacks.

While these testing platforms don’t offer full access to Endpoint Detection and Response (EDR) consoles, they do create semi-private environments where malware can be tuned with minimal risk of exposure.

Nitrogen Raises the Stakes with Corporate Impersonation

Among the various ransomware groups active today, Nitrogen stands out for taking this strategy even further. Believed to be operated by a Russian national, Nitrogen doesn’t just steal credentials or hunt for insiders. Instead, it impersonates legitimate companies.

By registering lookalike domains, spoofing email addresses, and building cloned infrastructure, Nitrogen convincingly poses as real businesses. This deception allows them to purchase genuine licenses for EDR and security software directly — bypassing traditional defenses.

According to SentinelOne’s researchers, this kind of social engineering is carried out with remarkable precision. Nitrogen typically targets smaller, less scrutinized resellers that have inconsistent Know Your Customer (KYC) processes, making it easier to slip through the cracks unnoticed.

As these attacks become more sophisticated, SentinelOne’s findings reveal just how dynamic and dangerous the global cybersecurity landscape has become — and why vigilance is more critical than ever in defending against evolving threats like the Chinese espionage campaign led by PurpleHaze.
