Cybersecurity firm SentinelOne has identified a sophisticated cyber-espionage campaign attributed to a China-linked threat cluster known as “PurpleHaze.” This group has been conducting reconnaissance operations against SentinelOne’s infrastructure and several of its high-value clients.

Discovery and Attribution

The PurpleHaze group came to SentinelOne’s attention following a 2024 intrusion into an organization that previously provided hardware logistics services for SentinelOne employees. PurpleHaze is believed to have associations with the state-sponsored group APT15, also known by aliases such as Flea, Nylon Typhoon, Playful Taurus, Royal APT, and Vixen Panda.

Tactics and Tools

In October 2024, PurpleHaze targeted a South Asian government-supporting entity using an operational relay box (ORB) network and a Windows backdoor named “GoReShell.” GoReShell, written in the Go programming language, repurposes the open-source tool “reverse_ssh” to establish reverse SSH connections to attacker-controlled endpoints.

The use of ORB networks allows for rapid expansion and dynamic infrastructure, complicating efforts to track and attribute cyber-espionage activities. Further analysis revealed that the same South Asian entity was previously targeted in June 2024 with ShadowPad (also known as PoisonPlug), a backdoor widely used among China-nexus espionage groups. These ShadowPad artifacts were obfuscated using a custom compiler called “ScatterBrain.”

Impact and Scope

The ScatterBrain-obfuscated ShadowPad has been employed in intrusions affecting over 70 organizations across sectors such as manufacturing, government, finance, telecommunications, and research. These attacks likely exploited known vulnerabilities in Check Point gateway devices.

One of the victims was an organization responsible for managing hardware logistics for SentinelOne employees. However, SentinelOne reported no evidence of a secondary compromise within its own systems.

Broader Threat Landscape

SentinelOne also observed attempts by North Korea-aligned IT workers to infiltrate the company, including its SentinelLabs intelligence engineering team. These attempts involved approximately 360 fake personas and over 1,000 job applications.

Additionally, ransomware operators have targeted SentinelOne and other enterprise-focused security platforms to assess their tools’ detection capabilities. An underground economy has emerged around “EDR Testing-as-a-Service,” enabling attackers to fine-tune malware against endpoint protection platforms without exposure.

One notable ransomware group, “Nitrogen,” believed to be operated by a Russian national, impersonates legitimate companies by setting up lookalike domains and spoofed infrastructure. This strategy allows them to purchase official licenses for EDR and other security products, exploiting resellers’ inconsistent Know Your Customer (KYC) practices.

Conclusion

The activities of PurpleHaze and associated threat actors highlight the evolving tactics of state-sponsored cyber-espionage groups. Organizations are urged to bolster their cybersecurity measures, conduct regular audits, and remain vigilant against sophisticated intrusion attempts.
