China-Linked Espionage Campaign Targets 70+ Global Organizations Across Sectors

CyberPro Magazine

An extensive cyber espionage campaign, attributed to threat actors with ties to China, has compromised over 70 organizations spanning various sectors globally, according to cybersecurity firm SentinelOne. The intrusions occurred between July 2024 and March 2025 and affected entities in manufacturing, government, finance, telecommunications, and research. Victims also included a European media outlet, a South Asian government agency, and an IT services firm responsible for managing hardware logistics for SentinelOne.

SentinelOne researchers Aleksandar Milenkoski and Tom Hegel linked these incidents to a China-nexus cyber group tracked as PurpleHaze, which overlaps with the previously identified threat clusters APT15 and UNC5174. The researchers grouped the activity into six distinct clusters (labeled Activities A through F), ranging from initial reconnaissance to full-scale intrusions, with the earliest dating back to June 2024.

The campaign was uncovered when SentinelOne detected scanning activity on its internet-facing servers. Though initially limited to reconnaissance, the actions suggested preparatory steps for more invasive operations. The researchers emphasized that the ultimate intent remains unclear, but the breadth and sophistication of the campaign point to a well-orchestrated effort with possible state sponsorship.

Attack Patterns Point to China-Based Infrastructure and Sophisticated Tooling

The intrusions involved a variety of custom tools and exploits. An early attack in June 2024 on a South Asian government entity deployed ShadowPad, a well-known modular malware platform, obfuscated with ScatterBrain, a compiler-based obfuscator. The same obfuscator has been seen in other intrusions that went on to deploy the NailaoLocker ransomware. In a follow-up attack on the same organization in October 2024, the attackers deployed GoReShell, a Go-based backdoor that provides remote access through reverse SSH connections. The same backdoor was also used in a September 2024 attack on a leading European media outlet.

Several of the intrusions shared another striking feature: they used tools created by The Hacker's Choice (THC), a group of ethical hackers. SentinelOne noted this as the first documented instance of THC-developed tools being misused in suspected state-sponsored operations. SentinelOne has attributed these particular intrusions, labeled Activities D, E, and F, to the PurpleHaze group.

Notably, the attackers exploited CVE-2024-8963 and CVE-2024-8190, two vulnerabilities in Ivanti Cloud Service Appliance, to gain initial access before the flaws were publicly disclosed. The operational relay box (ORB) network used for command-and-control communication was reportedly operated from China, adding further weight to the attribution.

Concerns Over Supply Chain and Initial Access Brokering

Of special concern was the early 2025 breach of the IT services and logistics company that supports SentinelOne, which raised alarms about potential supply chain exposure. SentinelOne is also tracking ties to an "initial access broker" identified by Google Mandiant as UNC5174 (also known as Uteus or Uetus). That group was recently connected to the exploitation of SAP NetWeaver vulnerabilities to deploy GOREVERSE, a variant of GoReShell.

While it remains unclear whether the ultimate aim was solely to compromise SentinelOne or whether the attackers intended to pivot into downstream organizations, the pattern of access brokering followed by malware deployment points to a coordinated cyber espionage strategy.

As investigations continue, SentinelOne and other cybersecurity experts are urging organizations across sectors to tighten monitoring of their internet-facing servers, since the campaign began with reconnaissance scanning of exactly such systems, and to remain vigilant against similar state-backed threats.
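The campaign was first noticed as scanning against internet-facing servers, and the recommendation above is to watch those servers more closely. As an added example (not SentinelOne's tooling or code), the following Python detector parses web-server access logs in the common "combined" format, groups requests by source IP, and flags a source that probes many distinct paths with mostly error responses inside a short window. The log lines are constructed for illustration, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag reconnaissance-style scanning of an internet-facing web server.

Added example, not code from SentinelOne or from the article. It reads
Apache/nginx "combined" access-log lines, groups them per source IP, and
reports sources that request many distinct paths with a high error ratio
within a sliding time window. Sample lines and thresholds are constructed
assumptions for demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


@dataclass
class Finding:
    ip: str
    distinct_paths: int
    error_ratio: float
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> Request | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Request(m["ip"], ts, m["method"], m["path"], int(m["status"]), m["ua"])


def find_scanners(lines, window=timedelta(minutes=5), min_paths=8, min_error_ratio=0.6):
    """Return one Finding per source IP whose busiest window looks like a scan.

    A window qualifies when it contains at least `min_paths` distinct paths and
    at least `min_error_ratio` of the responses are 4xx/5xx. Thresholds are
    assumptions; legitimate crawlers can trip them and should be allow-listed.
    """
    by_ip: dict[str, list[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req:
            by_ip[req.ip].append(req)

    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        best = None
        j = 0
        for i in range(len(reqs)):
            # Advance j so reqs[i:j] is every request within `window` of reqs[i].
            while j < len(reqs) and reqs[j].ts - reqs[i].ts <= window:
                j += 1
            chunk = reqs[i:j]
            paths = {r.path for r in chunk}
            errors = sum(1 for r in chunk if r.status >= 400)
            ratio = errors / len(chunk)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                cand = Finding(ip, len(paths), round(ratio, 2), chunk[0].ts, chunk[-1].ts)
                if best is None or cand.distinct_paths > best.distinct_paths:
                    best = cand
        if best:
            findings.append(best)
    return findings


# Constructed sample: one probing source (203.0.113.7) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:03:14:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:04 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:07 +0000] "GET /api/v1/users HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:08 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:09 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:03:14:10 +0000] "GET /login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:03:20:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:03:20:01 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0"
198.51.100.20 - - [12/Jan/2025:03:20:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_scanners(SAMPLE_LOG.splitlines()):
        print(f"{f.ip}: {f.distinct_paths} paths, error ratio {f.error_ratio}, "
              f"{f.first_seen.isoformat()} .. {f.last_seen.isoformat()}")
```

The distinct-path count and error ratio are deliberately combined: a single vulnerability scanner usually fans out across many paths and collects mostly 404s, whereas a real user or a search crawler hits a few paths that exist. Pair findings from this detector with firewall or NetFlow data for the same source so that scanning seen here can be correlated with any later, successful access attempts.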
