
PurpleHaze Cyber Attack Targets SentinelOne and Its Customers


SentinelOne, a leading cybersecurity company, has uncovered a China-linked threat cluster called PurpleHaze that has conducted reconnaissance attacks on its infrastructure and some of its high-value customers.

In an analysis published Monday, SentinelOne researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter revealed that the threat actor, PurpleHaze, first emerged during a 2024 breach involving a company providing hardware logistics services for SentinelOne employees.

PurpleHaze is believed to be connected to another state-sponsored hacking group, APT15, which is also tracked by various names such as Flea, Nickel, Royal APT, Vixen Panda, and Nylon Typhoon. The group has been linked to multiple cyber-espionage activities, including targeting an unnamed South Asian government entity in October 2024.

This attack utilized a Windows backdoor called GoReShell, written in the Go programming language, which leveraged a reverse SSH connection to enable the attacker to control compromised endpoints.

PurpleHaze also used an operational relay box (ORB) network to help evade detection and attribution, further complicating efforts to track the group's activities. According to the researchers, this type of network is gaining popularity among espionage groups because of its dynamic nature, which allows attackers to expand their infrastructure quickly.

ShadowPad Backdoor and Ransomware Use

Further analysis revealed that the same government entity targeted in October 2024 had previously been attacked with ShadowPad (also known as PoisonPlug) in June 2024. This backdoor is known to be widely used by China-linked espionage groups and is considered a successor to PlugX. The ShadowPad tool has also recently been seen being repurposed for ransomware attacks, raising questions about the motivations behind these attacks.

Additionally, the ShadowPad malware used in these attacks was found to be obfuscated with a custom compiler called ScatterBrain. This ScatterBrain-obfuscated ShadowPad variant is believed to have compromised over 70 organizations across various sectors, including government, finance, telecommunications, and research.

Among the victims of these campaigns was the organization responsible for managing hardware logistics for SentinelOne. While SentinelOne confirmed that no secondary compromise of its infrastructure occurred, this incident highlights the growing cybersecurity threats faced by companies worldwide.

In addition to China-based cyber actors, SentinelOne also observed North Korea-aligned IT workers attempting to infiltrate the company by creating over 360 fake personas and submitting 1,000+ job applications. These efforts were part of broader espionage campaigns targeting high-tech companies.

Moreover, ransomware groups have also set their sights on enterprise security platforms, including SentinelOne, in an attempt to test their ability to bypass endpoint detection and response (EDR) tools. These efforts are fueled by the underground economy that thrives on buying, selling, and renting access to enterprise-level security platforms.

The Rise of “EDR Testing-as-a-Service”

A new underground offering known as EDR Testing-as-a-Service is also gaining traction in the criminal community. This service allows attackers to test their malicious payloads against different EDR platforms in semi-private environments, increasing the success rate of real-world cyberattacks. These platforms provide a critical testing ground where hackers can fine-tune their tools without exposing them to detection.

One ransomware group that has raised concerns is Nitrogen, believed to be operated by a Russian national. Unlike traditional tactics, Nitrogen uses sophisticated social engineering techniques to impersonate legitimate companies. The group sets up lookalike domains and spoofed email addresses to purchase official licenses for EDR and other security products, often exploiting the weak Know Your Customer (KYC) practices of small resellers.

This method enables Nitrogen to bypass security checks and gain access to critical security platforms, increasing the group’s chances of successfully bypassing protections.

As cybersecurity threats evolve, companies like SentinelOne must stay vigilant against state-sponsored espionage and ransomware groups employing new tactics. The growing use of EDR Testing-as-a-Service and social engineering tactics by ransomware operators highlights the need for continuous adaptation in the cybersecurity landscape.
