75+ global orgs hit by suspected Chinese spy crew • The Register


An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.

SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered these new clusters of malicious activity when the suspected Chinese spies tried to break into SentinelOne’s own servers in October.

“We tend to prioritize China, and seeing them start to poke at our own products, our own infrastructure, that immediately raises the red flag for us,” SentinelOne threat researcher Tom Hegel told The Register in a phone interview. While the attempted SentinelOne intrusion was unsuccessful, being the target of a Chinese reconnaissance campaign led the threat hunters into a deeper analysis of the broader campaign and malware used.

“We started to hunt for it globally, look at their infrastructure and identify those other victims,” Hegel said.

Hegel and co-author Aleksandar Milenkoski detailed their findings in a report they shared with The Register ahead of its publication on Monday. In that report, they describe a series of intrusions between July 2024 and March 2025 involving ShadowPad malware and post-exploitation espionage activity that SentinelOne has dubbed “PurpleHaze.” And they’re blaming China.

“We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174,” they wrote in the report.

APT15, also known as Ke3Chang and Nylon Typhoon, is a suspected Chinese cyberspy crew that targets telecommunications, IT services, government and other critical sectors.

UNC5174 is a cyberspy crew or individual with ties to China’s Ministry of State Security that was spotted as recently as April infecting global organizations for espionage and access resale campaigns.

‘Pre-positioning for conflict’

SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.

Additionally, the security outfit’s research uncovered a September 2024 intrusion into a “leading European media organization.”

It’s a broad range of victims, but they all share one thing in common: they represent strategic targets as China prepares for war of the cyber or kinetic variety.

“Ultimately, this ties back to pre-positioning for conflict,” Hegel said.

SentinelOne, as a security vendor for government and critical infrastructure organizations, makes an attractive starting point for a supply-chain attack along the lines of what Russian spies did to Mandiant during the SolarWinds fiasco.

“They might be going after government organizations for more direct espionage,” Hegel said. “And then major global media organizations — maybe it’s silencing certain topics or disrupting them for reporting on certain things. If they are sitting on their adversaries’ networks — media organizations, or government entities or their defense companies — they are able to flip a switch if conflict were to occur.”

Shining a light on ShadowPad

After SentinelOne spotted the spies poking around its own infrastructure, a South Asian government entity that provides IT services and infrastructure to customers across multiple sectors hired the company to respond to a breach of its systems.

“That was interesting, because that compromise was related to this whole thing,” Hegel said.

During that investigation, the security analysts determined the break-in occurred in June 2024, and retrieved a malware sample that turned out to be ShadowPad, a privately sold backdoor used by multiple China-aligned attackers for espionage. The ShadowPad sample was obfuscated using a variant of ScatterBrain, which Google’s Threat Intelligence Group has attributed to groups associated with the suspected Chinese actor APT41.

This ShadowPad malware sample helped SentinelLABS to identify other victims, which indicated a much larger campaign taking place between July 2024 and March 2025.

Meanwhile, in early October 2024, SentinelLABS observed a different attacker compromising the same South Asian government entity that had been breached in June.

The analysts tracked some of the infrastructure used in this attack to an operational relay box (ORB) network used by several suspected Chinese cyberspy groups, in particular one that overlaps with APT15 (aka Ke3Chang and Nylon Typhoon).

Once the intruders had broken in, they deployed publicly available backdoors that belong to the GOREVERSE family, which Mandiant has linked to UNC5174.

The intruders gained initial access by chaining two critical Ivanti bugs, CVE-2024-8963 and CVE-2024-8190, days before they were publicly disclosed.

In January, CISA and the FBI released a joint security advisory warning that unnamed miscreants had exploited the two Ivanti flaws in September 2024, explaining that the two bugs could allow an attacker to bypass admin authentication and pass commands to the OS.

Two months later, the French Cybersecurity Agency (ANSSI) released a 2024 cyber-threat overview that also detailed the September 2024 intrusions involving the same Ivanti vulnerabilities, and this report showed overlap between those breaches and tactics linked to UNC5174.

The SentinelLABS team is tracking the second intrusion into the South Asian government entity, along with the reconnaissance attempts against its own servers and the European media company break-in, as part of the PurpleHaze threat cluster.

“While we attribute PurpleHaze with high confidence to China-nexus threat actors, investigations continue to determine the specific threat groups behind the activities and their potential links to the June 2024 and later ShadowPad intrusions,” the researchers wrote.

By the way, that victim count of 75 may actually be at the “lower end of what’s truly active out there,” Hegel told us. “We know, over the last couple of weeks, there have been new organizations that have been compromised by this as well.” ®
