
The reconnaissance activities targeting the American cybersecurity firm SentinelOne were part of a broader series of related intrusions that occurred between July 2024 and March 2025. According to researchers Aleksandar Milenkoski and Tom Hegel from SentinelOne, the intrusions affected over 70 organizations across various sectors, including a South Asian government entity and a European media organization.
The impacted sectors comprised manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics company, which was managing hardware logistics for SentinelOne’s personnel at the time of the breach, was also targeted.
SentinelOne has attributed this malicious activity to China-linked threat actors, particularly a group it tracks as PurpleHaze, which overlaps with the groups identified as APT15 and UNC5174. SentinelOne first disclosed PurpleHaze's reconnaissance attempts in April 2024, noting that they targeted servers that were intentionally exposed to the internet.
The attackers were primarily observed mapping these servers and probing their availability, likely as a precursor to possible future attacks. It remains uncertain whether their intent was solely to compromise the IT logistics organization or to extend their focus to other downstream organizations as well. Investigations into the attacks have revealed six distinct activity clusters, spanning June 2024 to the initial breaches in early 2025.
These clusters include:
- Activity A: An intrusion into a South Asian government entity in June 2024.
- Activity B: A series of global organizational intrusions from July 2024 to March 2025.
- Activity C: An early 2025 intrusion into an IT services and logistics firm.
- Activity D: A repeated intrusion into the aforementioned South Asian entity in October 2024.
- Activity E: Reconnaissance targeting SentinelOne servers in October 2024.
- Activity F: An intrusion into a prominent European media organization in late September 2024.
The June 2024 attack on the government entity reportedly involved the deployment of ShadowPad, a remote access tool, protected with techniques such as ScatterBrain obfuscation. The infrastructure used in this attack has been associated with recent campaigns delivering a ransomware variant known as NailaoLocker.
Subsequently, in October 2024, the government entity was targeted again to install a Go-based reverse shell named GoReShell. This backdoor had also been linked to attacks against the European media organization.
Notably, both of these activity clusters used tools developed by a group known as The Hacker’s Choice (THC), a notable instance of state-sponsored actors adopting such tools.
SentinelOne also tied Activity F to a China-aligned actor with connections to an “initial access broker” known as UNC5174. This group was previously linked to the exploitation of vulnerabilities in SAP NetWeaver. Activities D, E, and F are collectively classified under PurpleHaze.
The attackers leveraged operational relay box infrastructure based in China and exploited specific vulnerabilities to gain initial access before those vulnerabilities were publicly disclosed. Following these compromises, UNC5174 is suspected to have handed access to other threat actors, indicating a coordinated and well-planned series of cyber espionage activities.