A recent report from SentinelLABS reveals extensive cyber espionage operations linked to China, affecting more than 70 global organizations and cybersecurity firms from July 2024 to March 2025. The findings highlight the “PurpleHaze (also known as Vixen Panda)” and “ShadowPad” operations, underscoring the ongoing threat landscape.
According to the cybersecurity analysis provided by SentinelLABS, a significant wave of cyberattacks attributed to Chinese actors has targeted a diverse range of entities worldwide, including governmental bodies, media organizations, and notably, the cybersecurity firm SentinelOne. The investigation spans from July 2024 through March 2025, marking a concentrated period of these malicious activities.
Despite the scale of these assaults, SentinelLABS confirmed that SentinelOne's own infrastructure remained secure. In October 2024, the firm identified reconnaissance attempts against SentinelOne's internet-facing systems, which it later tied to the larger PurpleHaze campaign; the probing was detected rather than discovered after the fact.
As the situation evolved into early 2025, SentinelLABS helped thwart a separate intrusion connected to the ShadowPad operation. That incident affected a vendor responsible for supplying computer hardware to SentinelOne employees, a supply-chain exposure rather than a direct breach. Examination by SentinelLABS confirmed that SentinelOne's core network and associated devices were not infiltrated.
The combined operations of PurpleHaze and ShadowPad were not limited to a single sector; they encompassed over 70 organizations across various industries globally. Targets included a governmental entity in South Asia and a major European media outlet, alongside businesses spanning manufacturing, finance, telecommunications, and research sectors.
SentinelLABS has characterized these coordinated attacks with confidence as the work of "China-nexus threat actors," believed to be closely associated with state-sponsored espionage initiatives. The report links some PurpleHaze intrusions to known Chinese cyber threat groups, specifically APT15 and UNC5174, strengthening the attribution.
The operators deployed a range of advanced tools, most prominently ShadowPad, described as a "closed-source modular backdoor platform" frequently used by these affiliated groups for remote access and intelligence gathering. Variants from the GOREshell family, including reverse SSH backdoor tools, were also listed among the tooling used in these attacks.
The attackers employed Operational Relay Box (ORB) networks to build a dynamic, frequently changing set of control points, which complicates detection and infrastructure-based analysis because blocking or tracking individual addresses offers little lasting value. Exploitation of software vulnerabilities, such as CVE-2024-8963 and CVE-2024-8190, was another notable aspect of these operations, with some vulnerabilities exploited before public disclosure. The attackers also used publicly available tools from community-driven cybersecurity resources.
Craig Jones, Vice President of Security Operations at Ontinue, commented on the ongoing activity, noting its alignment with historical China-linked tactics observed during previous incidents. He emphasized the hallmark characteristics of these campaigns: targeted operations, stealthy implants on edge devices, and a concerted focus on long-term access to critical infrastructure—indicating a sustained strategy rather than a novel approach.
The SentinelLABS findings underscore the sophistication of these state-sponsored cyber operations and the importance of vigilant monitoring, including of edge devices and third-party vendors, and robust cybersecurity frameworks across all sectors.