Third-Party Risk Management, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Intrusion Linked to ShadowPad Malware Used by Chinese APT Groups

SentinelOne, a prominent cybersecurity firm, reported a suspected intrusion by Chinese cyber attackers targeting a logistics company that supplies hardware to its employees. Notably, there has been no indication that this breach extended to SentinelOne’s own corporate network.
In a statement, the firm indicated the targeted logistics operation was first flagged during reconnaissance activities in October, associated with a group dubbed PurpleHaze. This was followed by a significant breach earlier this year of the logistics firm’s IT systems, which are integral to delivering hardware logistics for SentinelOne’s workforce.
Following the breach, SentinelOne conducted a thorough investigation of its infrastructure and assets, confirming that “no evidence of compromise” was found. The same attackers may have employed similar methods against a South Asian government entity providing IT solutions in mid-2024 and further targeted a large European media organization in the fall of the same year. In total, over 70 organizations were affected by a series of attacks stretching from July 2024 to March.
All recorded attacks are believed to have involved ShadowPad malware, a sophisticated backdoor that is reportedly supplied exclusively to Chinese attack groups, according to various research sources. “It is unclear if the main objective was solely to intrude upon the logistics provider or to extend those efforts to other linked organizations,” SentinelOne noted, emphasizing the continuing threat posed by suspected Chinese state-backed actors.
Evidence of an uptick in ShadowPad-related assaults aligns with trends shared by other cybersecurity firms. Darktrace observed a marked increase in such attacks between April and November 2024. The methods often included exploiting Check Point VPN credentials to access networks before deploying ShadowPad through domain controllers — sometimes leading to substantial data breaches.
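The pattern described above, valid VPN credentials used for entry and domain controllers used as the deployment point, lends itself to a simple correlation rule: a successful VPN login followed within a short window by a privileged change on a domain controller under the same account. The following is an added example written for this page; it is not code from the article, SentinelOne or Darktrace. The log format, host names, user names, event names, the per-user baseline of previously seen source addresses and the six-hour window are all constructed assumptions for illustration.

```python
"""Correlate successful VPN logins with later privileged actions on domain controllers.

Added example, not from the article or any vendor. Log lines, host names,
user names, event names and the baseline of known source IPs are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (one event per line, key=value fields).
VPN_LOG = """\
2024-09-03T07:58:12Z vpn user=alice src=203.0.113.10 result=success
2024-09-03T22:41:07Z vpn user=bob src=198.51.100.77 result=success
2024-09-03T22:43:55Z vpn user=carol src=203.0.113.22 result=failure
2024-09-04T01:12:30Z vpn user=dave src=203.0.113.40 result=success
"""

# Constructed sample domain controller event log.
DC_LOG = """\
2024-09-03T09:15:00Z host=dc01 user=alice event=logon
2024-09-03T23:02:11Z host=dc01 user=bob event=service_installed name=msupdate
2024-09-04T06:30:00Z host=dc02 user=bob event=logon
2024-09-04T10:00:00Z host=dc02 user=dave event=service_installed name=backup
"""

# Assumptions: which hosts are domain controllers, which DC events count as
# privileged changes, how long after a VPN login we still consider them linked,
# and which source addresses each user has been seen from before.
DC_HOSTS = {"dc01", "dc02"}
PRIVILEGED_EVENTS = {"service_installed", "scheduled_task_created"}
WINDOW = timedelta(hours=6)
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.15"},
    "dave": {"203.0.113.40"},
}


def parse_kv_lines(text):
    """Parse 'TIMESTAMP token key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
        events.append(rec)
    return events


def correlate(vpn_events, dc_events, known_ips, window=WINDOW):
    """Return alerts for privileged DC changes that follow a VPN login by the same user.

    Severity is 'high' when the VPN source address is not in the user's baseline,
    'medium' when it is (a known address can still be a stolen credential).
    """
    alerts = []
    for vpn in vpn_events:
        if vpn.get("result") != "success":
            continue
        for dc in dc_events:
            if dc.get("user") != vpn.get("user"):
                continue
            if dc.get("host") not in DC_HOSTS or dc.get("event") not in PRIVILEGED_EVENTS:
                continue
            delta = dc["ts"] - vpn["ts"]
            if timedelta(0) <= delta <= window:
                new_source = vpn["src"] not in known_ips.get(vpn["user"], set())
                alerts.append({
                    "user": vpn["user"],
                    "vpn_src": vpn["src"],
                    "vpn_ts": vpn["ts"].isoformat(),
                    "host": dc["host"],
                    "event": dc["event"],
                    "minutes_after_login": int(delta.total_seconds() // 60),
                    "severity": "high" if new_source else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_kv_lines(VPN_LOG), parse_kv_lines(DC_LOG), KNOWN_IPS):
        print(alert)
```

On the constructed input only `bob` is flagged: a login from an address never seen for that account, followed 21 minutes later by a service installation on `dc01`. `dave` performs the same kind of change but more than six hours after logging in, and `alice` only logs on, so neither raises an alert. In practice the window, the baseline and the list of privileged events would come from the organisation's own telemetry rather than the constants above.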
Trend Micro further elaborated on two distinct cases indicating ShadowPad infections within European organizations in late 2024, linking these to a single group that has primarily targeted entities in Europe, Asia, and other regions. They identified manufacturing as a common sector among the affected organizations.
ShadowPad is characterized as a modular malware platform that can function as a remote access Trojan, granting cybercriminals sustained access to compromised networks. Its capabilities also include keylogging, screenshot capture, and file retrieval, all while employing obfuscated code to evade detection.
Collaborative investigations suggest that the malware’s development likely originated from the notorious hacking group APT41, which has provided tools not only for espionage but also for financially motivated cybercrimes. The intricacies of the hacking landscape underscore the critical need for businesses to remain vigilant against evolving threats, particularly those emanating from state-sponsored entities.