SentinelOne Warns Cybersecurity Vendors of Chinese Attacks

SentinelOne has urged greater industry transparency and collaboration after warning that cybersecurity vendors represent a growing target for threat actors.
The cybersecurity vendor made the plea after revealing more information about two related operations it said were carried out by China-nexus actors.
The first, dubbed “PurpleHaze,” was linked to APT15 and UNC5174 and occurred in October 2024. APT15 (aka Ke3Chang and Nylon Typhoon) is a suspected Chinese cyber-espionage actor known for targeting critical infrastructure, while UNC5174 is described as an initial access broker and contractor for the Chinese government.
The attack took the form of “remote connections to internet-facing SentinelOne servers for reconnaissance,” the firm said.
SentinelOne added that other victims of the same campaign, including a South Asian government entity, were hit with the GOREshell backdoor and publicly available tools developed by security research community The Hacker’s Choice (THC). The actors also exploited the chained Ivanti zero-day vulnerabilities CVE-2024-8963 and CVE-2024-8190 for initial access.
“We track some of the infrastructure used in this intrusion as part of an operational relay box (ORB) network used by several suspected Chinese cyber-espionage actors, particularly a threat group that overlaps with public reporting on APT15,” the report continued.
“The use of ORB networks is a growing trend among Chinese threat groups, since they can be rapidly expanded to create a dynamic and evolving infrastructure that makes tracking cyber-espionage operations and their attribution challenging.”
The second intrusion attempt at SentinelOne was part of broader activity that took place between July 2024 and March 2025, impacting as many as 70 organizations worldwide.
Attributed to APT41, it deployed the ShadowPad backdoor platform, obfuscated by ScatterBrain, to target a SentinelOne supplier – an IT services and logistics company – in an attempted supply chain attack.
“We suspect that the most common initial access vector involved the exploitation of Check Point gateway devices, consistent with previous research on this topic,” SentinelOne said.
“We also observed communication to ShadowPad C2 servers originating from Fortinet Fortigate, Microsoft IIS, SonicWall, and CrushFTP servers, suggesting potential exploitation of these systems as well.”
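The observation above, that C2 traffic originated from gateways and servers (FortiGate, IIS, SonicWall, CrushFTP) that normally only accept inbound connections, is a pattern defenders can hunt for directly. The following is an added example, not SentinelOne's or any vendor's code: it scans constructed flow-log lines, flags server-role hosts that initiate outbound sessions to external addresses outside a per-role allowlist, and then reports destinations shared by several such hosts, since a single external address contacted by unrelated edge devices is the shape a common C2 server takes. The host names, roles, allowlist and IP addresses are all hypothetical.

```python
"""Egress-anomaly check for server-class hosts (added example, not SentinelOne's code).

Premise taken from the report: internet-facing gateways and servers accept
inbound connections and make only a small, predictable set of outbound ones
(vendor updates, DNS, NTP). A server-role host opening new outbound sessions
to unfamiliar external addresses is the signal worth reviewing.
All host names, roles, IPs and log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: role per host. Workstations browse the internet
# legitimately, so only server/gateway roles are evaluated.
SERVER_ROLES = {
    "fw-edge-01": "gateway",
    "web-iis-02": "webserver",
    "ftp-crush-01": "fileserver",
    "wks-alice": "workstation",
}

# Constructed allowlist of expected outbound destinations per role (e.g. a
# vendor update host). In practice this is derived from a baseline period.
EXPECTED_EGRESS = {
    "gateway": {"203.0.113.10"},    # hypothetical vendor update server
    "webserver": {"203.0.113.20"},  # hypothetical origin/CDN sync endpoint
    "fileserver": set(),
}

# Constructed internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow-log lines: "<ts> <host> <IN|OUT> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = [
    "2025-03-01T10:00:01Z fw-edge-01 OUT 203.0.113.10 443 tcp",   # allowlisted update
    "2025-03-01T10:00:02Z fw-edge-01 OUT 198.51.100.7 443 tcp",   # unexpected egress
    "2025-03-01T10:00:03Z web-iis-02 IN 198.51.100.50 443 tcp",   # inbound, normal for IIS
    "2025-03-01T10:00:04Z web-iis-02 OUT 10.0.0.5 389 tcp",       # internal LDAP, ignored
    "2025-03-01T10:00:05Z web-iis-02 OUT 198.51.100.7 8443 tcp",  # unexpected egress
    "2025-03-01T10:00:06Z wks-alice OUT 198.51.100.99 443 tcp",   # workstation, ignored
    "2025-03-01T10:00:07Z ftp-crush-01 OUT 198.51.100.7 443 tcp", # unexpected egress
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line into its fields."""
    ts, host, direction, dst, port, proto = line.split()
    return {"ts": ts, "host": host, "direction": direction,
            "dst": dst, "port": int(port), "proto": proto}


def suspicious_egress(lines):
    """Return {host: [(dst_ip, dst_port), ...]} for server-role hosts that
    initiated outbound connections to external, non-allowlisted addresses."""
    findings = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        role = SERVER_ROLES.get(f["host"])
        if role in (None, "workstation") or f["direction"] != "OUT":
            continue
        if is_internal(f["dst"]) or f["dst"] in EXPECTED_EGRESS.get(role, set()):
            continue
        findings[f["host"]].append((f["dst"], f["port"]))
    return dict(findings)


def shared_destinations(findings, min_hosts=2):
    """Group flagged destinations contacted by at least `min_hosts` distinct
    server-role hosts; one address reached by unrelated edge devices is the
    shape a shared C2 server takes."""
    by_dst = defaultdict(set)
    for host, conns in findings.items():
        for dst, _port in conns:
            by_dst[dst].add(host)
    return {dst: sorted(hosts) for dst, hosts in by_dst.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    flagged = suspicious_egress(SAMPLE_FLOWS)
    for host, conns in flagged.items():
        print(f"{host}: unexpected egress to {conns}")
    for dst, hosts in shared_destinations(flagged).items():
        print(f"{dst} contacted by {len(hosts)} server-role hosts: {hosts}")
```

The allowlist is deliberately per role rather than per host: gateways, web servers and file servers each have a different legitimate egress profile, and mixing them into one global list is how a new C2 address slips in as "already seen somewhere". The shared-destination step is what turns three isolated alerts into the single finding the report describes, traffic from several unrelated device types converging on one external server.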
A Warning for the Security Industry
The security vendor urged its peers to be alert to similar attacks.
“The activities detailed in this research reflect the strong interest these actors have in the very organizations tasked with defending digital infrastructure,” it concluded.
“Our findings underscore the critical need for constant vigilance, robust monitoring, and rapid response capabilities.”
Craig Jones, VP of security operations at Ontinue, said the activity described in the report presented as classic China-nexus activity.
“It echoes exactly what was tracked during the Pacific Rim attacks when I led the defense activity at Sophos,” he added.
“Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new – it’s a continuation of a well-honed strategy.”