
SentinelOne Exposes Long-Running Chinese Espionage Campaign Targeting Its Infrastructure

SentinelOne, a prominent cybersecurity firm, has uncovered a sophisticated espionage campaign linked to Chinese state-sponsored actors, targeting its infrastructure and high-value clients. This revelation highlights the ongoing threat posed by advanced persistent threat (APT) groups and the need for enhanced cybersecurity measures across industries.


Key Takeaways

  • SentinelOne identified a threat cluster named PurpleHaze, linked to APT15, targeting its infrastructure.

  • The campaign has been ongoing for over a decade, with tactics including malware deployment and supply chain exploitation.

  • No direct compromise of SentinelOne’s systems was detected, but third-party providers were targeted.

  • The findings underscore the importance of real-time supply chain monitoring and threat intelligence sharing.

Overview Of The PurpleHaze Threat Cluster

SentinelOne's research arm, SentinelLabs, first detected the PurpleHaze threat cluster during a 2024 intrusion against a logistics provider that managed hardware for SentinelOne employees. This group is believed to have connections to APT15, also known as Nylon Typhoon, which has a history of targeting critical sectors such as telecommunications, IT, and government entities.

The PurpleHaze group routes its activity through a dynamic infrastructure known as an Operational Relay Box (ORB) network, which complicates attribution and gives the operators flexible, disposable infrastructure. The group uses several malware families, including GoReShell, a backdoor that establishes reverse SSH connections to maintain persistent access.

ShadowPad Intrusions And Supply Chain Risks

In addition to PurpleHaze, SentinelLabs discovered related activities involving ShadowPad, a modular backdoor frequently used by Chinese threat actors. Between June 2024 and March 2025, over 70 organizations across various sectors fell victim to ShadowPad variants, often exploiting vulnerabilities in Check Point gateway devices.

The targeting of a logistics provider for SentinelOne employees raises concerns about the fragility of supply chains and the potential for indirect attacks on high-value targets. While no evidence of a secondary compromise of SentinelOne’s infrastructure was found, the incident highlights how nation-state actors exploit third-party vulnerabilities to gain access to their primary targets.

Aoqin Dragon: A Long-Term Espionage Actor

Another significant finding from SentinelOne's research is the identification of a threat actor known as Aoqin Dragon, which has been active since 2013. This group primarily targets government, education, and telecommunications organizations in Southeast Asia and Australia. Their tactics include using document exploits and fake removable devices to gain initial access to systems.

Aoqin Dragon's operations have evolved over the years, employing various techniques such as DLL hijacking and DNS tunneling to evade detection. Their focus on espionage aligns with the strategic interests of the Chinese government, making them a persistent threat in the region.

The Need For Enhanced Cybersecurity Measures

The revelations from SentinelOne serve as a stark reminder of the ongoing threats posed by state-sponsored cyber actors. As these groups continue to refine their tactics and expand their operational capabilities, organizations must prioritize real-time monitoring and threat intelligence sharing to mitigate risks.

SentinelOne advocates for integrating threat-aware metadata into asset inventories and enhancing threat modeling to address upstream risks. The cybersecurity landscape is evolving, and collective defense strategies are essential to counter the sophisticated tactics employed by adversaries.

As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt with the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!

Sources

  • China-Linked Hackers Targeting Organizational Infrastructure and High-Value Clients, GBHackers News.

  • Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years, SentinelOne.

  • SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients, The Hacker News.
