SentinelLABS has detailed a sophisticated reconnaissance operation targeting SentinelOne, a leading cybersecurity vendor, as part of a broader espionage campaign linked to China-nexus threat actors.
Tracked under the activity clusters PurpleHaze and ShadowPad, these operations spanned from July 2024 to March 2025, affecting over 70 organizations worldwide across sectors like government, media, manufacturing, finance, and telecommunications.
The report sheds light on a rarely discussed aspect of cyber threats: the deliberate targeting of cybersecurity vendors, who are high-value targets due to their protective roles and deep visibility into client environments.
SentinelLABS confirmed that despite the persistent efforts, SentinelOne’s infrastructure, software, and hardware assets remained uncompromised, thanks to robust monitoring and rapid response mechanisms.
The PurpleHaze cluster, active between September and October 2024, included reconnaissance activities against SentinelOne’s Internet-facing servers, alongside intrusions into a South Asian government entity and a European media organization.
Technical analysis revealed the use of the GOREshell backdoor, a variant of the open-source reverse_ssh tool, deployed with obfuscation techniques such as Garble and UPX packing.
Infrastructure overlaps, such as the shared C2 domain downloads.trendav[.]vip resolving to IP 142.93.214[.]219, linked these attacks to a China-operated Operational Relay Box (ORB) network, often associated with groups like APT15 and UNC5174, a suspected initial access broker for China’s Ministry of State Security.
The exploitation of zero-day vulnerabilities, including CVE-2024-8963 and CVE-2024-8190 in Ivanti Cloud Services Appliance, underscores the advanced capabilities of these actors, who gained footholds days before public disclosure.
Additionally, the ShadowPad malware, obfuscated with ScatterBrain, was deployed in a separate wave of attacks from June 2024 to March 2025, targeting global entities and an IT logistics provider linked to SentinelOne.
A notable instance involved the AppSov.exe sample, executed via PowerShell to download malicious payloads from compromised internal systems, highlighting the layered persistence and data exfiltration tactics employed.
According to the report, SentinelLABS also documented the use of publicly available tools like dsniff version 2.5a1 by The Hacker’s Choice community in these intrusions, marking a novel application in APT contexts.
The report emphasizes the strategic intent behind targeting cybersecurity firms, aiming to disrupt protective mechanisms and potentially access downstream entities.
By sharing detailed indicators of compromise (IOCs) and technical insights, SentinelLABS advocates for transparency and collaboration within the industry to counter such persistent threats.
The attribution to China-nexus actors with high confidence, combined with the reuse of private SSH keys across multiple campaigns, points to a coordinated and evolving threat landscape that demands constant vigilance and intelligence sharing.
| Type | Value | Note |
|---|---|---|
| SHA-1 Hash | f52e18b7c8417c7573125c0047adb32d8d813529 | ShadowPad (AppSov.exe) |
| Domain | downloads.trendav[.]vip | GOREshell C2 server |
| IP Address | 142.93.214[.]219 | GOREshell C2 server |
| URL | https[://]45.13.199[.]209/rss/rss.php | Exfiltration URL |
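As an added example (not from the SentinelLABS report), the defanged indicators above can be refanged and swept across DNS, firewall, proxy and EDR logs; the log lines below are constructed for illustration and the `scan_logs` helper is hypothetical.

```python
import re

# Indicators of compromise from the table above, kept in their defanged form.
IOCS = {
    "sha1": {"f52e18b7c8417c7573125c0047adb32d8d813529": "ShadowPad (AppSov.exe)"},
    "domain": {"downloads.trendav[.]vip": "GOREshell C2 server"},
    "ip": {"142.93.214[.]219": "GOREshell C2 server"},
    "url": {"https[://]45.13.199[.]209/rss/rss.php": "Exfiltration URL"},
}

def refang(value: str) -> str:
    """Turn a defanged indicator back into its live form for log matching."""
    return value.replace("[.]", ".").replace("[://]", "://")

def build_matchers():
    """Return (regex, indicator type, note) for every IOC in the table."""
    matchers = []
    for kind, table in IOCS.items():
        for value, note in table.items():
            live = refang(value)
            # Guard both ends so 142.93.214.219 does not match 142.93.214.2190
            # or a longer hash that merely contains the known one.
            pattern = re.compile(r"(?<![\w.])" + re.escape(live) + r"(?![\w.])", re.IGNORECASE)
            matchers.append((pattern, kind, note))
    return matchers

def scan_logs(lines):
    """Return (line_number, ioc_type, note) for each log line containing a known IOC."""
    hits = []
    matchers = build_matchers()
    for lineno, line in enumerate(lines, 1):
        for pattern, kind, note in matchers:
            if pattern.search(line):
                hits.append((lineno, kind, note))
    return hits

# Constructed sample log lines (not from the report): DNS, firewall, proxy and EDR events.
SAMPLE_LOGS = [
    "2024-10-02T08:14:03Z dns query client=10.0.5.21 qname=downloads.trendav.vip type=A",
    "2024-10-02T08:14:04Z fw allow src=10.0.5.21 dst=142.93.214.219 dport=443",
    "2024-10-02T08:20:11Z proxy GET https://45.13.199.209/rss/rss.php user=svc_backup",
    "2024-10-02T09:01:55Z edr process=AppSov.exe sha1=F52E18B7C8417C7573125C0047ADB32D8D813529",
    "2024-10-02T09:02:00Z dns query client=10.0.5.22 qname=updates.example.com type=A",
]

if __name__ == "__main__":
    for lineno, kind, note in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} -> {note}")
```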