Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
Essential information
- Published: 10/06/2025 08:22
- Modified: 10/06/2025 09:16
- Tags: 2025-06-10, CVE-2023-46747, CVE-2024-1709, CVE-2024-8190, CVE-2024-8963, apt15, backdoors, cyberespionage, goreshell, infrastructure, nailaolocker, nimbo-c2, obfuscation, reconnaissance, shadowpad, unc5174, vulnerabilities
- Related entities: 4 vulnerabilities (cve), 24 observables, 1 intrusion set (apt), 17 techniques (mitre), 5 malware, 6 others
Description
The research outlines China-nexus threat actors targeting SentinelOne and other organizations between 2024 and 2025. It details intrusions into an IT services company managing SentinelOne's hardware logistics and reconnaissance of SentinelOne's servers. The attacks involved ShadowPad malware and a cluster of activities dubbed PurpleHaze, which included the use of GOREshell backdoors and exploitation of vulnerabilities. Over 70 organizations worldwide were compromised in a broad ShadowPad operation. The threat actors employed sophisticated techniques like operational relay box networks and custom obfuscation methods. The research emphasizes the persistent threat posed by Chinese cyberespionage to various sectors, including cybersecurity vendors.