216.73.217.22

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

· Published 10/06/2025 08:22 · Modified 10/06/2025 09:16

Export JSON

Essential information

Published
10/06/2025 08:22
Modified
10/06/2025 09:16
Tags
2025-06-10 CVE-2023-46747 CVE-2024-1709 CVE-2024-8190 CVE-2024-8963 apt15 backdoors cyberespionage goreshell infrastructure nailaolocker nimbo-c2 obfuscation reconnaissance shadowpad unc5174 vulnerabilities
Related entities
4 vulnerabilities (cve), 24 observables, 1 intrusion sets (apt), 17 techniques (mitre), 5 malware, 6 others

Description

The research outlines China-nexus threat actors targeting SentinelOne and other organizations between 2024 and 2025. It details intrusions into an IT services company managing SentinelOne's hardware logistics and of SentinelOne's servers. The attacks involved malware and a cluster of activities dubbed PurpleHaze, which included the use of and exploitation of . Over 70 organizations worldwide were compromised in a broad operation. The threat actors employed sophisticated techniques like operational relay box networks and custom methods. The research emphasizes the persistent threat posed by Chinese to various sectors, including cybersecurity vendors.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (4)

CVE-2024-8963 KEV
9.4 Critical

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …

Attack vector
Network
Published
19/09/2024
Modified
21/12/2025
Analyzed
CVE-2024-8190 KEV
7.2 High

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to …

Attack vector
Network
Published
13/09/2024
Modified
21/12/2025
Analyzed
CVE-2024-1709 KEV
10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector
Network
Published
22/02/2024
Modified
28/02/2026
CVE-2023-46747 KEV
9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector
Network
Published
31/10/2023
Modified
21/12/2025

Observables (24)

  • 65.38.120.110
  • 45.13.199.209
  • http://downloads.trendav.vip:443
  • http://45.13.199.209/rss/rss.php
  • http://downloads.trendav.vip/sentinelxdr.us
  • updata.dsqurey.com
  • tatacom.duckdns.org
  • notes.oossafe.com
  • news.imaginerjp.com
  • network.oossafe.com
  • mail.secmailbox.us
  • mail.ccna.organiccrap.com
  • epp.navy.ddns.info
  • dscriy.chtq.net
  • cloud.trendav.co
  • downloads.trendav.vip
  • trendav.vip
  • sentinelxdr.us
  • secmailbox.us
  • f32d1dbbce880ce57f0635ce3acebff1e2b0005480dde98956ba9eb903d9a393
  • f0746e78e49896dfa01c674bf2a800443b1966c54663db5c679bc86533352590
  • a547833df24967195d34eca193427b9e1afa04c4300e9d20c56ceb1041b131c7
  • 7ae31f517fc172a4924f9ee0321c2b013cd3836c97166dac4bcfc5c108d30596
  • 02a89e2fc574a8f965666f16fce5a248a4a1ec07b32e23cee38f3808d7bba3a0

Intrusion sets (APT) (1)

  • China-nexus threat actors
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:55 · Modified 21/12/2025 14:55

Techniques (MITRE) (17)

Malware (5)

  • NailaoLocker
    Family
    Published 21/07/2025 10:27 · Modified 21/07/2025 10:27
  • GOREshell
    Family
    Published 10/06/2025 08:22 · Modified 10/06/2025 08:22
  • POISONPLUG.SHADOW
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • ShadowPad - S0596
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • Nimbo-C2
    Family
    Published 10/06/2025 08:22 · Modified 10/06/2025 08:22

Others (6)

  • Technology
  • Media
  • Finance
  • Telecommunications
  • Government
  • Manufacturing

External references