Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers.
“We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees,” security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter said in an analysis published Monday.
PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15, which is also tracked as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
The adversarial collective has also been observed targeting an unnamed South Asian government-supporting entity in October 2024, employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell.
The implant, written in the Go programming language, repurposes an open-source tool called reverse_ssh to set up reverse SSH connections to endpoints under the attacker’s control.
“The use of ORB networks is a growing trend among these threat groups, since they can be rapidly expanded to create a dynamic and evolving infrastructure that makes tracking cyberespionage operations and their attribution challenging,” the researchers pointed out.
Further analysis has determined that the same South Asian government entity was also targeted previously in June 2024 with ShadowPad (aka PoisonPlug), a known backdoor widely shared among China-nexus espionage groups. ShadowPad is considered to be a successor to another backdoor referred to as PlugX.
That said, with ShadowPad also being used as a conduit to deliver ransomware in recent months, the exact motivation behind the attack remains unclear. The ShadowPad artifacts have been found to be obfuscated using a bespoke compiler called ScatterBrain.
The exact nature of the overlap between the June 2024 activity and the later PurpleHaze attacks is unknown as yet. However, it’s believed that the same threat actor could be behind them.
The ScatterBrain-obfuscated ShadowPad is estimated to have been employed in intrusions targeting over 70 organizations spanning manufacturing, government, finance, telecommunications, and research sectors after likely exploiting an N-day vulnerability in Check Point gateway devices.
One among the victims of these attacks included the organization that was then responsible for managing hardware logistics for SentinelOne employees. However, the cybersecurity firm noted that it found no evidence of a secondary compromise.
It’s not just China, for SentinelOne said it also observed attempts made by North Korea-aligned IT workers to secure jobs at the company, including its SentinelLabs intelligence engineering team, via approximately 360 fake personas and over 1,000 job applications.
Last but not least, ransomware operators have targeted SentinelOne and other enterprise-focused security platforms, attempting to gain access to their tools in order to evaluate the ability of their software to evade detection.
This is fuelled by an active underground economy that revolves around buying, selling, and renting access to such enterprise security offerings on messaging apps as well as forums like XSS[.]is, Exploit[.]in, and RAMP.
“Entire service offerings have emerged around this ecosystem, including ‘EDR Testing-as-a-Service,’ where actors can discreetly evaluate malware against various endpoint protection platforms,” the researchers explained.
“While these testing services may not grant direct access to full-featured EDR consoles or agents, they do provide attackers with semi-private environments to fine-tune malicious payloads without the threat of exposure – dramatically improving the odds of success in real-world attacks.”
One ransomware group that takes this threat to a whole new level is Nitrogen, which is believed to be run by a Russian national. Unlike typical approaches that involve approaching insiders or using legitimate credentials harvested from infostealer logs, Nitrogen adopts a different strategy by impersonating real companies.
This is achieved by setting up lookalike domains, spoofed email addresses, and cloned infrastructure that mimic legitimate companies, allowing the threat actor to purchase official licenses for EDR and other security products.
“This kind of social engineering is executed with precision,” the researchers said. “Nitrogen typically targets small, lightly vetted resellers – keeping interactions minimal and relying on resellers’ inconsistent KYC (Know Your Customer) practices to slip through the cracks.”
