From Recon to Supply Chain: Targeted Operations Against SentinelOne Infrastructure

Published Date: June 10, 2025
Category: ShadowOpsIntel
Share:

Between July 2024 and March 2025, SentinelLABS, observed and investigated a series of targeted intrusions and reconnaissance activities attributed to China-nexus cyberespionage groups. These campaigns, tracked under the ShadowPad and PurpleHaze clusters, represent persistent and strategic efforts to compromise high-value targets, including cybersecurity vendors like SentinelOne.

Severity Level: Critical

Incident Details

Reconnaissance Against SentinelOne

  • Timeframe: October 2024
  • Type: Remote reconnaissance (Activity E)
  • Target: SentinelOne’s Internet-facing infrastructure
  • Outcome: No breach occurred; attackers were detected early
  • Goal: To evaluate accessible systems and identify weak points for potential future exploitation

Supply Chain Compromise Attempt

  • Timeframe: Early 2025
  • Entity Affected: An organization managing hardware logistics for SentinelOne employees
  • Method: Intrusion using ShadowPad malware
  • Outcome: Attack was identified and mitigated; SentinelOne was not breached

These activities were part of a broader operational campaign that involved:

  • An initial compromise of a South Asian government entity (June & October 2024)
  • Intrusion into a European media organization (September 2024)
  • Over 70 organizations impacted globally across sectors

Threat Group Attribution

ShadowPad Cluster

  • Malware Used: ShadowPad (modular backdoor), obfuscated with ScatterBrain and ScatterBee variants
  • Attribution: Strong links to APT41 and other China-nexus groups
  • Campaign Traits:
    • Used for espionage, credential harvesting, and backdoor persistence
    • Previously sold privately to Chinese actors
    • Infrastructure overlaps with publicly reported campaigns

PurpleHaze Cluster

  • Tools Used: GOREshell (reverse SSH backdoor), THC community tools, GOREVERSE malware
  • Attribution:
    • Infrastructure overlaps with APT15 (Ke3Chang / Nylon Typhoon)
    • Links to UNC5174, a suspected MSS contractor
  • Target Sectors: Government, media, logistics, cybersecurity
  • Notable Tactics: ORB (Operational Relay Box) network usage, DLL hijacking, SSH tunneling, Linux and Windows cross-platform implants

Attack Flow

ShadowPad Chain (Activity A, B, C)

  • Initial Access and Execution:
    • PowerShell scripts download and execute AppSov.exe
    • Nimbo-C2 agent and PowerShell exfiltration scripts used
    • Sensitive files exfiltrated to: https[://]45.13.199[.]209/rss/rss.php
  • Persistence & C2:
    • ShadowPad configured to communicate over DNS-over-HTTPS to evade detection
    • C2 domains: news.imaginerjp[.]com, dscriy.chtq[.]net

PurpleHaze Chain (Activity D, E, F)

  • Vulnerabilities exploited: CVE-2024-8963, CVE-2024-8190 (Ivanti), CVE-2023-46747, CVE-2024-1709
  • Deployment of webshells and THC tooling
  • Deployed GOREshell backdoors (on both Windows and Linux)
  • Used glib-2.0.dll via DLL hijacking in VMWare software
  • SSH over WebSocket to: downloads.trendav[.]vip, 107.173.111[.]26
  • Recon activities to map SentinelOne’s internet-exposed infrastructure
  • DNS record mimicry using sentinelxdr[.]us and secmailbox[.]us

Recommendations

  1. Ensure Ivanti, F5, Check Point, Fortinet, SonicWall, and CrushFTP appliances are updated with the latest security patches.
  2. Implement detection rules to identify PowerShell invoking curl.exe to download executables (e.g., AppSov.exe) to directories like C:\ProgramData. Flag such behavior for immediate investigation as it often indicates malware staging via remote access tools.
  3. Monitor Windows services such as VGAuthService.exe for DLL loading from directories containing unsigned files (e.g., glib-2.0.dll).
  4. Continuously monitor /usr/lib/systemd/system/ for newly created or modified .service files that reference executables like snapd or update-notifier. Alert on any unauthorized or anomalous .service creation by non-root users or from unverified sources.
  5. Alert on outbound curl usage where:
    – POST requests are made
    – Destination domains contain .php endpoints (e.g., /rss/rss.php)
    – Known C2 IPs like 45.13.199[.]209 are used
  6. Scan for new .php files in webroot directories containing system-level commands (e.g., system(‘/bin/sudo’)).
  7. Watch for execution of tools associated with The Hacker’s Choice (THC), such as: dsniff, mcl, or clear13. Leverage known hashes and behavioral signatures to flag these tools even if renamed.
  8. Enable detection of WebSocket traffic (wss://) over port 443 to known malicious C2 IPs/domains such as downloads.trendav[.]vip or 107.173.111[.]26.
  9. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/c61d33dab838b4a63a6b71edd2f40bed614aa9ae9e5b8ced340e00c829d4ceff/iocs

Source:

  • https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
  • https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/
  • https://gbhackers.com/new-report-reveals-chinese-hackers-attempted-to-breach/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert