Security
Headlines
HeadlinesLatestCVEs

Headline

Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and…

HackRead
#vulnerability#ios#backdoor#ssh

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and March 2025. Learn about the “PurpleHaze (aka Vixen Panda)” and “ShadowPad” operations and the persistent threats.

A new report from cybersecurity firm SentinelLABS has exposed a wide-reaching campaign of cyberattacks, strongly believed to originate from China. These activities, which took place from July 2024 to March 2025, were aimed at numerous organizations globally, including government agencies, media companies, and, notably, SentinelOne.

While the scale of the attacks was significant, SentinelLABS has confirmed that its own infrastructure remained uncompromised. Reportedly, in October 2024, SentinelLABS detected early probing activities targeting SentinelOne’s internet-accessible systems. This was part of a larger cluster of suspicious activities they named PurpleHaze (aka Vixen Panda)“.

Later, in early 2025, SentinelLABS assisted in stopping a separate intrusion. This incident was connected to a broader operation called “ShadowPad” and impacted a company responsible for managing computer equipment for SentinelOne’s staff. In both scenarios, extensive checks by SentinelLABS confirmed that SentinelOne’s own network, software, and devices were not compromised.

The combined PurpleHaze and ShadowPad efforts did not stop there. They affected over 70 different organizations across the world, including a government entity in South Asia and a major European media organization. Beyond these, a wide array of businesses in manufacturing, finance, telecommunications, and research were also impacted.

Source: SentinelLABS

SentinelLABS has confidently linked these coordinated attacks to what they term “China-nexus threat actors.” These are groups suspected of having strong ties to the Chinese government’s spying programs. The investigation found connections between some PurpleHaze intrusions and well-known Chinese cyber espionage groups, specifically APT15 and UNC5174.

The hackers used a variety of advanced tools and techniques. A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access. Another tool, part of the GOREshell family, which includes reverse_ssh backdoor variants were also deployed.

Infrastructure Overview (Source: SentinelLABS)

These groups frequently utilized Operational Relay Box (ORB) networks, a method that allows them to create a constantly changing network of control points, making their activities harder to track and identify.

They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. Furthermore, some attacks involved publicly available tools from The Hacker’s Choice (THC), a community of cybersecurity researchers.

Craig Jones, Vice President of Security Operations at Ontinue, a Redwood City, Calif.-based managed detection and response (MDR) provider commented on the latest development stating, What SentinelOne is seeing now is classic China-nexus activity, it echoes exactly what was tracked during the Pacific Rim attacks when I led the defence activity at Sophos.

“Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new, it’s a continuation of a well-honed strategy, Craig added.

These detailed findings highlight the sophisticated and persistent nature of these state-sponsored operations and emphasize the critical need for constant monitoring across all sectors.

(Image by Monica Volpin from Pixabay)

Related news

China Linked Houken Hackers Breach French Systems with Ivanti Zero Days

ANSSI report details the Chinese UNC5174 linked Houken cyberattack using Ivanti zero-days (CVE-2024-8190, 8963, 9380) against the French government, defence and finance sector.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.

Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

3 More Ivanti Cloud Vulns Exploited in the Wild

The security bugs were found susceptible to exploitation in connection to the previously disclosed, critical CVE-2024-8963 vulnerability in the security vendor's Cloud Services Appliance (CSA).

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated

Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An

Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An

Third Ivanti Bug Comes Under Active Exploit, CISA Warns

Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.

Third Ivanti Bug Comes Under Active Exploit, CISA Warns

Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.

CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the

CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the

Ivanti's Cloud Service Appliance Attacked via Second Vuln

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Ivanti's Cloud Service Appliance Attacked via Second Vuln

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch

Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch

Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised

Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw.

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

HackRead: Latest News

Cisco Issues Emergency Fix for Critical Root Credential Flaw in Unified CM