Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS
SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and March 2025. Learn about the “PurpleHaze (aka Vixen Panda)” and “ShadowPad” operations and the persistent threats.
A new report from cybersecurity firm SentinelLABS has exposed a wide-reaching campaign of cyberattacks, strongly believed to originate from China. These activities, which took place from July 2024 to March 2025, were aimed at numerous organizations globally, including government agencies, media companies, and, notably, SentinelOne.
While the scale of the attacks was significant, SentinelLABS has confirmed that its own infrastructure remained uncompromised. Reportedly, in October 2024, SentinelLABS detected early probing activities targeting SentinelOne’s internet-accessible systems. This was part of a larger cluster of suspicious activities they named “PurpleHaze (aka Vixen Panda)”.
Later, in early 2025, SentinelLABS assisted in stopping a separate intrusion. This incident was connected to a broader operation called “ShadowPad” and impacted a company responsible for managing computer equipment for SentinelOne’s staff. In both scenarios, extensive checks by SentinelLABS confirmed that SentinelOne’s own network, software, and devices were not compromised.
The combined PurpleHaze and ShadowPad efforts did not stop there. They affected over 70 different organizations across the world, including a government entity in South Asia and a major European media organization. Beyond these, a wide array of businesses in manufacturing, finance, telecommunications, and research were also impacted.
Source: SentinelLABS
SentinelLABS has confidently linked these coordinated attacks to what they term “China-nexus threat actors.” These are groups suspected of having strong ties to the Chinese government’s spying programs. The investigation found connections between some PurpleHaze intrusions and well-known Chinese cyber espionage groups, specifically APT15 and UNC5174.
The hackers used a variety of advanced tools and techniques. A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access. Another tool from the GOREshell family, which includes reverse_ssh backdoor variants, was also deployed.
Infrastructure Overview (Source: SentinelLABS)
These groups frequently utilized Operational Relay Box (ORB) networks, a method that allows them to create a constantly changing network of control points, making their activities harder to track and identify.
They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. Furthermore, some attacks involved publicly available tools from The Hacker’s Choice (THC), a community of cybersecurity researchers.
Craig Jones, Vice President of Security Operations at Ontinue, a Redwood City, Calif.-based managed detection and response (MDR) provider, commented on the latest development, stating, “What SentinelOne is seeing now is classic China-nexus activity; it echoes exactly what was tracked during the Pacific Rim attacks when I led the defence activity at Sophos.”
“Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new; it’s a continuation of a well-honed strategy,” Craig added.
These detailed findings highlight the sophisticated and persistent nature of these state-sponsored operations and emphasize the critical need for constant monitoring across all sectors.
(Image by Monica Volpin from Pixabay)
Related news
ANSSI report details the Chinese UNC5174 linked Houken cyberattack using Ivanti zero-days (CVE-2024-8190, 8963, 9380) against the French government, defence and finance sector.
Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the
The security bugs were found susceptible to exploitation in connection to the previously disclosed, critical CVE-2024-8963 vulnerability in the security vendor's Cloud Services Appliance (CSA).
Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An
Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the
The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).
Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch
Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw.
Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows