This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

• In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
• At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
• A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
• The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.
• We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174.
• This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.

• An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector.
• Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions.
• The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot.
• In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload.
• The campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and Vulnerability Intelligence customers) on vulnerable Check Point Security Gateways.
  IoCs and Yara rules can be found on our dedicated GitHub page here.

This post explores some of the TTPs employed by a threat actor who was observed deploying ShadowPad during an incident response engagement.

Governments and state-owned organizations are the latest targets of a well-established threat actor.
A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries. The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.