Chinese state-sponsored hackers launched sophisticated reconnaissance operations against cybersecurity giant SentinelOne’s infrastructure in October 2024, representing part of a broader campaign targeting over 70 organizations worldwide.
The previously undisclosed attacks, detailed in a comprehensive report released by SentinelLabs on June 9, 2025, demonstrate the persistent threat that China-nexus actors pose to the very companies tasked with defending global digital infrastructure.
The multi-faceted operation involved two distinct but related attack clusters that SentinelOne researchers have designated as PurpleHaze and ShadowPad activities.
These campaigns spanned from June 2024 through March 2025, targeting victims across manufacturing, government, finance, telecommunications, and research sectors globally.
Most notably, the attackers succeeded in compromising an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time, though SentinelOne’s own infrastructure remained secure.
SentinelOne analysts identified the reconnaissance activity almost immediately as threat actors began systematically probing multiple Internet-facing servers over port 443.
The company’s continuous monitoring capabilities enabled rapid detection of the suspicious connections, which originated from virtual private servers designed to masquerade as legitimate telecommunications infrastructure.
Investigators traced the activity to domains like tatacom.duckdns.org, deliberately crafted to appear as part of a major South Asian telecommunications provider’s network.
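The reconnaissance pattern described above (one source fanning out across several Internet-facing servers on port 443, from a VPS with a dynamic-DNS name that imitates a telecom operator) can be hunted for in ordinary perimeter logs. The following script is an added example and not SentinelOne's detection logic; the log lines are constructed, and the dynamic-DNS suffixes other than duckdns.org and the telecom-lookalike tokens are assumed lists a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of perimeter connection records (not real telemetry), one per line:
# timestamp  source IP  reverse-DNS name of source ("-" if none)  destination host  destination port
SAMPLE_LOG = """\
2024-10-15T09:01:12Z 203.0.113.10 tatacom.duckdns.org gw-01.example.net 443
2024-10-15T09:01:14Z 203.0.113.10 tatacom.duckdns.org gw-02.example.net 443
2024-10-15T09:01:15Z 203.0.113.10 tatacom.duckdns.org vpn.example.net 443
2024-10-15T09:01:17Z 203.0.113.10 tatacom.duckdns.org mail.example.net 443
2024-10-15T09:03:40Z 198.51.100.7 - www.example.net 443
2024-10-15T09:03:41Z 198.51.100.7 - www.example.net 443
2024-10-15T10:20:05Z 192.0.2.55 crawler.search-engine.example www.example.net 443
2024-10-15T10:20:09Z 192.0.2.55 crawler.search-engine.example gw-01.example.net 443
"""

# Dynamic-DNS suffixes under which a throwaway VPS can register any name it likes.
# duckdns.org is the provider named in the report; the rest are assumed additions.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Tokens that make a hostname look like a telecom operator (assumed list; "tata"
# mirrors the tatacom.duckdns.org lure named in the report).
TELCO_TOKENS = re.compile(r"tata|telecom|telco|mobile", re.I)


def parse_record(line):
    ts, src, rdns, dst, port = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "rdns": None if rdns == "-" else rdns.lower(),
        "dst": dst,
        "port": int(port),
    }


def is_dynamic_dns(name):
    return name is not None and any(
        name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES
    )


def find_probing_sources(log_text, min_servers=3, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources that touch at least `min_servers`
    distinct Internet-facing hosts on 443 within `window`; a dynamic-DNS or
    telecom-lookalike reverse name raises the finding's score."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if rec["port"] == 443:
                by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            servers = sorted({r["dst"] for r in in_window})
            if len(servers) < min_servers:
                continue
            rdns = first["rdns"]
            reasons = [f"{len(servers)} distinct servers on 443 within {window}"]
            score = 1
            if is_dynamic_dns(rdns):
                reasons.append(f"dynamic-DNS source name {rdns}")
                score += 1
            if rdns and TELCO_TOKENS.search(rdns):
                reasons.append("source name imitates a telecom operator")
                score += 1
            findings[src] = {"rdns": rdns, "servers": servers, "score": score, "reasons": reasons}
            break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, f in find_probing_sources(SAMPLE_LOG).items():
        print(src, f["score"], "; ".join(f["reasons"]))
```

The fan-out rule is what separates probing from a crawler or a customer: the search-engine host in the sample hits two servers and is ignored, while the duckdns.org host that touches four gateways inside a few seconds is scored on all three signals. Reverse-DNS is attacker-controlled for dynamic-DNS names, so it is used here only to raise a score, never to suppress a finding.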
The attackers demonstrated sophisticated operational security measures and advanced technical capabilities throughout their campaigns.
They employed previously unknown variants of the ShadowPad malware platform, a closed-source modular backdoor historically associated with Chinese cyberespionage groups.
Additionally, the threat actors utilized custom implementations of the GOREshell backdoor, which leverages reverse SSH functionalities to establish covert command and control channels.
The campaigns showed clear attribution markers linking them to suspected Chinese groups APT15 and UNC5174, with the latter assessed as a contractor for China’s Ministry of State Security.
ShadowPad Malware: Advanced Obfuscation and Evasion Techniques
The technical sophistication of the ShadowPad variant discovered in this campaign reveals the evolving capabilities of Chinese threat actors.
The malware sample, designated AppSov.exe, was obfuscated using a variant of ScatterBrain, an advanced evolution of the ScatterBee obfuscation mechanism that has been observed since 2022.
This obfuscation technique employs dispatcher routines that significantly alter control flow, making reverse engineering and detection extremely challenging.
The malware’s integrity-verification logic is notably intricate: it relies on multiple constant values, including 0x89D17427, 0x254733D6, 0x6FE2CF4E, and 0x110302D6, for runtime validation.
The decompiled integrity-checking routine (decompiler output as published in the report, with elided parts marked [...]) walks forward from the return address one byte at a time until it finds a 16-byte marker whose first dword equals each of the following three dwords XORed with a fixed constant:

```c
int64 check_integrity()
{
    [...]
    v1 = retaddr;                          /* start scanning at the caller's return address */
    do
    {
        v2 = *(_DWORD *)((char *)v1 + 5);  /* dword that will sit at v1+4 after the step below */
        v1 = (_DWORD *)((char *)v1 + 1);   /* advance one byte */
    }
    while ( *v1 != (v2 ^ 0xAC9647F1) || *v1 != (v1[2] ^ 0xE633BB69)
    || *v1 != (v1[3] ^ 0x98D276F1) );
    [...]
}
```

The loop has no upper bound, so it depends on an intact marker being present in the code that follows the call site; if any of the four dwords has been patched, the comparison fails at that offset and the scan runs past it.

The ShadowPad implementation uses DNS over HTTPS (DoH) for command-and-control communication, with news.imaginerjp.com and the IP address 65.38.120.110 observed as the contacted endpoints. DoH wraps the DNS query inside an HTTPS request (base64url-encoded in the GET form), so the looked-up domain never crosses the wire on port 53 and is invisible to monitoring that relies on conventional DNS traffic.
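To make the decompiled check_integrity() loop concrete, here is an added Python model of it (not code from the report or from the malware): it builds the marker the loop searches for, replicates the byte-stepping scan, and shows that a single flipped bit inside the marker makes the check miss it. The XOR constants are the three from the decompiled loop; the magic value and the code bytes are constructed for the example.

```python
import struct

# XOR constants taken from the decompiled check_integrity() loop.
K1, K2, K3 = 0xAC9647F1, 0xE633BB69, 0x98D276F1
MARKER_LEN = 16  # four little-endian dwords


def make_marker(magic):
    """Build the 16-byte pattern the loop searches for: M, M^K1, M^K2, M^K3."""
    return struct.pack("<4I", magic, magic ^ K1, magic ^ K2, magic ^ K3)


def find_marker(code, start=0):
    """Replicate the decompiled loop: step one byte at a time from `start` and
    stop at the first offset whose four dwords satisfy the XOR relations.
    The real routine has no upper bound; this version returns None at the end
    of the buffer instead of reading past it."""
    off = start
    while True:
        off += 1                       # the loop advances v1 before comparing
        if off + MARKER_LEN > len(code):
            return None
        m, a, b, c = struct.unpack_from("<4I", code, off)
        if m == a ^ K1 and m == b ^ K2 and m == c ^ K3:
            return off


def find_all_markers(data):
    """Analyst helper: list every offset in a file image that holds such a marker.
    The magic value differs per marker, so a fixed byte signature cannot do this,
    but the XOR relation between the four dwords can be scanned for."""
    hits, off = [], -1
    while (off := find_marker(data, off)) is not None:
        hits.append(off)
    return hits


def integrity_holds(code, return_addr):
    """Model of the check as far as the decompiled excerpt shows it: the code
    region reached from `return_addr` must still contain an intact marker."""
    return find_marker(code, return_addr) is not None


# Constructed stand-in for a code region: a NOP sled, the marker, then padding.
MAGIC = 0x11223344                     # arbitrary constructed magic value
CODE = b"\x90" * 7 + make_marker(MAGIC) + b"\xcc" * 9

_t = bytearray(CODE)
_t[7 + 5] ^= 0x01                      # flip one bit inside the marker's second dword
TAMPERED = bytes(_t)

if __name__ == "__main__":
    print("marker at", find_marker(CODE, 0))                 # 7
    print("intact:", integrity_holds(CODE, 0))               # True
    print("tampered:", integrity_holds(TAMPERED, 0))         # False
    print("all markers:", find_all_markers(CODE))            # [7]
```

Because the relation is between the four dwords rather than a fixed value, find_all_markers() is the practical way to locate every such anchor in an unpacked sample; once found, the surrounding bytes are a good place to look for the remainder of the validation logic that the published excerpt elides.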
The sample embeds three modules, two of them identified by the IDs 0x0A and 0x20, covering configuration data and operational capabilities such as data injection or theft.
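The DoH channel described above hides the queried name inside the HTTPS request, which is why a proxy log that records only the resolver's hostname reveals nothing. The following added example (not code from the report or the malware) builds an RFC 8484 GET-form DoH request for the reported C2 domain and then decodes the `dns` parameter back to the queried name, which is what a proxy or TLS-inspection point must do to apply DNS-based blocklists to DoH traffic. The resolver URL is an assumed placeholder.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_dns_query(qname, qtype=1, txid=0):
    """Minimal DNS wire-format query: 12-byte header (RD set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode() for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def doh_get_url(resolver_base, qname, qtype=1):
    """RFC 8484 GET form: base64url without padding, transaction id 0 so the
    request is cacheable. This is the shape a DoH-based C2 lookup takes on the wire."""
    wire = build_dns_query(qname, qtype=qtype, txid=0)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
    return f"{resolver_base}?dns={encoded}"


def decode_doh_dns_param(param):
    """Reverse the encoding and pull the question name and type out of the message."""
    padded = param + "=" * (-len(param) % 4)
    msg = base64.urlsafe_b64decode(padded)
    off, labels = 12, []
    while True:
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:
            raise ValueError("compressed name in a question section is not expected")
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype, _qclass = struct.unpack_from(">HH", msg, off)
    return ".".join(labels), qtype


def qname_from_url(url):
    """What a proxy needs: the DNS name behind a DoH GET request URL."""
    params = parse_qs(urlsplit(url).query)
    return decode_doh_dns_param(params["dns"][0])


if __name__ == "__main__":
    # Constructed resolver URL; news.imaginerjp.com is the domain named in the report.
    url = doh_get_url("https://doh.resolver.example/dns-query", "news.imaginerjp.com")
    print(url)
    print(qname_from_url(url))   # ('news.imaginerjp.com', 1)
```

The POST form (an `application/dns-message` body) carries the same wire-format message without base64, so an inspection point has to handle both; in either case the plaintext is only available after TLS termination, which is the operational cost that makes DoH attractive as a C2 transport.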
Deployment methods varied across the campaign: some variants were built as Windows DLLs that specific legitimate executables, vulnerable to DLL hijacking, would load in place of the expected library.
Those variants read their payload from an external file with an eight-character name and a .tmp extension (1D017DF2.tmp in the observed case), so that the malicious code runs inside a trusted, legitimately signed process and its activity blends in with that program’s normal behaviour.