A sophisticated state-sponsored Chinese hacking group linked to APT15 and UNC5174 conducted an extensive eight-month cyber espionage campaign targeting more than 70 high-value organizations worldwide, including multiple unsuccessful attempts to breach cybersecurity firm SentinelOne between July 2024 and March 2025.
The threat actors, identified as part of larger China-nexus operations tracked as PurpleHaze and ShadowPad, maintained strong operational security throughout the campaign and employed novel malware loaders to minimize detection. Organizations facing such threats typically experience data breach costs exceeding $4.35 million when compromised.
The government-backed hackers operated at a deliberately slow cadence to avoid triggering security alerts, focusing on persistent access through tradecraft consistent with long-term espionage operations. Their methodology included deploying the ShadowPad backdoor in various intrusions while keeping operational noise to a minimum during infiltration attempts.
The attackers showed particular interest in sectors aligned with Chinese strategic interests, targeting defense, logistics, media organizations, and cybersecurity companies across multiple countries. Intelligence gathering on European media organizations may represent efforts to monitor or potentially disrupt critical reporting capabilities.
SentinelOne faced a dual-pronged attack strategy, experiencing direct intrusion attempts alongside a separate supply chain compromise. The hackers successfully breached the company’s hardware supplier and logistics firm, attempting to exploit this vendor access to gain entry into SentinelOne’s networks.
This supply chain vector represents an increasingly common exploitation method that highlights growing risks in vendor relationships and third-party dependencies.
In spite of the persistent efforts and sophisticated approach, SentinelOne’s internal visibility systems detected the reconnaissance activities before any successful compromise occurred. The company prevented lateral movement from the compromised vendor and successfully thwarted all direct breach attempts.
SentinelLABS, SentinelOne’s research division, reported the incidents on June 9-10, 2025, providing detailed analysis of the attack patterns and methodologies employed. Previous security reports have linked ShadowPad to NailaoLocker ransomware attacks, demonstrating the malware’s versatility across different attack scenarios.
The campaign represents a continuing trend of bold state-sponsored cyber espionage operations, with threat actors increasingly willing to target cybersecurity vendors directly in spite of heightened security measures.
The incidents underscore the sophisticated threat environment facing security companies and highlight the critical importance of implementing thorough supply chain security measures. The broader implications extend beyond individual targets, demonstrating ongoing global cyber campaigns affecting businesses worldwide and highlighting the persistent nature of nation-state threats in the current cybersecurity environment.