
PurpleHaze

Also known as: PurpleHaze

PurpleHaze is a China-nexus threat cluster tracked by SentinelOne/SentinelLABS and linked with high confidence to Chinese cyber-espionage activity. SentinelOne reported that PurpleHaze conducted reconnaissance against its internet-facing infrastructure and some of its high-value customers, and tied the cluster to broader activity affecting a South Asian government entity, a leading European media organization, an IT services and logistics provider that handles hardware logistics for SentinelOne employees, and more than 70 organizations globally across the manufacturing, government, finance, telecommunications, research, and media sectors between July 2024 and March 2025. SentinelOne found no evidence that its own infrastructure, software, or hardware assets were compromised.

SentinelOne described PurpleHaze as overlapping with the publicly reported Chinese groups APT15 and UNC5174, and some reporting also refers to the cluster as Vixen Panda. The association with APT15 and UNC5174 is described as loose or overlapping rather than a full attribution. SentinelOne assessed with high confidence that PurpleHaze is a China-nexus actor, and multiple references characterize the activity as linked to Chinese state hackers or Chinese government spying programs.

Observed tradecraft includes reconnaissance of internet-facing systems; use of ORB (operational relay box) infrastructure operated from China; deployment of GoReShell/GOREshell, a Go-based reverse SSH backdoor derived from the open-source reverse_ssh project and in some cases tunneling SSH over WebSockets; and use of publicly available tools from The Hacker's Choice, including dsniff and clear13, for network auditing and log removal. SentinelOne also linked PurpleHaze-related activity to exploitation of the Ivanti Cloud Services Appliance vulnerabilities CVE-2024-8963 and CVE-2024-8190, in some cases a few days before public disclosure.

Reporting further notes overlap between PurpleHaze and ShadowPad activity, including ShadowPad samples obfuscated with ScatterBrain/ScatterBee. ShadowPad is shared among multiple China-nexus actors, however, and the exact relationship between some June 2024 ShadowPad intrusions and later PurpleHaze activity remains under investigation. The cluster's activity is described as espionage-oriented and preparatory in nature, including mapping and evaluating select internet-facing servers for potential future actions, with cybersecurity vendors singled out as high-value targets because of their visibility into downstream customer environments.
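The SSH-over-WebSockets transport mentioned above is worth a concrete check, because a reverse SSH session wrapped in a WebSocket upgrade looks like ordinary HTTPS/WebSocket traffic to a port-based rule. The following is an added example, not code from SentinelOne, Mallory, or the reverse_ssh project: it reassembles a constructed client/server byte exchange, confirms an HTTP 101 WebSocket upgrade, unmasks the RFC 6455 frames, and flags any frame whose payload opens with an SSH identification string. It assumes standard WebSocket framing and a standard `SSH-2.0-` banner; the page does not describe GoReShell's actual framing, so treat this as a generic tunnel detector rather than a family-specific signature. The sample streams, IP, and banners are constructed for the example.

```python
"""Offline detector for SSH tunneled inside a WebSocket session (added example).

Assumptions (not taken from the page): RFC 6455 framing, HTTP/1.1 upgrade,
and an SSH-2.0 identification string as the first bytes of the tunnel.
"""
import re
import struct
from typing import List, Optional, Tuple

SSH_BANNER = re.compile(rb"^SSH-2\.0-")


def build_frame(payload: bytes, mask_key: Optional[bytes] = None, opcode: int = 2) -> bytes:
    """Encode one final WebSocket frame; client->server frames must carry a 4-byte mask."""
    first = bytes([0x80 | opcode])                     # FIN bit set, opcode (2 = binary)
    mask_bit = 0x80 if mask_key else 0
    n = len(payload)
    if n < 126:
        length = bytes([mask_bit | n])
    elif n < 65536:
        length = bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        length = bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
        return first + length + mask_key + payload
    return first + length + payload


def parse_frames(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode consecutive WebSocket frames, unmasking as needed; returns (opcode, payload) pairs."""
    frames, i = [], 0
    while i + 2 <= len(data):
        b0, b1 = data[i], data[i + 1]
        opcode, masked, length = b0 & 0x0F, b1 & 0x80, b1 & 0x7F
        i += 2
        if length == 126:
            length, i = struct.unpack("!H", data[i:i + 2])[0], i + 2
        elif length == 127:
            length, i = struct.unpack("!Q", data[i:i + 8])[0], i + 8
        key = b""
        if masked:
            key, i = data[i:i + 4], i + 4
        payload, i = data[i:i + length], i + length
        if masked:
            payload = bytes(b ^ key[j % 4] for j, b in enumerate(payload))
        frames.append((opcode, payload))
    return frames


def split_http(stream: bytes) -> Tuple[Optional[bytes], bytes]:
    """Separate the HTTP/1.1 header block from whatever follows it on the same connection."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None, stream
    return stream[:end + 4], stream[end + 4:]


def detect_ssh_over_websocket(client_stream: bytes, server_stream: bytes) -> dict:
    """Report whether a WebSocket upgrade happened and whether SSH banners appear inside it."""
    req, client_frames = split_http(client_stream)
    res, server_frames = split_http(server_stream)
    upgraded = (
        req is not None and res is not None
        and b"upgrade: websocket" in req.lower()
        and res.startswith(b"HTTP/1.1 101")
    )
    if not upgraded:
        return {"websocket": False, "ssh_in_websocket": False, "banners": []}
    banners = []
    for opcode, payload in parse_frames(client_frames) + parse_frames(server_frames):
        if opcode in (1, 2) and SSH_BANNER.match(payload):   # text or binary data frame
            banners.append(payload.split(b"\r\n")[0].decode("ascii", errors="replace"))
    return {"websocket": True, "ssh_in_websocket": bool(banners), "banners": banners}


# Constructed sample exchange: a reverse-SSH client reaches out over a WebSocket upgrade.
# Sec-WebSocket-Key/Accept pair is the RFC 6455 worked example; host and banners are made up.
CLIENT_STREAM = (
    b"GET /ws HTTP/1.1\r\nHost: 203.0.113.10\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n"
    + build_frame(b"SSH-2.0-Go\r\n", mask_key=b"\x12\x34\x56\x78")
)
SERVER_STREAM = (
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
    + build_frame(b"SSH-2.0-OpenSSH_9.2\r\n")
)
# Constructed benign session: same upgrade, but the frames carry JSON, not SSH.
BENIGN_CLIENT = CLIENT_STREAM.split(b"\r\n\r\n")[0] + b"\r\n\r\n" + build_frame(
    b'{"op":"subscribe"}', mask_key=b"\x01\x02\x03\x04", opcode=1)
BENIGN_SERVER = SERVER_STREAM.split(b"\r\n\r\n")[0] + b"\r\n\r\n" + build_frame(b'{"ok":true}', opcode=1)

if __name__ == "__main__":
    print(detect_ssh_over_websocket(CLIENT_STREAM, SERVER_STREAM))
    print(detect_ssh_over_websocket(BENIGN_CLIENT, BENIGN_SERVER))
```

The check deliberately ignores opcode, port, and TLS, because the tunnel can sit behind any of them; in practice you would feed it reassembled streams from a TLS-terminating proxy or a sensor with decryption, and alert on `ssh_in_websocket`. A first data frame that opens with `SSH-2.0-` has no legitimate reason to appear inside a browser-style WebSocket session on an edge server.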


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • technology