
Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs

(2025/06/09)


An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.

SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered these new clusters of malicious activity when the suspected Chinese spies tried to break into SentinelOne's own servers in October.

"We tend to prioritize China, and seeing them start to poke at our own products, our own infrastructure, that immediately raises the red flag for us," SentinelOne threat researcher Tom Hegel told The Register in a phone interview. While the attempted SentinelOne intrusion was unsuccessful, being the target of a Chinese reconnaissance campaign led the threat hunters into a deeper analysis of the broader campaign and malware used.


"We started to hunt for it globally, look at their infrastructure and identify those other victims," Hegel said.


Hegel and co-author Aleksandar Milenkoski detailed their findings in a report they shared with The Register ahead of its publication on Monday. In that report, they describe a series of intrusions between July 2024 and March 2025 involving ShadowPad malware and post-exploitation espionage activity that SentinelOne has dubbed "PurpleHaze." And they're blaming China.

"We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174," they wrote in the report.


[5]APT15, also known as Ke3Chang and Nylon Typhoon, is a suspected Chinese cyberspy crew that targets telecommunications, IT services, government, and other critical sectors.

UNC5174 is a cyberspy crew or individual with ties to China's Ministry of State Security that was [6]spotted as recently as April infecting global organizations for espionage and access resale campaigns.

'Pre-positioning for conflict'

SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.

Additionally, the security outfit's research uncovered a September 2024 intrusion into a "leading European media organization."

It's a broad range of victims, but they all share one thing in common: they represent strategic targets as China prepares for a war, whether of the cyber or the kinetic variety.


"Ultimately, this ties back to pre-positioning for conflict," Hegel said.

SentinelOne, as a security vendor for government and critical infrastructure organizations, makes an attractive starting point for a supply-chain attack along the lines of what [8]Russian spies did to Mandiant during the [9]SolarWinds fiasco.

"They might be going after government organizations for more direct espionage," Hegel said. "And then major global media organizations — maybe it's silencing certain topics or disrupting them for reporting on certain things. If they are sitting on their adversaries' networks — media organizations, or government entities or their defense companies — they are able to flip a switch if conflict were to occur."

Shining a light on ShadowPad

Not long after SentinelOne spotted the spies poking around its own infrastructure, a South Asian government entity that provides IT services and infrastructure to customers across multiple sectors hired the company to respond to a breach of its systems.

"That was interesting, because that compromise was related to this whole thing," Hegel said.

During that investigation, the security analysts determined the break-in occurred in June 2024, and retrieved a malware sample that turned out to be ShadowPad, a [10]privately sold backdoor used by multiple China-aligned attackers for espionage. The ShadowPad sample was obfuscated using a variant of ScatterBrain, which Google's Threat Intelligence Group has [11]attributed to groups associated with APT41, a suspected Chinese espionage group.

This ShadowPad malware sample helped SentinelLABS to identify other victims, which indicated a much larger campaign taking place between July 2024 and March 2025.

Meanwhile, in early October 2024, SentinelLABS observed a different attacker compromising the same South Asian government entity that had been breached in June.

The analysts tracked some of the infrastructure used in this attack to an [12]operational relay box (ORB) network used by several suspected Chinese cyberspy groups, in particular one that overlaps with APT15 (aka Ke3Chang and Nylon Typhoon).

Once the intruders had broken in, they deployed publicly available backdoors that belong to the GOREVERSE family, which [13]Mandiant has linked to UNC5174 .

The intruders gained initial access by chaining two [14]critical Ivanti bugs , CVE-2024-8963 and CVE-2024-8190, days before they were publicly disclosed.


In January, CISA and the FBI released a [19]joint security advisory warning that unnamed miscreants had exploited the two Ivanti flaws in September 2024, explaining that the two bugs could allow an attacker to bypass admin authentication and pass commands to the OS.

Two months later, the French Cybersecurity Agency (ANSSI) [20]released a 2024 cyber-threat overview that also detailed the September 2024 intrusions involving the same Ivanti vulnerabilities, and this report showed overlap between those breaches and tactics linked to UNC5174.

The SentinelLABS team is tracking the second intrusion into the South Asian government entity, along with the reconnaissance attempts against its own servers and the European media company break-in, as part of the PurpleHaze threat cluster.

"While we attribute PurpleHaze with high confidence to China-nexus threat actors, investigations continue to determine the specific threat groups behind the activities and their potential links to the June 2024 and later ShadowPad intrusions," the researchers wrote.

By the way, that victim count of 75 may actually be at the "lower end of what's truly active out there," Hegel told us. "We know, over the last couple of weeks, there have been new organizations that have been compromised by this as well." ®





[5] https://www.theregister.com/2025/06/06/chatgpt_for_evil/

[6] https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/


[8] https://www.theregister.com/2023/03/03/solarwinds_supplychain_security/

[9] https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/

[10] https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage

[11] https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator

[12] https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/

[13] https://www.theregister.com/2024/03/22/china_f5_connectwise_unc5174/

[14] https://www.theregister.com/2024/09/20/patch_up_ivanti_fixes_exploited/


[19] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a

[20] https://cyber.gouv.fr/en/publications/cyber-threat-overview-2024




Well done

Eclectic Man

Congrats to Sentinel for thwarting the attack and finding compromised sites / organisations.

I want to say that we do not know that China is 'preparing for war', but they do keep saying that Taiwan belongs to China. And the history is somewhat complicated:

"The island was annexed in 1683 by the Qing dynasty of China and ceded to the Empire of Japan in 1895. The Republic of China, which had overthrown the Qing in 1912 under the leadership of Sun Yat-sen, took control following the surrender of Japan in World War II. "

From: https://en.wikipedia.org/wiki/Taiwan#:~:text=The%20island%20was%20annexed%20in,Japan%20in%20World%20War%20II.

Re: Well done

munnoch

That's the great thing about territorial disputes. Both sides can pick an arbitrary time in history that is advantageous to them and then proceed on the basis that it is the one true interpretation, regardless of the situation on the ground in the present day.

Re: Well done

NoneSuch

China is the block bully pushing into sovereign waters of Vietnam, the Philippines and Malaysia (among others).

They need to be made pariahs until they stop imprisoning people for religion or democratic demonstrations, spying on other nations and acting like an adult instead of a spoiled toddler who wants thirds for ice cream.

Remember Tiananmen Square.

No more despots.

tiggity

"And then major global media organizations — maybe it's silencing certain topics or disrupting them for reporting on certain things."

I think most Western media does a good job of effectively silencing certain topics / dissenting viewpoints. If I were the Chinese hacking a Western media company it would probably be to make visible to the general public some of the stuff they currently brush under the carpet.

The "west", China, Russia, whoever. The people who end up running a country often tend to be amoral power crazed narcissistic sociopaths & the great unwashed are at risk from all of them (though generally most "westerners" more at risk from "our side" than our "enemies"*)

* I have no beef with the average Chinese, Russian etc. those workers suffer under a corrupt evil government, just like we do (though certainly the Chinese seem to have a far more competent government than our shower).
