Security Firm Targeted by China-Linked Hackers

SentinelLABS discovered and defended against a reconnaissance operation targeting SentinelOne in October 2024. At the start of 2025, researchers also observed and disrupted an intrusion against an organization that managed hardware logistics for SentinelOne employees. After a comprehensive investigation of SentinelOne’s software, hardware and infrastructure, researchers confirmed the attackers were unsuccessful.
The research attributes these attacks to the PurpleHaze and ShadowPad activity clusters, which span intrusions into a range of targets between July 2024 and March 2025. Targets include a European media organization, a South Asian government entity, and more than 70 organizations in a variety of sectors.
With high confidence, the research connects PurpleHaze and ShadowPad to China-nexus threat actors. Furthermore, the research speculates that some PurpleHaze intrusions overlap with APT15 and UNC5174, two suspected Chinese cyberespionage groups.
Security Leaders Weigh In
Craig Jones, Vice President of Security Operations at Ontinue:
What SentinelOne is seeing now is classic China-nexus activity — it echoes exactly what was tracked during the Pacific Rim attacks when I led the defense activity at Sophos. Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new — it’s a continuation of a well-honed strategy.
Casey Ellis, Founder at Bugcrowd:
What’s needed is vigilance, strong defenses, and information sharing just like this advisory — both at the general awareness and specific TTP/IOC level.
SentinelOne have long been on the leading edge of studying, analyzing, and disseminating threat intelligence around China-nexus actors, and this report demonstrates that the need to do so is only continuing to ramp up.
Heath Renfrow, CISO and Co-founder at Fenix24:
The SentinelOne incident underscores a long-standing truth in cybersecurity: defenders are high-value targets, especially those with access to proprietary security tooling, threat intelligence, and client infrastructure. The PRC’s consistent use of advanced tradecraft and strategic targeting of security vendors like SentinelOne is not surprising; it is an extension of their broader cyberespionage doctrine, where compromising trusted nodes provides disproportionate leverage in downstream operations.
The discovery and disruption of activity clusters like PurpleHaze and ShadowPad reaffirm the need for full-spectrum threat detection, not just endpoint protection, but also persistent behavioral analytics, insider risk modeling, and vendor supply chain validation. SentinelOne’s response demonstrates the kind of operational maturity required to withstand today’s nation-state threats.
While the United States is taking stronger stances through executive orders, international cyber alliances, and increased private-sector collaboration, we must go further. What’s still needed is:
- Mandatory breach disclosure and vendor audit frameworks for all critical infrastructure sectors, including third-party risk exposure;
- A unified threat intelligence fusion center between government and vetted private incident responders — not just information sharing, but operational coordination;
- Clear offensive deterrence doctrine, backed by public attribution and economic consequences, not just indictments that rarely lead to arrests.
China’s strategy is patient and long-term. Our response must be equally sustained, strategic and unapologetically proactive.