Reconnaissance activities targeting American cybersecurity company Sentinel Laws were part of a broad set of partially related intrusions to several targets between July 2024 and March 2025.
“The victims include more than 70 organizations across South Asian government agencies, European media organizations and a wide range of sectors,” Sentinelon security researchers Aleksandar Milenkoski and Tom Hegel said in a report released today.
Some of the covered sectors include manufacturing, government, finance, communications, and research. Also among the victims were IT services and logistics companies that managed hardware logistics for Sentinelon employees at the time of the violation in early 2025.
Malicious activities are attributed to high confidence in Chinese and threat actors, with some of the attacks tied to threat clusters. Purple Haswhich overlaps with the Chinese Cyberspy Group, published as APT15 and UNC5174.
In late April 2024, Sentinelone first revealed a purple goby-related reconnaissance activity that targets some servers that can be intentionally accessed on the Internet through the “virtue of functionality.”
“Threat actors’ activities were limited to mapping and assessment of the availability of selected Internet-facing servers in preparation for potential future actions,” the researchers said.
It is currently unclear whether the attacker’s intention is to target IT logistics organizations or whether they plan to expand their focus to downstream organizations. Further investigation into the attack revealed six different activity clusters (designated from A to F) dating back to June 2024.
The clusters are listed below –
- Activity A: Invasion of South Asian government agencies (June 2024)
- Activity B: A series of invasions targeting organizations around the world (July 2024 to March 2025)
- Activity C: Invasion of IT Services and Logistics Company (early 2025)
- Activity D: Invasion of the same South Asian government agency compromised (October 2024)
- Activity E: Reconnaissance activities targeting Sentinel Lawn servers (October 2024)
- Activity F: Invasion of major European media organizations (late September 2024)
The June 2024 attack on government businesses is said to have led to the deployment of Shadowpad obfuscated using Scatterbrain, as previously detailed by Sentinelon. Shadowpad artifacts and infrastructure overlap with the recent ShadowPad campaign that provided Nailaolocker, known as the ransomware family, following the use of checkpoint gateway devices.
Then, in October 2024, the same tissue intended to drop a GO-based reverse shell called GOReshell that uses SSH to connect to infected hosts. Sentinelone says the same backdoor is being used in connection with the September 2024 attack targeting major European media organizations.
Also, what these two activity clusters have in common is the use of tools developed by a team of IT security experts going under the name Hacker Choice (THC). Development marks THC’s software program when it is first abused by state-sponsored actors.
Sentinelone attributes Activity F to Chinese and Nexus actors and has a loose affiliation with the “early access broker” that Google Mandiant tracked under the name C5174 (also known as Uteus or Uetus). It is noteworthy that threat groups have recently linked to the aggressive exploitation of SAP NetWeaver’s flaws to provide Goreverse, a variant of Goreshell. Cybersecurity companies collectively track activities d, e, and f as purple gobys.
“Threat actors leveraged the ORB (Operational Relay Box) network infrastructure, which they rated as being operated from China, and used the vulnerability of CVE-2024-8963 along with CVE-2024-8190 to establish an early footing just days before the vulnerability was revealed,” the researchers said. “After compromising on these systems, UNC5174 is suspected of transferring other threat access.”
