SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients

Summary:
SentinelOne has observed a sustained and diverse range of cyber intrusion attempts targeting its environment, highlighting a critical but often overlooked risk surface: security vendors themselves. As a leading cybersecurity company, SentinelOne has become a high-value target for both financially motivated cybercriminals and advanced nation-state threat actors. Recent attacks have included North Korean IT workers posing as job candidates in an attempt to infiltrate the company, ransomware operators seeking to obtain its security platform so they can test their malware against it, and Chinese state-sponsored groups conducting reconnaissance against entities associated with SentinelOne's operations and clientele.


SentinelOne has been targeted by Chinese state-sponsored adversaries, most notably an intrusion cluster it tracks as “PurpleHaze.” This activity came to light following a 2024 attack on a hardware logistics provider formerly contracted by SentinelOne. The attackers conducted operations across multiple sectors, including an intrusion into a South Asian government-affiliated IT provider. The PurpleHaze cluster leveraged a sophisticated operational relay box (ORB) infrastructure and deployed a custom Go-based backdoor known as GoReShell, which utilized reverse SSH techniques for persistent access.


SentinelLabs attributes PurpleHaze to a China-nexus actor with strong links to APT15, also known as Nylon Typhoon. The group has a history of targeting telecommunications, information technology, and government sectors worldwide. The ORB infrastructure used in these attacks was traced to Chinese operational control and has been seen supporting multiple Chinese cyber espionage operations.


Further investigation revealed a related campaign involving ShadowPad, a modular backdoor commonly used by Chinese threat groups including APT41. In June 2024, SentinelLabs discovered ShadowPad samples targeting the same South Asian government entity previously compromised by PurpleHaze. These samples were obfuscated using ScatterBrain, an advanced technique also documented by Google's Threat Intelligence Group. ShadowPad, which has also been deployed alongside ransomware in some intrusions, was observed targeting over 70 organizations globally between July 2024 and March 2025, including entities in manufacturing, finance, government, and research. In these cases the threat actor primarily gained initial access by exploiting an n-day vulnerability in Check Point gateway devices.


Although SentinelOne's internal systems were not breached, the indirect targeting of a logistics partner underscored the risk posed by third-party service providers. This prompted a thorough internal review of asset inventories, procurement processes, deployment scripts, and segmentation policies. SentinelOne emphasized the need for real-time monitoring of supply chain entities and urged the broader cybersecurity community to treat every business pipeline as part of the attack surface.


Security Officer Comments:
One of the most persistent campaigns tracked involved DPRK-affiliated IT workers submitting fraudulent job applications. SentinelOne uncovered approximately 1,000 application attempts tied to around 360 fake personas, some of which directly targeted roles on the SentinelLabs threat intelligence team. These actors used fabricated or stolen identities and sophisticated social engineering techniques to appear as legitimate candidates. In response, SentinelOne implemented proactive engagement measures during the recruitment process, integrating lightweight vetting mechanisms and behavioral analytics into its hiring workflows. This cross-functional collaboration between security and HR enabled early detection and intelligence collection on DPRK adversary tactics, which included referral requests and front company operations used to facilitate financial laundering and infrastructure support.


An emerging tactic bypassing underground markets altogether is exemplified by the Nitrogen ransomware group. Instead of purchasing access, Nitrogen impersonates legitimate businesses by creating spoofed domains, cloned websites, and fake infrastructure to acquire licensed security software through lightly vetted resellers. Once obtained, these products are used in private environments to evaluate and refine malware campaigns. This technique underscores a new threat vector: weak Know Your Customer enforcement and limited diligence among smaller resellers. SentinelOne has responded by collaborating with sales and customer success teams, embedding threat detection logic into commercial workflows, and automating the analysis of suspicious licensing activity.
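The spoofed-domain element of the Nitrogen tradecraft is something the commercial side can check mechanically before a license is issued. The Python below is an added example, not SentinelOne's tooling or code from the referenced article: it folds common look-alike character substitutions, then compares the requester's registrable domain against a vetted customer list by edit distance, so that a request from "acrne-logistics.com" or "acme-logistics.co" is flagged against the real "acme-logistics.com". The customer domains, request records and substitution table are all constructed for illustration.

```python
"""Score inbound license requests for look-alike (spoofed) contact domains.

Added example; not SentinelOne's code. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed list of domains belonging to legitimate, already-vetted customers.
KNOWN_CUSTOMER_DOMAINS = ["acme-logistics.com", "northwind.io", "contoso.com"]

# Common look-alike substitutions. Multi-character rules run first so that
# "rn" -> "m" is applied before any single-character rule touches the "n".
LOOKALIKE_SUBSTITUTIONS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("-", ""), ("_", ""),
]


@dataclass
class LicenseRequest:
    company: str        # company name on the purchase order
    contact_email: str  # requester's address as submitted by the reseller
    reseller: str       # reseller that submitted the order


@dataclass
class Verdict:
    label: str              # "known", "lookalike" or "unrelated"
    matched: Optional[str]  # closest vetted domain, if any
    distance: int           # edit distance after folding


def registrable_label(domain: str) -> str:
    """Second-level label of a domain ('acme-logistics' for 'acme-logistics.com').

    Simplified: no public suffix list, so 'example.co.uk' yields 'co'.
    """
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(domain: str) -> str:
    """Normalise a domain so that common look-alike tricks collapse onto the original."""
    label = registrable_label(domain)
    for src, dst in LOOKALIKE_SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(req: LicenseRequest, known=KNOWN_CUSTOMER_DOMAINS, max_distance: int = 2) -> Verdict:
    """Classify the requester's domain against the vetted customer list.

    An exact match is "known"; a domain that folds to within max_distance edits
    of a known domain (but is not that domain) is a "lookalike" and should be
    routed to manual KYC review before any license is issued.
    """
    domain = req.contact_email.rsplit("@", 1)[-1].lower()
    if domain in known:
        return Verdict("known", domain, 0)
    folded = fold(domain)
    closest, best = min(
        ((k, levenshtein(folded, fold(k))) for k in known), key=lambda kv: kv[1]
    )
    if best <= max_distance:
        return Verdict("lookalike", closest, best)
    return Verdict("unrelated", None, best)


if __name__ == "__main__":
    # Constructed requests: one genuine, three spoofs, one unrelated company.
    samples = [
        LicenseRequest("Acme Logistics", "procurement@acme-logistics.com", "Reseller A"),
        LicenseRequest("Acme Logistics", "it@acrne-logistics.com", "Reseller B"),
        LicenseRequest("Acme Logistics", "it@acme-logistics.co", "Reseller B"),
        LicenseRequest("Northwind", "ops@northwlnd.io", "Reseller C"),
        LicenseRequest("Blue Widgets", "admin@bluewidgets.net", "Reseller A"),
    ]
    for s in samples:
        v = assess(s)
        print(f"{s.contact_email:32} {v.label:10} matched={v.matched} distance={v.distance}")
```

A "lookalike" verdict is a trigger for manual review of the reseller's customer, not an automatic block: the same logic that catches "acme-log1stics.com" will also flag a genuine subsidiary with a near-identical name. In practice the check would be joined with domain registration age and a proper public suffix list, and run at the point where the reseller submits the order rather than after the license is active.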


Suggested Corrections:

SentinelOne has published the following mitigations in response to this activity:

  • Distribute Threat Intelligence Across Operational Stakeholders
    • Organizations should proactively share campaign-level threat intelligence with business units beyond the traditional security org—particularly those managing vendor relationships, logistics, and physical operations. Doing so enables faster detection of overlap with compromised third parties and supports early reassessment of exposure through external partners.
  • Integrate Threat Context Into Asset Attribution Workflows
    • Infrastructure and IT teams should collaborate with threat intelligence functions to embed threat-aware metadata into asset inventories. This enables more responsive scoping during incident response and enhances the ability to trace supply chain touchpoints that may be at risk.
  • Expand Supply Chain Threat Modeling
    • Organizations should refine their threat modeling processes to explicitly account for upstream supply chain threats, especially those posed by nation-state actors with a history of leveraging contractors, vendors, or logistics partners as indirect access vectors. Tailoring models to include adversary-specific tradecraft enables earlier identification of unconventional intrusion pathways.


Link(s):
https://www.sentinelone.com/labs/to...ybersecurity-company-from-todays-adversaries/