China-Linked Cyberespionage Campaign Hits Over 70 Global Organizations, Including Cybersecurity Firm

In a sweeping cyberespionage campaign with potentially global ramifications, researchers at SentinelLABS have uncovered coordinated intrusion attempts by a threat actor linked to China. The operation, ongoing since July 2024, has targeted more than 70 organizations worldwide, including critical infrastructure and cybersecurity vendors.

SentinelLABS, the threat intelligence unit of cybersecurity firm SentinelOne, published its detailed findings on June 9. According to the report, their own infrastructure came under attack in October 2024, prompting a deeper investigation that revealed the involvement of the sophisticated “PurpleHaze” cyber-espionage framework. This framework was found to be connected to a larger, previously identified malware infrastructure known as ShadowPad.

“The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025,” the SentinelLABS report stated. “The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.”

While SentinelOne’s systems were not compromised, the attackers’ attempt to infiltrate the company itself underscores a chilling trend: cybersecurity vendors are increasingly becoming direct targets of state-linked espionage.

Global Scope and Sector-Wide Targeting

The targets of this campaign span a diverse range of industries, demonstrating the attackers’ broad intelligence-gathering objectives. In addition to cybersecurity firms, organizations in the following sectors were affected:

  • Food and agriculture
  • Energy and telecommunications
  • Healthcare and manufacturing
  • Finance
  • Government agencies

According to a spokesperson from SentinelLABS, the first signs of malicious activity were observed in June 2024, when a South Asian government organization experienced a breach. This was quickly followed by the ShadowPad campaign in July 2024, which persisted through March 2025. The October 2024 PurpleHaze incident, which affected SentinelOne’s hardware management partner, further tied the incidents together and confirmed a pattern of sophisticated and persistent threat activity.

Technical Sophistication and Espionage Tactics

The attackers routed their traffic through an Operational Relay Box (ORB) network, a set of compromised servers chained together to obscure the true origin of malicious connections. They also exploited multiple vulnerabilities to gain and keep access while remaining undetected across varied target environments. This technical precision, together with the scale and patience shown over the course of the campaign, points toward state-sponsored capabilities, with attribution leaning heavily toward China.

SentinelLABS researchers suggest that these incidents form part of a coordinated cyberespionage initiative, likely intended to collect geopolitical, economic, and technological intelligence. The inclusion of cybersecurity vendors among the targets marks a rare and concerning tactic, possibly aimed at penetrating the very defenses that protect the world’s digital infrastructure.

“This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors,” the SentinelLABS team noted.

Implications and What’s Next

This revelation follows previous disclosures about the use of EagleMsgSpy, a China-developed spyware tool used to monitor Android devices domestically. The convergence of both domestic surveillance and international cyber operations suggests a larger and more aggressive digital policy being executed by Beijing-linked entities.

Cybersecurity experts now warn of heightened risks to private and public institutions alike, especially those managing critical infrastructure or holding sensitive geopolitical data.

Why Does This Matter?

For readers wondering about the broader significance: this isn’t just about one company or a handful of breaches. The SentinelLABS revelations highlight the evolving scope of cyber warfare, where even cybersecurity firms are no longer behind the front lines but on them. The attacks underscore how nation-state-backed cyberespionage has become a global threat, capable of disrupting supply chains, leaking sensitive government and corporate data, and undermining trust in digital security systems.

As investigations continue, the cybersecurity community is calling for tighter collaboration between private companies, governments, and global security bodies to improve detection and response efforts. Enhanced transparency and investment in next-generation security technologies are also seen as critical steps in countering such deeply embedded threats.