Anti-malware vendor SentinelOne said its security teams spent the past twelve months deflecting a steady stream of cyberespionage reconnaissance probes from China-nexus threat actors now seen targeting cybersecurity vendors.
SentinelOne said the attackers never gained a foothold inside its network, but there were supply-chain scares when a third-party contractor that handles laptop logistics for employees was briefly compromised.
In a technical deep-dive, the company’s SentinelLabs unit documented how the same infrastructure hammered more than 70 organisations between July 2024 and March 2025, including a South-Asian government IT agency and a major European media group, before turning reconnaissance scans on SentinelOne’s own internet-facing servers.
The company said the campaigns relied on well-known Chinese espionage staples. ShadowPad, a modular backdoor previously tied to APT41, turned up after dozens of gateway devices from Check Point, Fortinet and SonicWall were breached, often through recently disclosed exploits.
ShadowPad use was also connected to an APT cluster the company calls PurpleHaze. That group was seen using a Go-based implant that tunnels traffic over SSH-in-WebSockets and hiding its command-and-control servers behind what SentinelOne calls an “operational relay box” network, a rotating fleet of VPS nodes registered in bulk and managed from China.
The SentinelOne researchers found overlaps with infrastructure and tactics long associated with APT15 and UNC5174, including Ivanti zero-days that were still under embargo when the hackers began chaining them.
“We assess with high confidence that the threat actor’s activities were limited to mapping and evaluating the availability of select Internet-facing servers, likely in preparation for potential future actions,” the company said.
SentinelOne warns that the ongoing activity underscores a blind spot in the industry’s threat model: cybersecurity vendors themselves are increasingly high-value targets because compromising them can yield visibility into thousands of downstream customers.
“Cybersecurity companies are high-value targets for threat actors due to their protective roles, deep visibility into client environments, and ability to disrupt adversary operations,” the researchers noted.
The company’s research team argues that disclosing its own near-misses, complete with file hashes, domains and IP addresses, is meant to remove the stigma of reporting attacks and make it harder for nation-state actors to reuse the same playbook.
The latest disclosure follows a separate wave of North Korean fake-worker schemes and opportunistic ransomware scans targeting the prominent EDR vendor. SentinelOne said its HR teams fielded roughly 1,000 job applications from 360 fake personas tied to North-Korean revenue-generation schemes.
The company said none of the applicants were hired but its researchers milked the data for intelligence on resume-forging and deep-fake interview techniques.
SentinelOne said profit-driven ransomware gangs have also tried to obtain console or agent access by buying stolen credentials or bribing insiders.
