China-linked Cyber Espionage Group Targets Over 70 Organizations Across Various Sectors

Recent cybersecurity reports reveal that a China-linked cyber espionage group has conducted a series of intrusions targeting more than 70 organizations across multiple sectors, including manufacturing, finance, and government. SentinelOne's analysis indicates that these activities took place from July 2024 to March 2025 and that the targets included a South Asian government entity and a European media organization, among others. Security researchers Aleksandar Milenkoski and Tom Hegel published the findings, which detail the scale and nature of the attacks.

According to the report, the initial reconnaissance efforts focused on American cybersecurity firm SentinelOne itself, which was intentionally exposing its servers to the internet for functional reasons. The researchers noted that while the attackers seem to have been primarily evaluating these internet-facing servers, their ultimate intentions remain uncertain: whether to compromise only the targeted logistics organization or to expand their reach further.

The malicious activity is linked to a cluster named PurpleHaze, which is closely associated with Chinese state-sponsored threat actors previously identified as APT15 and UNC5174. SentinelOne disclosed these reconnaissance operations in April 2024 but did not initially uncover the broader implications of the attacks, which have now escalated into a multi-faceted cyber offensive.

The attacks span several activity clusters, notably intrusions that began with a South Asian government entity and led up to activity against a logistics firm that was handling hardware for SentinelOne employees. The investigation has also revealed that tools associated with the threat made use of systems developed by The Hacker’s Choice (THC), marking the first time these tools have been hijacked by state actors. This escalation highlights the increasing sophistication of cyber threats in an era where numerous sectors face significant risks.