Reconnaissance activities targeting American cybersecurity company Sentinel Laws were part of a broad set of partially related intrusions to several targets between July 2024 and March 2025.
“The victims include more than 70 organizations across South Asian government agencies, European media organizations and a wide range of sectors,” security researchers Aleksandar Milenkoski and Tom Hegel said in a report released today.
Some of the covered sectors include manufacturing, government, finance, communications, and research. Also among the victims were IT services and logistics companies that managed hardware logistics for Sentinelon employees at the time of the violation in early 2025.
The malicious activity is attributed to high confidence in Chinese and Nexus threat actors, with some of the attacks tied to a threat cluster called purple goby, which is reportedly published as Chinese cyberspy group APT15 and UNC5174.
In late April 2024, Sentinelone first revealed a purple goby-related reconnaissance activity that targets some servers that can be intentionally accessed on the Internet through the “virtue of functionality.”
“Threat actors’ activities were limited to mapping and assessment of the availability of selected Internet-facing servers in preparation for potential future actions,” the researchers said.
It is currently unclear whether the attacker’s intention is to target IT logistics organizations or whether they plan to expand their focus to downstream organizations. Further investigation into the attack revealed six different activity clusters (designated from A to F) dating back to June 2024.
The clusters are listed below –
Activity A: Intrusions into South Asian Government Organizations (June 2024) Activity B: Set of intrusions targeting organizations around the world (July 2024 to March 2025) Activity C: Intrusions into IT Services and Logistics Company (Early 2025) Activity Activity: Intrusions into South Asian Government Activities (October 2024) Activity: F: Intrusions into major European media organizations (Late September 2024)
The June 2024 attack on government businesses is said to have led to the deployment of Shadowpad obfuscated using Scatterbrain, as previously detailed by Sentinelon. Shadowpad artifacts and infrastructure overlap with the recent ShadowPad campaign that provided Nailaolocker, known as the ransomware family, following the use of checkpoint gateway devices.
Then, in October 2024, the same tissue intended to drop a GO-based reverse shell called GOReshell that uses SSH to connect to infected hosts. Sentinelone says the same backdoor is being used in connection with the September 2024 attack targeting major European media organizations.
Also, what these two activity clusters have in common is the use of tools developed by a team of IT security experts going under the name Hacker Choice (THC). Development marks THC’s software program when it is first abused by state-sponsored actors.
Sentinelone attributes Activity F to Chinese and Nexus actors and has a loose affiliation with the “early access broker” that Google Mandiant tracked under the name C5174 (also known as Uteus or Uetus). It is noteworthy that threat groups have recently linked to the aggressive exploitation of SAP NetWeaver’s flaws to provide Goreverse, a variant of Goreshell. Cybersecurity companies collectively track activities d, e, and f as purple gobys.
“The threat actors utilized orbs [operational relay box] The network infrastructure, which rated its vulnerability from China and exploited CVE-2024-8963 vulnerability along with CVE-2024-8963 CVE-2024-8190, has fallen into other threats after these systems disrupt access just days before the vulnerability was revealed.
Source link
