China-Linked Hackers Target Over 70 Global Organizations
Researchers from SentinelLABS, the threat intelligence and research division of cybersecurity firm SentinelOne, have uncovered a China-linked cyber espionage group. The hackers have been targeting over 70 organizations and cybersecurity companies worldwide since July 2024.
According to the report, published on June 9, the SentinelLABS team detected a cyberattack targeting their own company, SentinelOne, in October 2024. The attack was later linked to the PurpleHaze cyber-espionage framework.
Earlier this year, SentinelLABS also helped dismantle a widespread ShadowPad operation, which impacted the company responsible for managing SentinelOne’s staff hardware. Fortunately, the cybersecurity company was not compromised, but researchers noticed a connection between the incidents.
“The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025,” states the report. “The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.”
The experts added that the malicious actors are most likely linked to China. “This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors,” the report noted.
According to Cybersecurity Dive, a spokesperson from SentinelLABS explained that in addition to cybersecurity firms, the hackers also targeted sectors such as food and agriculture, energy, telecommunications, healthcare, manufacturing, finance, and government agencies.
Researchers first detected an intrusion into a government entity in South Asia in June 2024, followed by the global ShadowPad campaign in July 2024, which they tracked through March 2025. The PurpleHaze activity, observed in October 2024, was later linked to the ShadowPad attack in July.
The suspected cyberespionage actors worked through an operational relay box (ORB) network, exploiting multiple vulnerabilities to evade detection. The sophistication of the attacks strongly suggests state-sponsored efforts to monitor various sectors around the world.
A few months ago, it was also revealed that Chinese authorities used “EagleMsgSpy,” a spyware tool, to monitor Android devices within the country.