China-linked hackers target cybersecurity companies and governments in global espionage campaign

Government entity breached twice in a few months
From June 2024 to March 2025, the cluster of activity tracked by SentinelOne involved ShadowPad, a modular backdoor obfuscated with the ScatterBrain framework, which was deployed against a South Asian government entity as well as numerous corporate victims around the world. One specific cluster, an intrusion into that government entity, was observed in June 2024.
In October 2024, the same entity was targeted again by another cluster, this time using the "GoReShell" tool (a reverse SSH backdoor variant) and infrastructure linked to APT15. The infrastructure used in this cluster overlaps with other activity that SentinelOne attributes to PurpleHaze.
In early 2025, the attackers broke into a third-party IT logistics provider that manages SentinelOne's hardware. Although SentinelOne itself was not compromised, it assessed the incident to be part of the wider ShadowPad campaign.
"Using Command and Control (C2) NetFlow and SentinelOne telemetry data, SentinelLabs has found more than 70 victims in sectors such as manufacturing, government, finance, telecommunications and research," SentinelOne researchers said in a blog post. "Our Threat Discovery and Response (TDR) team has proactively contacted potentially affected SentinelOne customers."