SentinelOne has revealed new details about a failed supply chain attack linked to Chinese hackers targeting the company through one of its IT and logistics service providers.
SentinelOne, a major U.S.-based cybersecurity firm, offers endpoint detection and response (EDR/XDR) services to critical infrastructure and large enterprises. Because of this, it is a valuable target for state-backed attackers seeking to access corporate networks or learn how to bypass security tools.
The company's research division, SentinelLabs, first reported the attempted breach in April. In a new update, it describes the incident as part of a broader campaign that targeted over 70 organizations globally between June 2024 and March 2025, spanning sectors such as government, telecom, media, finance, and IT.
SentinelOne was targeted twice: once in a reconnaissance effort and again in an attempted supply chain attack. The attackers, identified as APT15 ("PurpleHaze") and APT41 ("ShadowPad"), used fake domains impersonating SentinelOne and exploited known vulnerabilities in Ivanti, Check Point, and Fortinet devices.
In early 2025, APT41 reportedly deployed the ShadowPad malware through PowerShell against a third-party logistics company that works with SentinelOne. The malware delayed its own execution to evade detection, rebooted the system to clear memory, and used a remote access tool called Nimbo-C2 to steal files and execute commands.
Despite these efforts, SentinelOne confirmed that its systems and software were not compromised. The company warns that these incidents highlight how advanced cyberespionage groups are now targeting even the firms that protect digital infrastructure.
Bijay Pokharel