Introduction
First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.
Activities and Tactics
Targeted Sectors: Government, Telecommunications
Country of Origin: π¨π³ China
Risk Level: High
Incident Type: Espionage
Suspected Victims: Middle East, Southeast Asian, France, Egypt, Sudan, South Sudan, Libya, Turkey, Saudi Arabia, Omanβ¦
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- China Chopper
- CyberGate
- Cyber Eye RAT
Attribution and Evidence
Country of Origin: China Additional attribution information pending cataloguing.
References
References pending cataloguing.