New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

New and mysterious APT Sandman spotted targeting telcos in Europe and Asia as part of a cyberespionage campaign.

A new and mysterious APT group has been spotted targeting telco service providers in Europe and Asia as part of what appears to be a cyberespionage campaign, according to a joint investigation by SentinelLabs and QGroup GmbH.

According to SentinelLabs researcher Aleksandar Milenkoski, the shadowy APT group is using a sophisticated modular backdoor based on Lua, the lightweight cross-platform programming language designed primarily for embedded use in applications.

“Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape,” Milenkoski said, noting that the entire operation is characterized by a cautious and deliberate approach: minimal and strategic movements within infected networks, and a larger goal to minimize detection risk.

The advanced threat actor, tagged as Sandman, has been seen targeting telecommunications providers across the Middle East, Western Europe and the South Asian subcontinent.

During a presentation at the LABScon security conference, Milenkoski explained that the group is using a piece of malware called LuaDream that is capable of exfiltrating system and user information, paving the way for additional precision attacks.

“The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale,” the SentinelLabs researcher said, noting that it is difficult to pin down the identity of the APT group. 

“The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory,” he added.

SentinelLabs has clarified that the LuaDream malware does not backdoor the LuaJIT platform. Instead, LuaJIT is used by the threat actor as a vehicle to deploy backdoors on targeted organizations.

While available data points to a cyberespionage adversary with a strong focus on targeting telcos across diverse geographical regions, Milenkoski said LuaDream cannot be associated with any known threat actor, suggesting it may be the work of a third-party hacker-for-hire vendor.

SentinelLabs researchers also called attention to the use of the Lua programming language, noting that the use of LuaJIT in the context of APT malware is very rare. 
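Because LuaJIT is so unusual in APT tooling, its presence is itself a useful anomaly signal for defenders. The following scanner is an added example written for this article, not code from SentinelLabs, QGroup or the LuaDream samples; it flags Lua and LuaJIT bytecode dump headers inside an arbitrary byte buffer (a file, or a region carved from a memory dump, since the staging chain described above loads into memory). The magic values are the public bytecode format markers (ESC "LJ" plus a version byte for LuaJIT, ESC "Lua" plus a version byte for reference Lua); the sample buffer is constructed for the demonstration.

```python
"""Heuristic scanner for Lua / LuaJIT bytecode headers in arbitrary byte buffers.

Added example for triage: a hit means "review this", not "this is LuaDream".
Three-byte magics can occur by chance in large binaries, so treat matches as
leads for an analyst, ideally combined with process and network context.
"""
import re
from dataclasses import dataclass

# LuaJIT bytecode dumps begin with ESC 'L' 'J' followed by a dump-format
# version byte: 1 for LuaJIT 2.0.x, 2 for LuaJIT 2.1.
LUAJIT_VERSIONS = {1: "LuaJIT 2.0", 2: "LuaJIT 2.1"}

# Reference (PUC) Lua precompiled chunks begin with ESC 'L' 'u' 'a' followed
# by the interpreter version byte (0x51 = 5.1 ... 0x54 = 5.4).
PUC_VERSIONS = {0x51: "Lua 5.1", 0x52: "Lua 5.2", 0x53: "Lua 5.3", 0x54: "Lua 5.4"}

_HEADER_RE = re.compile(rb"\x1bL(?:J[\x01\x02]|ua[\x51-\x54])")


@dataclass(frozen=True)
class BytecodeHit:
    offset: int   # byte offset of the header inside the scanned buffer
    family: str   # "luajit" or "lua"
    version: str  # human-readable version derived from the version byte


def find_bytecode_headers(buf: bytes) -> list[BytecodeHit]:
    """Return every Lua/LuaJIT bytecode header found in buf, in offset order."""
    hits: list[BytecodeHit] = []
    for m in _HEADER_RE.finditer(buf):
        off = m.start()
        if buf[off + 2:off + 3] == b"J":
            hits.append(BytecodeHit(off, "luajit", LUAJIT_VERSIONS[buf[off + 3]]))
        else:
            hits.append(BytecodeHit(off, "lua", PUC_VERSIONS[buf[off + 4]]))
    return hits


def has_luajit_bytecode(buf: bytes) -> bool:
    """Convenience predicate: True if any LuaJIT (not plain Lua) header is present."""
    return any(h.family == "luajit" for h in find_bytecode_headers(buf))


# Constructed sample buffer (not a real sample): a fake PE-ish prefix, then a
# LuaJIT 2.1 dump header at offset 32 and a Lua 5.3 chunk header at offset 47.
SAMPLE_BUFFER = (
    b"MZ" + b"\x00" * 30
    + b"\x1bLJ\x02\x00"   # LuaJIT 2.1 header, flags byte 0
    + b"A" * 10
    + b"\x1bLua\x53"      # reference Lua 5.3 chunk header
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_bytecode_headers(SAMPLE_BUFFER):
        print(f"offset={hit.offset:#06x} family={hit.family} version={hit.version}")
    print("LuaJIT present:", has_luajit_bytecode(SAMPLE_BUFFER))
```

In a hunt, run this over files dropped by unusual parent processes and over carved memory regions of long-lived service processes; a LuaJIT hit in an environment that ships no LuaJIT-based software is worth an analyst's time even before any attribution question arises.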

In the past, threat hunters have seen highly modular, Lua-utilizing malware associated with high-end APTs like Flame, Animal Farm and Project Sauron, but the Sandman APT discovery suggests the developmental paradigm has trickled down to a broader set of actors, SentinelLabs researchers posited at the conference.

Interestingly, the LuaDream malware has traits linking it to another malware strain named “DreamLand”, as identified by Kaspersky in March 2023 during APT activities against a government entity in Pakistan. 

These correlations hint at a possible broader campaign, with Sandman’s activities perhaps dating back as early as 2022, Milenkoski said.

Related: Researchers Crowdsourcing Effort to ID Metador APT

Related: ‘Strider’ Espionage Group Targets China, Russia, Europe

Related: NSA Used Simple Tools to Detect Threat Actors on Hacked Devices

Related: Experts Find 2007 Variant of Malware Linked to French Intelligence

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
