Connect with us

Hi, what are you looking for?



Sandman Cyberespionage Group Linked to China

A recent emergence on the threat landscape, the Sandman APT appears linked to a Chinese hacking group.

Sandman APT

The recently outed advanced persistent threat (APT) actor Sandman appears linked to China, SentinelOne, Microsoft, and PwC say in a joint report.

The hacking group was brought into the spotlight at the LABScon security conference, standing out because of the sophisticated modular backdoor LuaDream, which has been built using the cross-platform programming language Lua.

Initial reporting drew attention to Sandman’s targeting of telecom providers in the Middle East, Europe, and South Asia, likely for cyberespionage purposes, but did not link the activity to any known APTs.

The joint report, however, draws links between the observed Sandman APT attacks and the activity of STORM-0866/Red Dev 40, a suspected China-based threat actor known to be using the KeyPlug backdoor.

KeyPlug was initially detailed in March 2022 after being used by the Chinese state-sponsored group APT41 (also known as Barium, Brass Typhoon, Wicked Panda, Wicked Spider, Winnti) in attacks against a US government entity.

The malware was believed to be exclusive to APT41, but “Microsoft and PwC have subsequently identified at least three other developing clusters involving KeyPlug, including STORM-0866/Red Dev 40,” suggesting that it is, in fact, shared among multiple Chinese threat actors, SentinelOne notes.

LuaDream and KeyPlug have been observed on the same victim environments, and even on the same endpoints. In one attack, KeyPlug was deployed in May 2023, followed by LuaDream three months later, and both remained active simultaneously for roughly two weeks.

The investigation into these threats revealed overlaps in functionality and design, pointing to shared functional requirements and indicating potential shared development and infrastructure control and management practices.

Advertisement. Scroll to continue reading.

“Our findings on Sandman indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers,” SentinelOne notes.

The security researchers were able to link the APTs through the use of digital certificates, IPs, cloud-based reverse proxy infrastructure, hosting providers, and domain naming conventions.

A comparison between KeyPlug and LuaDream has revealed the use of identical encrypting keys, similar high execution flaws, and direct overlaps in implementation, such as the support for the same protocols for command-and-control (C&C) communication.

“We assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This highlights the complex nature of the Chinese threat landscape,” SentinelOne concludes.

Related: China’s Offensive Cyber Operations in Africa Support Soft Power Efforts

Related: China-Linked ‘Redfly’ Group Targeted Power Grid

Related: China-Linked APT15 Targets Foreign Ministries With ‘Graphican’ Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...