Sandman
Description
(SentinelLabs) In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.
The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.
Names
| Name | Name-Giver |
|---|---|
| Sandman | SentinelLabs |
Country
Motivation
- Information theft and espionage
First Seen
2022
Observed Sectors
Observed Countries
Tools
Information
- https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/
- https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/
Other Information
Uuid
6e7a3b00-6ff8-414a-b6b3-040ddcfd4e8c
Last Card Change
2024-01-16