ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Sandman

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Sandman

NamesSandman (SentinelLabs)
CountryChina China
MotivationInformation theft and espionage
First seen2022
Description(SentinelLabs) In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.

The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.
ObservedSectors: Telecommunications.
Countries: Middle East, Western Europe, and South Asia.
Tools usedLuaDream.
Information<https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/>
<https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/>

Last change to this card: 16 January 2024

Download this actor card in PDF or JSON format

Previous: SandCat
Next: Sandworm Team, Iron Viking, Voodoo Bear

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]