Dec. 11, 2023, 2:01 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence


Executive Summary

  • The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 – STORM-0866/Red Dev 40.

  • The Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments.

  • Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain …
