← All Threat Actors
Threat Actor Profile

Sandman APT

No known aliases in database
▲ High Threat
First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.
Origin China
Sponsor China
Motivation Espionage

Target Sectors

Government Telecommunications

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD