New APT Group Sandman Targets Telecom Providers in Europe and Asia

One sentence summary – A new APT group called Sandman is targeting telecommunications service providers in Europe and Asia with a Lua-based backdoor called LuaDream that exfiltrates system and user information; the group's identity is difficult to determine, it may be the work of a third-party hacker-for-hire vendor, and its campaign is potentially extensive and ongoing.

At a glance

  • A new APT group called Sandman is targeting telecommunications service providers in Europe and Asia.
  • Sandman uses a sophisticated modular backdoor based on the Lua programming language.
  • The group’s activities have been observed primarily in the Middle East, Western Europe, and the South Asian subcontinent.
  • Sandman utilizes a specific malware called LuaDream to exfiltrate system and user information.
  • The use of LuaJIT in APT malware is relatively uncommon, but Sandman’s discovery suggests its increasing adoption by malicious actors.

The details

A new Advanced Persistent Threat (APT) group, known as Sandman, has recently emerged, targeting telecommunications service providers in Europe and Asia.

This group employs a sophisticated modular backdoor that is based on the Lua programming language.

Sandman’s activities have been observed primarily in the Middle East, Western Europe, and the South Asian subcontinent.

The group utilizes a specific malware known as LuaDream to exfiltrate both system and user information.

Note that LuaDream does not backdoor the LuaJIT platform itself.

Rather, LuaJIT is used as a vehicle to deploy backdoors within targeted organizations.

Determining the identity of the APT group behind Sandman has proven challenging.

The activity may be the work of a third-party hacker-for-hire vendor.

This adds a further layer of difficulty in attributing the attacks to a specific entity.

The use of LuaJIT in APT malware is relatively uncommon.

However, the discovery of Sandman suggests that this technique may be increasingly adopted by malicious actors in their operations.

There are notable similarities between Sandman’s LuaDream malware and another strain of malware named “DreamLand.”

“DreamLand” was previously identified by Kaspersky in March 2023.

Sandman’s activities may date back as early as 2022.

This indicates a potentially extensive and ongoing campaign by this APT group.

This newly discovered APT group, Sandman, poses a significant threat to telecommunications service providers in Europe and Asia.

Their utilization of Lua-based backdoors and their ability to exfiltrate sensitive information highlight the need for heightened cybersecurity measures within the targeted organizations.

Article X-ray

Here are all the sources used to create this article:

This section links each of the article’s facts back to its original source.

If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.

securityweek.com

  • A new APT group has been discovered targeting telco service providers in Europe and Asia.
  • The group, known as Sandman, is using a sophisticated modular backdoor based on the Lua programming language.
  • Sandman has been seen targeting telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent.
  • The group uses a piece of malware called LuaDream to exfiltrate system and user information.
  • The LuaDream malware does not backdoor the LuaJIT platform, but LuaJIT is used as a vehicle to deploy backdoors on targeted organizations.
  • The identity of the APT group is difficult to determine, and it may be the work of a third-party hacker-for-hire vendor.
  • The use of LuaJIT in APT malware is rare, but the Sandman APT discovery suggests it is becoming more common.
  • The LuaDream malware has similarities to another malware strain called “DreamLand” identified by Kaspersky in March 2023.
  • Sandman’s activities may date back as early as 2022.
