Dark Web Profile: Sandman APT – SOCRadar® Cyber Intelligence Inc.

The Sandman APT group has drawn major attention for targeting telecommunications providers in Europe, the Middle East, and South Asia, employing LuaDream, a LuaJIT-based modular backdoor, to conduct stealthy espionage with a minimal footprint. Research ties Sandman to China-based actor clusters such as STORM-0866/Red Dev 40 and to the KEYPLUG backdoor, underscoring sophisticated evasion and multi-protocol C2 operations.

Keypoints

  • Sandman APT targets telecommunications providers in Europe, the Middle East, and South Asia with a focus on espionage.
  • The group uses LuaDream, a LuaJIT-based modular backdoor, designed to minimize detection and operate with a multi-stage, in-memory staging process.
  • LuaDream staging relies on fully-formed DLLs (e.g., ualapi.dll, MemoryLoadPex64.dll, common.dll) and LuaJIT bytecode to evade analysis.
  • Anti-analysis techniques include hiding threads with NtSetInformationThread and in-memory mapping to bypass EDR hooks.
  • LuaDream communicates with C2 servers ssl.explorecell[.]com and mode.encagil[.]com, recently shifting to load-balancing infrastructure to obscure hosting locations.
  • Sandman shows connections with other China-based actors (STORM-0866/Red Dev 40) and uses tools like KEYPLUG, indicating a collaborative threat landscape.
  • MITRE-like TTPs observed include spear phishing (initial access), multi-protocol C2, obfuscation, in-memory execution, and data exfiltration over C2 channels.

MITRE Techniques

  • [T1566] Phishing – Initial access via spear phishing. Quote: “MITRE-like TTPs observed include spear phishing (initial access).”
  • [T1071] Multi-Protocol C2 – C2 communication using multiple protocols. Quote: “multi-protocol C2 operations”
  • [T1027] Obfuscated Files or Information – Obfuscation used to evade analysis. Quote: “obfuscation”
  • [T1059] Command and Scripting Interpreter – Lua scripting via LuaJIT-based backdoor. Quote: “LuaDream, a LuaJIT-based modular backdoor”
  • [T1055.003] Thread Execution Hijacking – Hiding threads with NtSetInformationThread to evade detection. Quote: “hiding threads with NtSetInformationThread”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration over C2 channels. Quote: “data exfiltration over C2 channels”

Indicators of Compromise

  • [Domains] – dan.det-ploshadka[.]com, mode.encagil[.]com, ssl.articella[.]com, ssl.e-novauto[.]com, ssl.explorecell[.]com, yum.luxyries[.]com
  • [IP Addresses] – 146.70.157[.]20, 172.67.216[.]63
  • [Certificate Thumbprints] – a7932112b7880c95d77bc36c6fcced977f4a5889, fc8fdf58cd945619cbfede40ba06aada10de9459
  • [SHA1 File Hashes] – 1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4, 27894955aaf082a606337ebe29d263263be52154
  • [LuaDream Folder File Paths] – %ProgramData%\FaxConfig, %ProgramData%\FaxLib
  • [C2 Server Domains] – mode.encagil[.]com, ssl.explorecell[.]com
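As an added example (not part of the SOCRadar profile), the following Python refangs the domain, IP and staging-folder indicators listed above and runs them over a few constructed DNS, firewall and file-creation log lines; the log format and sample values are assumptions, not real telemetry.

```python
import re

# Indicators copied from the profile, defanged as published ("[.]").
DEFANGED_DOMAINS = [
    "dan.det-ploshadka[.]com", "mode.encagil[.]com", "ssl.articella[.]com",
    "ssl.e-novauto[.]com", "ssl.explorecell[.]com", "yum.luxyries[.]com",
]
DEFANGED_IPS = ["146.70.157[.]20", "172.67.216[.]63"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable, lower-cased form."""
    return indicator.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
# LuaDream staging folders under %ProgramData%; match either path separator.
PATH_RE = re.compile(r"programdata[\\/](faxconfig|faxlib)(?=[\\/]|$)")

def match_event(line: str) -> list[str]:
    """Return the indicator hits for one log line (empty list when clean)."""
    hits = []
    lowered = line.lower()
    # Whole-token comparison so a look-alike such as 'mode.encagil.com.example' does not match.
    for token in re.split(r"[\s,;=\"']+", lowered):
        if token in DOMAINS:
            hits.append(f"c2-domain:{token}")
        elif token in IPS:
            hits.append(f"c2-ip:{token}")
    m = PATH_RE.search(lowered)
    if m:
        hits.append(f"staging-path:{m.group(1)}")
    return hits

def scan(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_event(line))}

# Constructed sample events (hypothetical hosts, timestamps and file name).
SAMPLE_LOGS = [
    "2024-01-10T09:12:01Z dns query client=10.0.0.5 name=mode.encagil.com type=A",
    "2024-01-10T09:12:02Z dns query client=10.0.0.5 name=update.example.org type=A",
    "2024-01-10T09:13:40Z file create image=C:\\Windows\\System32\\spoolsv.exe "
    "target=C:\\ProgramData\\FaxConfig\\sample.bin",
    "2024-01-10T09:15:11Z fw allow src=10.0.0.5 dst=146.70.157.20 dport=443",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
```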

Read more: https://socradar.io/dark-web-profile-sandman-apt/