Researchers have uncovered intriguing parallels between the elusive advanced persistent threat (APT) known as Sandman and a threat cluster based in China, notorious for deploying the KEYPLUG backdoor.

The findings come from a joint report by SentinelOne, PwC, and the Microsoft Threat Intelligence team. The investigation centers on the coexistence of LuaDream and KEYPLUG, two distinct malware families that were found operating within the same victim networks. That overlap is what prompted a closer look at how the two threats relate to one another.

Microsoft and PwC track the China-based cluster under the aliases Storm-0866 and Red Dev 40, respectively.

According to a report from The Hacker News, the researchers wrote that Sandman and Storm-0866/Red Dev 40 “share infrastructure control and management practices, such as choosing hosting providers and following domain naming conventions.”

“The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.”

SentinelOne first brought Sandman to public attention in September 2023, detailing its attacks on telecommunications providers in the Middle East, Western Europe, and South Asia using a novel implant called LuaDream. The reported intrusions took place in August 2023.

For its part, Storm-0866/Red Dev 40 is a more recently identified APT cluster that primarily targets telecommunications providers and government agencies in the Middle East and South Asia.

One of Storm-0866’s pivotal tools is KEYPLUG, a backdoor initially exposed by Google-owned Mandiant during attacks by the China-based APT41 (also recognized as Brass Typhoon or Barium). These attacks infiltrated six U.S. state government networks from May 2021 to February 2022.


Recorded Future said in a report released in March that KEYPLUG use was linked to a Chinese government-backed threat group called RedGolf, which “closely overlaps with threat activity reported under the aliases of APT41/BARIUM.”

“A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators,” the companies said.

The overlaps are concrete. The LuaDream C2 domains “dan.det-ploshadka[.]com” and “ssl.e-novauto[.]com” also served as KEYPLUG C2 servers, and both are linked to Storm-0866.
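Infrastructure overlap of this kind is found by comparing the C2 indicator sets of two malware families and looking for hosts, or at least apex domains, that appear in both. The script below is an added example and is not code from SentinelOne, PwC, Microsoft, or the article; it refangs report-style indicators, groups them by registrable domain, and reports what the two lists share. The two overlapping domains are the ones named above; every other indicator in the sample lists is constructed for illustration, and the eTLD+1 logic is a deliberate simplification (a production pipeline would use the Public Suffix List).

```python
import re
from collections import defaultdict

# Constructed sample IOC lists in the defanged form used in threat reports.
# The two domains present in both lists are the ones named in the article;
# the remaining entries are made up for this example.
LUADREAM_C2 = [
    "dan.det-ploshadka[.]com",
    "hxxps://ssl.e-novauto[.]com/",
    "cdn.example-lua[.]net",   # constructed
    "api.example-lua[.]net",   # constructed
]
KEYPLUG_C2 = [
    "dan.det-ploshadka[.]com",
    "ssl.e-novauto[.]com",
    "upd.example-kp[.]org",    # constructed
    "www.example-kp[.]org",    # constructed
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator back to a plain lower-case hostname."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxps?://", "", s)   # hxxp:// -> dropped scheme
    s = re.sub(r"^https?://", "", s)
    return s.split("/", 1)[0]           # strip any path


def registrable_domain(fqdn: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: plain gTLDs only."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:])


def infrastructure_overlap(family_a, family_b) -> dict:
    """Compare two C2 indicator lists and report shared hosts and apex domains.

    Returns a dict with:
      shared_hosts: exact hostnames present in both lists
      shared_apex:  registrable domains present in both lists, which also
                    catches distinct subdomains of a common apex domain
      only_a / only_b: hosts unique to each family
    """
    hosts_a = {refang(i) for i in family_a}
    hosts_b = {refang(i) for i in family_b}

    apex_a = defaultdict(set)
    apex_b = defaultdict(set)
    for h in hosts_a:
        apex_a[registrable_domain(h)].add(h)
    for h in hosts_b:
        apex_b[registrable_domain(h)].add(h)

    return {
        "shared_hosts": sorted(hosts_a & hosts_b),
        "shared_apex": sorted(set(apex_a) & set(apex_b)),
        "only_a": sorted(hosts_a - hosts_b),
        "only_b": sorted(hosts_b - hosts_a),
    }


if __name__ == "__main__":
    report = infrastructure_overlap(LUADREAM_C2, KEYPLUG_C2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The apex-level comparison matters in practice: two families rarely reuse the exact same hostname, but distinct subdomains under one registered domain, or domains that follow the same naming convention on the same hosting provider, are the kind of signal the researchers describe. Extending `infrastructure_overlap` with passive-DNS resolutions or registrar data would turn host overlap into the hosting-provider overlap the report also cites.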

Another commonality is that both LuaDream and KEYPLUG support QUIC and WebSocket as C2 transport protocols. Shared protocol support of this kind points to shared requirements and possibly to a digital quartermaster supplying tooling to more than one operator.

“The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order,” they said. “The high-level execution flows of LuaDream and KEYPLUG are very similar.”

The use of Lua fits a broader trend among both state-sponsored and criminal threat actors: a growing preference for less common programming languages such as D (DLang) and Nim, chosen because unfamiliar runtimes tend to evade existing detections and help an implant persist in a victim environment for longer.

Over the past decade, only a handful of Lua-based malware families have been observed in the wild. The prominent examples are Flame, Animal Farm (also known as SNOWGLOBE), and Project Sauron, a select group of cases where Lua was used for sustained, low-profile operations.

“There are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular,” the researchers stated. “This highlights the complex nature of the Chinese threat landscape.”



About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
