It has been discovered that there is a strong coincidence in the targeting and tactics of Sandman, a mysterious advanced persistent threat (APT) that has been identified to use backdoors referred to as "Keypluggs," and KEYPLUG, a China-based threat cluster. 

Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the victim network alongside each other. 

Microsoft, SentinelLabs and PwC have collectively alerted consumers and businesses to the fact that threat actors who were allegedly linked to Chinese cybercriminals have deployed an advanced persistent threat (APT) referred to as Sandman to infiltrate IT environments with malware. 

An expert at SentinelOne, Aleksandar Milenkoski, said that Sandman has now been linked to STORM-0866/Red Dev 40, a threat actor aligned with the Chinese government's national interests, meaning that STORM-0866/Red Dev 40 targets Chinese companies. 

Following a series of cyberattacks carried out on telcos across the Middle East, Western Europe, and South Asia, Sandman was first identified in August. These attacks utilized a backdoor referred to as "LuaDream," which is a programming language that is based on Lua, as well as a backdoor titled "Keyplug," which is a programming language that is based on C++. 

SentinelOne revealed the existence of Sandman for the first time in September 2023, covering attacks on telecommunications providers in Europe, the Middle East, and South Asia by using an implant codenamed LuaDream that was used in its attacks. 

In August 2023, a record of intrusions was made. On the other hand, Storm-0866/Red Dev 40 refers to a cluster of APTs primarily targeting entities located in the Middle East and South Asia, such as telecommunication providers and government agencies, that represent an emerging APT network. 

Storm-0866 has several powerful tools at his disposal, one of which is KEYPLUG. This backdoor was first exposed by Google-owned Mandiant in the context of attacks conducted by the Chinese-based APT41 (also known as Brass Typhoon or Barium) actor between May 2021 and February 2022 in which he infiltrated six state government systems. 

The Recorded Future company reported earlier this month that the use of KEYPLUG was being used by a Chinese state-sponsored threat activity group it is tracking under the name RedGolf, which they claimed was "closely aligned with the threat activity produced by APT41/Barium. As part of its report, Mandiant informed the public that they first discovered the Keyplug backdoor in March 2022, which was used by a known Chinese group, APT41. 

Additionally, Microsoft and PwC teams discovered that the Keyplug backdoor was passed around to multiple other Chinese-based threat groups, according to the report. Researchers believe that the new obfuscation tools provided by Keyplug malware give the group a new advantage compared to previous versions. 

According to the report, the STORM-0866/Red Dev 40 cluster differs from the others because of specific malware characteristics, such as the unique encryption keys used to communicate with KEYPLUG command and control servers, as well as an increased sense of operational security, which can be attributed to the use of cloud-based reverse proxy infrastructure to hide the real locations where their C2 servers are hosted," says the report. 

According to the researchers, when they analyzed both the C2 configuration and the LuaDream and Keyplug malware strains, the overlaps were overwhelming, which can be interpreted as suggesting that their operators were seeking similar functional requirements. To grow, and effectively collaborate between the increasing number of Chinese APT groups, the report concluded, cyber security community members must share similar knowledge. 

There is a great deal of certainty that the constituent threat actors will continue to cooperate and coordinate, exploring new ways to enhance the functionality, flexibility, and stealthiness of their malware to further enhance the threat actors' threat. 

An influential example of how this can be applied is the adoption by developers of the Lua development paradigm. Overcoming the threat landscape requires a constant flow of information sharing between members of the threat intelligence research community. 

A few instances of espionage-motivated APTs historically considered Western or Western-aligned have been associated with Lua-based modular backdoors, such as LuaDream. This has proven to be a very rare occurrence and is often associated with APTs that are espionage-motivated. In our research on Sandman, we found that a broader set of cyberespionage threat actors are utilizing the Lua development paradigm because of its modularity, portability, and simplicity.