{
	"id": "e1fcd062-0521-400c-9a7f-9fe799c74e66",
	"created_at": "2026-04-06T00:07:51.72794Z",
	"updated_at": "2026-04-10T03:25:24.058682Z",
	"deleted_at": null,
	"sha1_hash": "284a2dc2aeaf7bae1d96c52ced85bbf5147070f2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46413,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:48:58 UTC\nAPT group: Sandman\nNames: Sandman (SentinelLabs)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2022\nDescription\n(SentinelLabs) In collaboration with QGroup GmbH, SentinelLabs observed over August 2023\na threat activity cluster targeting the telecommunication sector. The activities have been\nconducted by a threat actor of unknown origin using a novel modular backdoor based on the\nLuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in\nreference to what we suspect to be the backdoor’s internal name – DreamLand client.\nThe activities we observed are characterized by strategic lateral movement to specific targeted\nworkstations and minimal engagement, suggesting a deliberate approach aimed at achieving\nthe set objectives while minimizing the risk of detection.\nObserved\nSectors: Telecommunications.\nCountries: Middle East, Western Europe, and South Asia.\nTools used: LuaDream.\nInformation\nLast change to this card: 16 January 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6e7a3b00-6ff8-414a-b6b3-040ddcfd4e8c\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6e7a3b00-6ff8-414a-b6b3-040ddcfd4e8c\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6e7a3b00-6ff8-414a-b6b3-040ddcfd4e8c"
	],
	"report_names": [
		"showcard.cgi?u=6e7a3b00-6ff8-414a-b6b3-040ddcfd4e8c"
	],
	"threat_actors": [
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775791524,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/284a2dc2aeaf7bae1d96c52ced85bbf5147070f2.pdf",
		"text": "https://archive.orkl.eu/284a2dc2aeaf7bae1d96c52ced85bbf5147070f2.txt",
		"img": "https://archive.orkl.eu/284a2dc2aeaf7bae1d96c52ced85bbf5147070f2.jpg"
	}
}