{
	"id": "acd5ede8-4b0d-4c05-8427-0b4e00657755",
	"created_at": "2026-04-06T00:08:59.251594Z",
	"updated_at": "2026-04-10T03:27:36.748067Z",
	"deleted_at": null,
	"sha1_hash": "70343710d36c5141b56150dc562a1d1138c0ba9b",
	"title": "???????????? More on DreamLand",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70016,
	"plain_text": "More on DreamLand\r\nPublished: 2023-09-22 · Archived: 2026-04-05 17:51:23 UTC\r\nIn April, Kaspersky briefly described a new malware dubbed DreamLand in their APT trends report Q1 2023. Quote:\r\nIn March, we discovered a new malware strain actively targeting a government entity in Pakistan. We designated\r\nthis malware “DreamLand”. The malware is modular and utilizes the Lua scripting language in conjunction with\r\nits Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect. It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry\r\nout its activities. This is the first time we have seen Lua used by an APT threat actor since its use by AnimalFarm\r\nand Project Sauron.\r\nThe same malware is being used in more attacks, as described in a blog post published by SentinelOne yesterday: Sandman\r\nAPT\r\nThe post details an incident happened in August 2023 and gives additional information about two samples submitted to\r\nVirustotal. This blog post gives additional information on the samples uploaded to Virustotal.\r\nDreamLand - A brief analysis\r\nFile hash (SHA-256) File name Description\r\nceaec139a9370a4cd4eca876e7c4b3d51a013d3739b3f4d526fdfeab27cd2fc2 libcurl.dll Loader for UpdateCheck.dll\r\n0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf UpdateCheck.dll\r\nLoader for the main embedde\r\nLuaJIT orchestrator\r\n9bb5e7a76e66d105fa5a65728517b8d8f9465525465f92eb68a89705476b1d26 updater.ver\r\nContains\r\nencrypted/compressed/encod\r\ncompiled LuaJIT scripts\r\nThe loading chain of the avilable samples is as follows: libcurl.dll -\u003e UpdateCheck.dll -\u003e updater.ver\r\nThe initial file named libcurl.dll is an unconventional loader for the file UpdateCheck.dll . It dynamically resolves the\r\nAPI functions GetConsoleWindow and ShowWindow and calls the latter with the parameter SW_HIDE to hide its console\r\nwindow. 
Next, it patches the entry point of the process it was loaded into so that it calls the DLL's own exported function curl_easy_cleanup.\r\nPatched entry point of the host process:\r\nsub rsp,28          ; 0x28 bytes: 32-byte shadow space plus 8 bytes for 16-byte stack alignment\r\nmov rax, \u003clibcurl.curl_easy_cleanup\u003e\r\ncall rax\r\nThe exported function curl_easy_cleanup is an infinite loop:\r\n__int64 curl_easy_cleanup()\r\n{\r\n  DWORD TickCount;\r\n  DWORD v1;\r\n\r\n  do\r\n  {\r\n    // Sleep intervals derived from the tick count: up to ~277 s, then up to ~1 s, then a fixed ~12.3 s\r\n    TickCount = GetTickCount();\r\n    Sleep(TickCount % 0x43955);\r\n    v1 = GetTickCount();\r\n    Sleep(v1 % 0x433);\r\n    Sleep(0x3005u);\r\n  }\r\n  while ( GetCurrentProcessId() \u003e 4 );   // always true for a user-mode process (PID 4 is System), so the loop never exits\r\n  return 0i64;\r\n}\r\nAs we don't know which process loads libcurl.dll, it is unclear what the purpose of this patch is. It might be meant to keep the process running indefinitely. Finally, it loads the second-stage DLL UpdateCheck.dll and resolves its exported function curl_get_build_version. Before calling curl_get_build_version to execute UpdateCheck.dll, it tries to dynamically resolve the API functions AzApplicationOpen (azroles.dll) and DllEnumClassObjects (mshtml.dll) and calls them instead of curl_get_build_version if they exist in the process. This was probably done to stop the malware from running on certain systems or when specific security software is present.\r\nWhen curl_get_build_version in UpdateCheck.dll is executed, it first decompresses and decrypts an embedded payload that is internally named HttpClientLJ.dll. This payload is the main orchestrator and contains the LuaJIT interpreter for the compiled scripts stored in updater.ver. It seems to be based on an open-source project called TINN. After a memory module has been created from the raw payload, its entry point (DllMain) is called to run the normal and Lua initialization routines. Afterwards its exported function GetObjectInterface is called, which in turn loads the first compiled LuaJIT script. 
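The entry-point patch above leaves a recognisable 16-byte stub (sub rsp,28 / mov rax, imm64 / call rax) at the host's entry point. As an added example, not code from the original post or from the malware, the following Python helper scans an image or memory dump for that stub, decodes the absolute call target and maps it back to a loaded module and export. The module base, size, export RVA and the sample image are constructed for the demonstration and are not taken from a real infection.

```python
import struct

# Byte encoding of the stub the loader writes over the host entry point:
#   48 83 EC 28          sub rsp, 0x28
#   48 B8 <imm64>        mov rax, imm64
#   FF D0                call rax
STUB_HEAD = bytes.fromhex('4883EC2848B8')
STUB_TAIL = bytes.fromhex('FFD0')
STUB_LEN = len(STUB_HEAD) + 8 + len(STUB_TAIL)


def find_trampolines(buf):
    # Return a list of (offset, absolute target) for every stub found in buf.
    hits = []
    pos = buf.find(STUB_HEAD)
    while pos != -1:
        end = pos + STUB_LEN
        if end <= len(buf) and buf[end - 2:end] == STUB_TAIL:
            target = struct.unpack('<Q', buf[pos + 6:pos + 14])[0]
            hits.append((pos, target))
        pos = buf.find(STUB_HEAD, pos + 1)
    return hits


def resolve_target(target, modules):
    # modules maps a module name to (base, size, {export name: RVA}).
    # Returns (module, export); export is None when the target is inside a
    # module but does not start an export, both are None when it is unmapped.
    for name, (base, size, exports) in modules.items():
        if base <= target < base + size:
            rva = target - base
            for export, export_rva in exports.items():
                if export_rva == rva:
                    return name, export
            return name, None
    return None, None


def check_entry_point(image, entry_rva, modules):
    # Report whether the entry point at entry_rva starts with the stub and where it lands.
    window = image[entry_rva:entry_rva + STUB_LEN]
    hits = [h for h in find_trampolines(window) if h[0] == 0]
    if not hits:
        return {'patched': False}
    target = hits[0][1]
    module, export = resolve_target(target, modules)
    return {'patched': True, 'target': target, 'module': module, 'export': export}


# Constructed sample (hypothetical addresses): a host image whose entry point at
# RVA 0x1000 was overwritten with a stub calling libcurl!curl_easy_cleanup.
LIBCURL_BASE = 0x7FFB10000000
MODULES = {
    'libcurl.dll': (LIBCURL_BASE, 0x40000, {'curl_easy_cleanup': 0x2370}),
}
SAMPLE_IMAGE = bytearray(0x2000)
SAMPLE_IMAGE[0x1000:0x1000 + STUB_LEN] = (
    STUB_HEAD + struct.pack('<Q', LIBCURL_BASE + 0x2370) + STUB_TAIL
)

if __name__ == '__main__':
    print(check_entry_point(bytes(SAMPLE_IMAGE), 0x1000, MODULES))
```

On a live system the module map would come from the process's module list and the export tables of those modules. The stub on its own is a weak signal, since any loader can emit the same three instructions, so pair it with the other indicators in this post, in particular a target that resolves to an export of a DLL named libcurl.dll that does not behave like libcurl.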
This script is a loader that decodes, decompresses, decrypts and runs the main module together with the configuration data, which is as follows:\r\n45/index/ssl.explorecell.com15443\r\nThe main module contains the remaining compiled LuaJIT scripts, which carry the following names:\r\nAcom_define\r\nBGetSystemMsg\r\nmain\r\nmain_proto_WinHttpClient\r\nmain_proto_WinHttpServer\r\nmain_z_protoInterface\r\nthread_connect\r\nthread_recv\r\nthread_send\r\nthread_test\r\nYou can find all decompiled scripts in the Download section. As none of the current open-source Lua decompilers was able to successfully decompile the LuaJIT scripts, I've used an online service named Lua Decompiler.\r\nFile hash (SHA-256) | File name | Description\r\n772293288ddc6c41dbe003e352b22a2c560a56023bc78c87bfef806482f1bf22 | Comx64.dll | Loader for shellcode\r\nA further sample submitted to VirusTotal has a list of exported functions that looks very similar to that of UpdateCheck.dll; it is likely from the same developer.\r\nIt decrypts the following file path, whose content it then tries to read, decrypt and execute:\r\nC:\\ProgramData\\Package Cache\\{Ff964C81-895B-4433-A23F-42F30B600D93}.v102.sys\\sys.dat\r\nUnfortunately, we don't have the shellcode, so this is where the analysis ends.\r\nConclusion\r\nThe use of (compiled) LuaJIT scripts rather than the more common Lua scripts used in malware in the past makes DreamLand an interesting piece of software. 
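A small hunting script, added here as an example and not part of the original analysis or the author's tooling, that checks a host for the Comx64.dll staging path described above and for files matching the four sample hashes listed under IOCs below. The ProgramData location and the directory to walk are passed in as parameters, so the same function can run over a mounted disk image; the path components and hashes are taken from this post, the function names and everything else are assumptions of the example.

```python
import hashlib
import os

# Sample hashes from the IOC section of this post, mapped to what each file is.
DREAMLAND_SHA256 = {
    'ceaec139a9370a4cd4eca876e7c4b3d51a013d3739b3f4d526fdfeab27cd2fc2': 'libcurl.dll (loader)',
    '0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf': 'UpdateCheck.dll (loader)',
    '9bb5e7a76e66d105fa5a65728517b8d8f9465525465f92eb68a89705476b1d26': 'updater.ver (LuaJIT scripts)',
    '772293288ddc6c41dbe003e352b22a2c560a56023bc78c87bfef806482f1bf22': 'Comx64.dll (shellcode loader)',
}

# Staging file read by Comx64.dll, as path components relative to ProgramData.
# The content is encrypted shellcode, so only the presence of the file is checked.
COMX64_STAGING = ('Package Cache', '{Ff964C81-895B-4433-A23F-42F30B600D93}.v102.sys', 'sys.dat')


def sha256_file(path, chunk=1 << 20):
    # Hash a file in chunks so large files do not have to be read into memory at once.
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def staging_path(program_data):
    return os.path.join(program_data, *COMX64_STAGING)


def hunt(root, program_data):
    # Returns a list of (path, description) for every artifact found:
    # the Comx64.dll staging file under program_data, and any file below root
    # whose SHA-256 matches one of the known samples.
    findings = []
    staging = staging_path(program_data)
    if os.path.isfile(staging):
        findings.append((staging, 'Comx64.dll staging file (encrypted shellcode)'))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked, unreadable or vanished files are skipped rather than aborting the sweep.
                continue
            if digest in DREAMLAND_SHA256:
                findings.append((path, DREAMLAND_SHA256[digest]))
    return findings


if __name__ == '__main__':
    # On Windows ProgramData is taken from the environment; elsewhere the default simply does not exist.
    program_data = os.environ.get('ProgramData', 'C:/ProgramData')
    for found_path, what in hunt(program_data, program_data):
        print(found_path, what)
```

Hash matching only catches the exact samples discussed here; a recompiled loader with a different hash slips through, so treat the staging path and the C2 domain as the more durable indicators.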
SentinelOne's investigation also concludes that it appears to be a work in progress, so we will likely see more incidents in which this malware is used.\r\nIOCs\r\nSamples (SHA-256)\r\nceaec139a9370a4cd4eca876e7c4b3d51a013d3739b3f4d526fdfeab27cd2fc2\r\n0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf\r\n9bb5e7a76e66d105fa5a65728517b8d8f9465525465f92eb68a89705476b1d26\r\n772293288ddc6c41dbe003e352b22a2c560a56023bc78c87bfef806482f1bf22\r\nC2 domain\r\nssl[.]explorecell[.]com\r\nDownload\r\nSamples and compiled/decompiled LuaJIT scripts (pw: “dreamland_infected”): DreamLand.zip\r\nSource: https://r136a1.dev/2023/09/22/more-on-dreamland/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://r136a1.dev/2023/09/22/more-on-dreamland/"
	],
	"report_names": [
		"more-on-dreamland"
	],
	"threat_actors": [
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fde2d10-cf90-4eae-a249-838a36f76075",
			"created_at": "2023-12-19T02:00:06.26466Z",
			"updated_at": "2026-04-10T02:00:03.498264Z",
			"deleted_at": null,
			"main_name": "Sandman APT",
			"aliases": [],
			"source_name": "MISPGALAXY:Sandman APT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775791656,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70343710d36c5141b56150dc562a1d1138c0ba9b.pdf",
		"text": "https://archive.orkl.eu/70343710d36c5141b56150dc562a1d1138c0ba9b.txt",
		"img": "https://archive.orkl.eu/70343710d36c5141b56150dc562a1d1138c0ba9b.jpg"
	}
}