{
	"id": "9c69110a-730a-4333-bba8-3a5453963ec9",
	"created_at": "2026-04-06T00:09:07.787005Z",
	"updated_at": "2026-04-10T13:12:44.320665Z",
	"deleted_at": null,
	"sha1_hash": "9a538758dacf99fe2d195aec9177121a47878920",
	"title": "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3221046,
	"plain_text": "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit\r\nBy Aleksandar Milenkoski, in collaboration with QGroup\r\nPublished: 2023-09-21 · Archived: 2026-04-05 14:52:53 UTC\r\nExecutive Summary\r\nSentinelLABS has observed a new threat activity cluster by an unknown threat actor we have dubbed\r\nSandman.\r\nSandman has been primarily targeting telecommunication providers in the Middle East, Western Europe,\r\nand the South Asian subcontinent.\r\nThe activities are characterized by strategic lateral movements and minimal engagements, likely to\r\nminimize the risk of detection.\r\nSandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare\r\noccurrence in the threat landscape. We refer to this malware as LuaDream.\r\nThe implementation of LuaDream indicates a well-executed, maintained, and actively developed project of\r\na considerable scale.\r\nAt this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any\r\nknown threat actors. While the development style is historically associated with a specific type of advanced\r\nthreat actor, inconsistencies between the high-end development of the malware and poor segmentation\r\npractices lead us towards the possibility of a private contractor or mercenary group similar to Metador.\r\nOverview\r\nIn collaboration with QGroup GmbH, SentinelLABS observed over August 2023 a threat activity cluster targeting\r\nthe telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a\r\nnovel modular backdoor based on the LuaJIT platform. 
We dub this threat actor and the backdoor Sandman and\r\nLuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.\r\nThe activities we observed are characterized by strategic lateral movement to specific targeted workstations and\r\nminimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the\r\nrisk of detection.\r\nThe implementation and architecture of LuaDream suggest a maintained, versioned project under active\r\ndevelopment. This is a modular, multi-protocol backdoor whose main functionalities are:\r\nexfiltrating system and user information, paving the way for further precision attacks;\r\nmanaging attacker-provided plugins that extend LuaDream’s features.\r\nhttps://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/\r\nPage 1 of 12\n\nAlthough the intrusions were detected and interrupted before the threat actor could deploy plugins, our analysis of\r\nLuaDream staging samples shared on VirusTotal provided a glimpse into what functionalities the plugins may\r\nimplement, with command execution capabilities being one example.\r\nThe 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication\r\nindicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart\r\nanalysis while deploying the malware directly into memory. LuaDream’s implementation and staging process\r\nleverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make\r\nmalicious Lua script code difficult to detect.\r\nA Penchant for Telcos\r\nBased on current visibility, accurate clustering remains a challenge. The focussed, strategy-driven activities, and\r\nthe use of complex malware designed to evade detection point to a motivated and capable adversary. 
The TTPs,\r\nvictimology, and the characteristics of the deployed malware indicate that it is highly likely this activity has\r\nespionage motivations. Communication providers are frequent targets of espionage activity due to the sensitive\r\ndata they hold.\r\nThe activity cluster we observed and examination of C2 netflow data indicate a pronounced focus on targeting\r\ntelecommunications providers with a broad geographical distribution, including the Middle East, Western Europe,\r\nand the South Asian subcontinent.\r\nGeographical distribution of victims\r\nCompilation timestamps and a string artifact found within LuaDream hint at potential malware development\r\nefforts over the first half of 2022, suggesting possible threat actor activity dating back to 2022.\r\nWhile we cannot associate LuaDream with any known threat actor, we lean towards the possibility of a private\r\ncontractor or mercenary group. LuaJIT is typically used as scripting middleware in gaming and specialty embedded\r\napplications and appliances; its use in the context of APT malware is relatively rare, but the population\r\nusing it is becoming broader.\r\nEmbedded Lua VMs serve as a mechanism for modularity and extensibility for advanced APTs, historically\r\nconsidered Western or Western-aligned. However, this development paradigm is being embraced by a broader set\r\nof threat actors that also target Western countries and deserves further scrutiny, as exemplified by the Sandman\r\nAPT. Our talk at LABScon 2023 described this paradigm of development over time, bookended by our discovery\r\nof Sandman APT as the latest example, along with Fast16 as the earliest example dating back to 2005.\r\nIn March 2023, Kaspersky briefly described, in a quarterly roundup, new malware actively targeting a\r\ngovernment entity in Pakistan. 
Based on the sparsely described characteristics, we assess that they’re referring to a\r\nvariant of LuaDream, dubbed DreamLand. Note the following string in the LuaDream samples we identified:\r\nC:\\\\project\\\\tenyears\\\\DreamLandClient\\\\Project\\\\cpp\\\\HttpClientLj\\\\testdll.dll\r\nThreat Actor Activities\r\nThe activities we observed took place over several weeks in August 2023. After stealing administrative credentials\r\nand conducting reconnaissance, Sandman infiltrated specifically targeted workstations using the pass-the-hash\r\ntechnique over the NTLM authentication protocol. On one of the targets, all of the workstations were assigned to\r\npersonnel in managerial positions.\r\nOn average, we observed a five-day gap between infiltrations into different endpoints. After gaining access,\r\nSandman limited its activities to deploying folders and files required for loading and executing LuaDream,\r\nrefraining from any further actions. We observed the following deployed filesystem artifacts:\r\nC:\\Windows\\System32\\ualapi.dll\r\nC:\\ProgramData\\FaxConfig\\fax.dat\r\nC:\\ProgramData\\FaxConfig\\fax.cache\r\nC:\\ProgramData\\FaxConfig\\fax.module\r\nC:\\ProgramData\\FaxConfig\\fax.Application\r\nC:\\ProgramData\\FaxLib\\\r\nSandman abused the DLL hijacking technique to execute LuaDream. The ualapi.dll file they placed is a\r\nmalicious DLL masquerading as its legitimate counterpart (a User Access Logging (UAL) component) and\r\nrepresents the first stage of the intricate LuaDream loading process. The ualapi.dll library is loaded by the\r\nFax and the Spooler Windows service when started. We observed the Spooler service loading the malicious\r\nualapi.dll on the targeted workstations, executing LuaDream in its context.\r\nIt is relevant to note that we did not observe the threat actor restarting the Fax or Spooler service to force\r\nthe execution of LuaDream, likely to evade detection based on service manipulation. 
Instead, they were patient in\r\nwaiting for one of these services to load the malicious ualapi.dll when started at the next system boot.\r\nLuaDream | Staging\r\nThe LuaDream staging process is intricate and designed with a focus on evading detection and thwarting analysis.\r\nInitiated by the Fax or the Spooler service, which would execute the UalStart export of the malicious\r\nualapi.dll when started, the overall process consists of seven main stages. These are conducted fully in\r\nmemory and involve a combination of fully-formed DLL PE images, code, and LuaJIT bytecode.\r\nThe following table shows DLL images involved in LuaDream staging:\r\nName | Compilation timestamp | Exports\r\nualapi.dll | Wed Aug 09 18:24:18 2023 | UalInstrument, UalStart, UalStop\r\nMemoryLoadPex64.dll | Wed Mar 22 23:55:07 2023 | ProtectMain\r\ncommon.dll | Wed Aug 09 18:21:18 2023 | jsadebugd\r\nAlthough the DLL timestamps could have been manipulated by the threat actor, given the proximity to the August\r\n2023 intrusion date, it is likely that the timestamps are authentic. Due to the difference of only a few days between\r\nthe timestamps of ualapi.dll and common.dll, and their actual deployment dates, it is possible that these\r\nimages have been built specifically for this intrusion.\r\nSome of the implemented anti-analysis measures include hiding LuaDream’s threads from a debugger using the\r\nNtSetInformationThread function, a file close operation on an invalid handle (0x123456), detection of Wine-based sandboxes, and in-memory mapping of malicious PE images to evade EDR API hooks and file-based\r\ndetections.\r\nLuaDream staging\r\nNext-stage code is typically packed using a combination of XOR-based encryption and compression. 
The\r\nfax.dat, fax.Application, and fax.module files store packed staging code. The code unpacked from\r\nfax.Application contains a LuaJIT engine enabling the execution of the LuaJIT components internally referred\r\nto as interface and crt, as well as LuaDream itself.\r\ninterface unpacks crt from fax.module, which in turn retrieves XML-formatted configuration and the\r\ncontents of the fax.cache file – an encrypted and compressed Lua function, which returns the reference names\r\nand implementations of LuaDream components in Base64-encoded form.\r\nfax.cache (unpacked form)\r\nThe LuaDream configuration includes C2 and communication protocol information. The LuaDream variant we\r\nanalyzed is configured to communicate with the mode.encagil[.]com domain over the WebSocket protocol.\r\nConfiguration data\r\nLuaDream | Overview\r\nLuaDream is a multi-component and multi-protocol backdoor, whose main features are managing attacker-provided plugins and exfiltrating system and user information. The implementation and architecture of LuaDream\r\nindicate that it is a maintained, actively developed project of a considerable scale.\r\nThroughout our analysis, we observed what is likely a malware version string (12.0.2.5.23.29), which the\r\nbackdoor sends to the C2 server when exfiltrating information. Many LuaDream function and variable definitions\r\nfollow a naming convention involving the word fun, such as dofun, _RUN_FUN_LIST_, and\r\nFunGetDataCache.\r\nLuaDream implements testing functions as well as error and execution status logging, which indicates that the\r\nmalware is likely still in active development. 
A string artifact in a function labeled com_TestJson suggests\r\npotential development in June 2022.\r\nTesting functions (decompiled LuaJIT bytecode)\r\nWe observed the embedded private IP address 10.2.101[.]99 to which LuaDream binds the communication port\r\n4443, if so configured. This address does not belong to the IP address spaces of the targeted environments. The\r\nIP address may be a leftover from an in-development LuaDream variant or from a previous Sandman engagement.\r\nLuaDream | Components And Features\r\nThe LuaDream variant we obtained from the targeted environments consists of 34 components: 13 core and 21\r\nsupport components. They are implemented in LuaJIT bytecode and use the Windows API through the ffi library\r\nusing C language bindings.\r\nThe support components implement Lua libraries as well as Windows API definitions required for LuaDream’s\r\noperation, such as xml2lua, Windows Sockets, and NtSec API.\r\nThe core components implement LuaDream features, such as initialization, gathering system and user\r\ninformation, C2 communication, and plugin management. As per the component definitions from the fax.cache\r\nfile, the core LuaDream components are structured into two categories: .com and .main.\r\nLuaDream core components\r\nWith the main component initializing LuaDream, the backdoor connects to the configured C2 server and\r\nexfiltrates system, user, and malware-related information gathered by BGetSystemMsg. This information includes\r\nthe malware version, assigned IP and MAC addresses, OS version, available memory, and the name, PID, and\r\nusername associated with the process in whose context LuaDream runs.\r\nExfiltrated information\r\nLuaDream has the capability to reach out to C2 servers but also to act as an implant listening for incoming\r\nconnections. 
The backdoor can communicate over the TCP, HTTPS, WebSocket, and QUIC protocols. The\r\nmain_proto_X_TcpClient, main_proto_WinHttpClient, main_proto_X_WebSocketClient, and\r\nmain_proto_X_QuicClient components implement support for these protocols, with main_z_protoInterface\r\nacting as their main handler.\r\nProtocol handling (decompiled LuaJIT bytecode)\r\nThe main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com\r\nservice, which main_proto_X_WebSocketClient uses for resolving C2 domain names.\r\nmain_proto_X_QuicClient draws functionalities from a DLL image which LuaDream maps fully in memory, a\r\nfunctionality implemented by the Acom_LoadDLL component.\r\nLuaDream communicates with a C2 server using the thread_connect, thread_send, and thread_recv\r\ncomponents, which are responsible for connecting to, sending data to, and receiving data from the C2 server,\r\nrespectively. These components operate in separate threads. The exchanged data is in JSON and XML format, in\r\nan encrypted and compressed form. The Acom_define component provides functionalities for inter-thread\r\ncommunication and data manipulation.\r\nThe thread_recv component handles incoming messages and its main purpose is to manage attacker-provided\r\nplugins that extend LuaDream. Some functionalities of this component include:\r\ntaking LuaDream offline (command offline);\r\nloading, executing (command loadplugin), unloading (command unloadplugin), and saving plugins\r\n(command saveplugin);\r\nexecuting an attacker-specified plugin functionality.\r\nLuaDream maintains a key-based list of plugin information, which includes the handle and the ID of the thread in\r\nwhich the plugin runs, and a plugin-identifying key. 
Loading of a plugin involves inserting a new entry in this list\r\nand executing plugin code in a designated thread. For communicating with plugins, LuaDream leverages inter-thread communication, using the message 1234 for executing plugin functionalities.\r\nLuaDream plugin list (from decompiled LuaJIT bytecode)\r\nOur analysis of LuaDream staging samples shared on VirusTotal revealed the existence of two additional\r\ncomponents named main_proto_WinHttpServer and thread_test. main_proto_WinHttpServer implements a\r\nLuaDream capability to listen for incoming connections based on the Windows HTTP server API. thread_test\r\nimplements functions for testing the loadplugin and saveplugin commands. These functions indicate the\r\nexistence of a plugin named cmd, whose name suggests command execution capabilities.\r\ncmd plugin references\r\nNetwork Infrastructure\r\nThe LuaDream samples we analyzed communicate with the C2 servers ssl.explorecell[.]com and\r\nmode.encagil[.]com. ssl.explorecell[.]com is a Tucows-registered domain with a first-seen resolution date\r\nof March 2023. This domain last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by\r\nthe ITLDC hosting provider.\r\nmode.encagil[.]com is an Arsys-registered domain with a first-seen resolution date of August 2023. The domain\r\nlast resolved to 172.67.173[.]208 and 104.21.47[.]226, IP addresses of a server hosted behind a major load\r\nbalancing platform. 
The shift from using a directly exposed C2 server IP address to addresses of a load balancing\r\ninfrastructure marks a change in Sandman’s infrastructure management practices – likely to avoid exposing the\r\ntrue hosting location.\r\nExamination of C2 netflow data revealed a lack of comprehensive C2 infrastructure segmentation, with several\r\nLuaDream deployments at geographically dispersed victim environments communicating with the same C2 server.\r\nConclusions\r\nAttribution of Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive\r\nthreat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous\r\ninnovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware\r\narsenal.\r\nNavigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within\r\nthe threat intelligence research community. SentinelLABS remains dedicated to this mission and hopes that this\r\npublication will serve as a catalyst for further collaborative efforts. 
We are grateful for the contributions of Luca\r\nPalermo from the SentinelOne EMEA IR TAM team, who assisted with the initial investigations and remediation\r\nof the threat.\r\nIndicators of Compromise\r\nLuaDream Folder File paths\r\n%ProgramData%\\FaxConfig\r\n%ProgramData%\\FaxLib\r\nC2 Server Domains\r\nmode.encagil[.]com\r\nssl.explorecell[.]com\r\nSource: https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
	],
	"report_names": [
		"sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fde2d10-cf90-4eae-a249-838a36f76075",
			"created_at": "2023-12-19T02:00:06.26466Z",
			"updated_at": "2026-04-10T02:00:03.498264Z",
			"deleted_at": null,
			"main_name": "Sandman APT",
			"aliases": [],
			"source_name": "MISPGALAXY:Sandman APT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba626326-d049-472c-ba57-b64943d96dc2",
			"created_at": "2023-11-05T02:00:08.075744Z",
			"updated_at": "2026-04-10T02:00:03.398399Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [],
			"source_name": "MISPGALAXY:Metador",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "afa52232-4252-4c67-ac65-6e60eb113fde",
			"created_at": "2023-04-26T02:03:03.138144Z",
			"updated_at": "2026-04-10T02:00:05.366656Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [
				"Metador"
			],
			"source_name": "MITRE:Metador",
			"tools": [
				"metaMain",
				"Mafalda"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a538758dacf99fe2d195aec9177121a47878920.pdf",
		"text": "https://archive.orkl.eu/9a538758dacf99fe2d195aec9177121a47878920.txt",
		"img": "https://archive.orkl.eu/9a538758dacf99fe2d195aec9177121a47878920.jpg"
	}
}