{
	"id": "84b67f56-5825-4937-9999-2aa69634c645",
	"created_at": "2026-04-06T00:14:13.942031Z",
	"updated_at": "2026-04-10T13:12:57.418642Z",
	"deleted_at": null,
	"sha1_hash": "a22e30a1698902de3fb737da5de1cbe890b23fa7",
	"title": "Sandman APT | China-Based Adversaries Embrace Lua",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1808203,
	"plain_text": "Sandman APT | China-Based Adversaries Embrace Lua\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-12-11 · Archived: 2026-04-05 16:12:46 UTC\r\nBy Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence\r\nExecutive Summary\r\nThe Sandman APT is likely associated with suspected China-based threat clusters known to use the\r\nKEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at LabsCon 2023 –\r\nSTORM-0866/Red Dev 40.\r\nSandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in\r\nthe same victim environments.\r\nSandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including\r\nhosting provider selections and domain naming conventions.\r\nThe implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and\r\noverlaps in functionality and design, suggesting shared functional requirements on the part of their operators.\r\nThe use of the Lua development paradigm in the cyberespionage domain, historically associated with\r\nactors considered Western or Western-aligned, is likely being adopted by a broader range of adversaries,\r\nincluding those with ties to China.\r\nOverview\r\nIn this report, SentinelLABS, Microsoft, and PwC threat intelligence researchers provide attribution-relevant\r\ninformation on the Sandman APT cluster, positioning this threat within the broader threat landscape. We highlight\r\nlinks between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor –\r\nSTORM-0866/Red Dev 40. This includes victimology overlaps, cohabitation, and shared C2 infrastructure\r\ncontrol and management practices.\r\nSTORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and\r\nthe South Asian subcontinent, including telecommunication providers and government entities. 
These are regions\r\nand sectors where we also observed Sandman activity. The modular backdoor KEYPLUG is a staple in STORM-0866/Red Dev 40’s arsenal. Mandiant first reported on KEYPLUG as part of intrusions into U.S. government\r\nentities by the Chinese APT group APT41.\r\nMicrosoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG,\r\nincluding STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among\r\nmultiple suspected China-based groups, was presented at LabsCon 2023. They distinguish STORM-0866/Red Dev\r\n40 from the other clusters based on specific malware characteristics, such as unique encryption keys for\r\nKEYPLUG C2 communication, and a higher degree of operational security, such as relying on Cloud-based reverse\r\nproxy infrastructure to hide the true hosting locations of their C2 servers.\r\nhttps://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/\r\nPage 1 of 10\n\nSentinelLABS and Microsoft have observed Sandman’s LuaDream and KEYPLUG implants cohabiting in the\r\nsame victim environments, in some cases on the same endpoints. LuaDream is a maintained modular\r\nbackdoor based on LuaJIT, with version 11.0.2.1.23.1 observed in March 2023 and version 12.0.2.5.23.29\r\nobserved in August 2023. In one instance, the KEYPLUG malware had been deployed approximately 3 months\r\nprior to LuaDream (in May 2023). LuaDream and KEYPLUG were active at the same time for approximately 2\r\nweeks until both threats were remediated. 
During this time period, we did not observe any contestation or\r\ndeconfliction activities by the LuaDream or KEYPLUG operators.\r\nA close examination of the implementation and C2 infrastructure of these distinct malware strains revealed\r\nindicators of shared development as well as shared infrastructure control and management practices, and some overlaps\r\nin functionality and design, suggesting shared functional requirements on the part of their operators.\r\nThe findings we present are yet another showcase of the complex nature of the China-based threat landscape. As\r\nexemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and\r\ncoordination among its constituent threat groups, along with the possibility of third-party vendors supplying the\r\noperational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the\r\nassociation of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track\r\nSandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.\r\nLua-based modular backdoors, such as LuaDream, have been observed relatively rarely and often in the context of\r\nespionage-motivated APTs historically considered Western or Western-aligned. Our findings on Sandman indicate\r\nthat the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the\r\nmodularity, portability, and simplicity that the Lua scripting language offers.\r\nSandman and STORM-0866/Red Dev 40 Infrastructure\r\nThe SSL certificate assigned to the LuaDream C2 domain ssl.explorecell[.]com has also been used on\r\nservers with the IPs 185.51.134[.]27 (between March and April 2023) and 45.80.148[.]151 (in March 2023).\r\n185.51.134[.]27 is allocated to the Estonian VPS service provider EstNOC and 45.80.148[.]151 to the\r\nRomanian provider HOSTGW SRL. 
ssl.explorecell[.]com last resolved to 185.82.218[.]230, an IP address\r\nof a server hosted in Bulgaria by the ITLDC hosting provider.\r\nThumbprint: fc8fdf58cd945619cbfede40ba06aada10de9459\r\nSerial number: 364670096077097330220756280372394037039639\r\nCommon Name: ssl.explorecell[.]com\r\nApproximately 4 months later (in August 2023), the server at 185.51.134[.]27 used an SSL certificate issued for\r\nthe domain dan.det-ploshadka[.]com. This domain last resolved to 79.110.52[.]160, a server hosted by the\r\nRomanian service provider M247.\r\nThumbprint: a7932112b7880c95d77bc36c6fcced977f4a5889\r\nSerial number: 365025056055127017786055050446086862849019\r\nCommon Name: dan.det-ploshadka[.]com\r\nMicrosoft and PwC have observed dan.det-ploshadka[.]com being used as a KEYPLUG C2 server and attribute\r\nthe domain with high confidence to STORM-0866/Red Dev 40. This assessment is primarily based on the use of\r\nRC4 keys for encrypting C2 data that are unique to STORM-0866/Red Dev 40, as well as the use of known STORM-0866/Red Dev 40 malware in the same intrusions.\r\nThe dan.det-ploshadka[.]com certificate has also been used on the servers with IPs 45.90.59[.]17 (between July\r\nand September 2023), 45.129.199[.]122 (in September 2023), and 146.70.157[.]20 (in June 2023).\r\nAnother certificate, issued for the domain ssl.e-novauto[.]com, was also used on 146.70.157[.]20 in May\r\n2023. ssl.e-novauto[.]com, which shares a subdomain naming convention with the\r\nssl.explorecell[.]com Sandman domain, last resolved to 172.67.216[.]63 (an IP address of a Cloud-based\r\nreverse proxy infrastructure). 
146.70.157[.]20 is allocated to the Romanian hosting service provider M247.\r\nThumbprint: b6d759c9ea5d2136bacb1b2289a31c33500c8de8\r\nSerial number: 59961237898726280462746217792430024401815283068\r\nCommon Name: ssl.e-novauto[.]com\r\nAs with dan.det-ploshadka[.]com, Microsoft and PwC have observed the ssl.e-novauto[.]com\r\ndomain being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40.\r\nAmong the other server IPs on which the ssl.e-novauto[.]com certificate was used (5.255.88[.]188 in\r\nOctober 2022; 5.2.67[.]176 between March and May 2023; 5.2.72[.]130 in April 2022; 37.120.140[.]205\r\nbetween March 2022 and May 2023; and 185.38.142[.]129 between October 2022 and January 2023),\r\n5.2.67[.]176 has been the resolving IP for the ssl.articella[.]com domain since January 2023. This domain\r\nshares a naming convention with the ssl.e-novauto[.]com STORM-0866/Red Dev 40 domain and the\r\nssl.explorecell[.]com Sandman domain.\r\nInfrastructure overview\r\nPwC tracks STORM-0866/Red Dev 40 as a distinct cluster from the other threat groups using the KEYPLUG\r\nmalware based on their frequent use of Cloud-based reverse proxy infrastructure, likely as an operational security\r\nmeasure to avoid exposing the true hosting locations. 
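The certificate-reuse chains laid out in this section can be reproduced mechanically, which is useful when the same pivot has to be repeated against a larger set of sightings. The Python below is an added example written for this page, not code from SentinelLABS, Microsoft or PwC. It takes the certificate-on-IP sightings exactly as this section lists them (month windows as the report states them), finds hosts that served certificates attributed to more than one cluster, measures the hand-over gap on such a host, and groups C2 domains that are linked through shared servers. The cluster labels, the month granularity and the constant names are this example’s own simplifications.

```python
# Added example for this page (not SentinelLABS, Microsoft or PwC code):
# pivot on TLS certificate reuse across hosting IPs to link C2 domains.
# The sightings below are copied from the report; windows are YYYY-MM as the
# report gives them, and the cluster labels are this example's own tags.
from collections import defaultdict

T_EXPLORECELL = 'fc8fdf58cd945619cbfede40ba06aada10de9459'
T_PLOSHADKA = 'a7932112b7880c95d77bc36c6fcced977f4a5889'
T_NOVAUTO = 'b6d759c9ea5d2136bacb1b2289a31c33500c8de8'

# thumbprint -> (certificate common name, cluster the report attributes it to)
CERTS = {
    T_EXPLORECELL: ('ssl.explorecell[.]com', 'Sandman (LuaDream)'),
    T_PLOSHADKA: ('dan.det-ploshadka[.]com', 'STORM-0866/Red Dev 40 (KEYPLUG)'),
    T_NOVAUTO: ('ssl.e-novauto[.]com', 'STORM-0866/Red Dev 40 (KEYPLUG)'),
}

# (thumbprint, server IP, first month seen, last month seen)
SIGHTINGS = [
    (T_EXPLORECELL, '185.51.134[.]27', '2023-03', '2023-04'),
    (T_EXPLORECELL, '45.80.148[.]151', '2023-03', '2023-03'),
    (T_PLOSHADKA, '185.51.134[.]27', '2023-08', '2023-08'),
    (T_PLOSHADKA, '45.90.59[.]17', '2023-07', '2023-09'),
    (T_PLOSHADKA, '45.129.199[.]122', '2023-09', '2023-09'),
    (T_PLOSHADKA, '146.70.157[.]20', '2023-06', '2023-06'),
    (T_NOVAUTO, '146.70.157[.]20', '2023-05', '2023-05'),
    (T_NOVAUTO, '5.255.88[.]188', '2022-10', '2022-10'),
    (T_NOVAUTO, '5.2.67[.]176', '2023-03', '2023-05'),
    (T_NOVAUTO, '5.2.72[.]130', '2022-04', '2022-04'),
    (T_NOVAUTO, '37.120.140[.]205', '2022-03', '2023-05'),
    (T_NOVAUTO, '185.38.142[.]129', '2022-10', '2023-01'),
]


def month_index(ym):
    # 'YYYY-MM' -> a month counter, so gaps can be computed by subtraction.
    year, month = ym.split('-')
    return int(year) * 12 + int(month)


def certs_by_ip(sightings):
    # Group sightings per server IP, ordered by first-seen month, so the
    # sequence of certificates a host served is visible at a glance.
    by_ip = defaultdict(list)
    for thumb, ip, first, last in sightings:
        by_ip[ip].append((first, last, thumb))
    return {ip: sorted(rows) for ip, rows in by_ip.items()}


def bridging_ips(sightings, certs):
    # Hosts that served certificates attributed to more than one cluster.
    # These are the pivots that tie otherwise separate clusters together.
    out = {}
    for ip, rows in certs_by_ip(sightings).items():
        clusters = []
        for _first, _last, thumb in rows:
            cluster = certs[thumb][1]
            if cluster not in clusters:
                clusters.append(cluster)
        if len(clusters) > 1:
            out[ip] = clusters
    return out


def handover_gap_months(sightings, ip, old_thumb, new_thumb):
    # Months between the last sighting of old_thumb and the first sighting
    # of new_thumb on the same host (the report's 'approximately 4 months').
    rows = [r for r in sightings if r[1] == ip]
    last_old = max(month_index(r[3]) for r in rows if r[0] == old_thumb)
    first_new = min(month_index(r[2]) for r in rows if r[0] == new_thumb)
    return first_new - last_old


def linked_domains(sightings, certs):
    # Union-find over certificate common names: two domains are linked when
    # their certificates were served from the same IP at any time.
    parent = {cn: cn for cn, _cluster in certs.values()}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for rows in certs_by_ip(sightings).values():
        domains = sorted({certs[thumb][0] for _f, _l, thumb in rows})
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(list)
    for cn in parent:
        groups[find(cn)].append(cn)
    return sorted(sorted(g) for g in groups.values())


if __name__ == '__main__':
    for ip, clusters in bridging_ips(SIGHTINGS, CERTS).items():
        print(ip, 'served', ' then '.join(clusters))
    gap = handover_gap_months(SIGHTINGS, '185.51.134[.]27', T_EXPLORECELL, T_PLOSHADKA)
    print('certificate hand-over gap on 185.51.134[.]27:', gap, 'months')
    for group in linked_domains(SIGHTINGS, CERTS):
        print('linked through shared hosts:', ', '.join(group))
```

Run as a script it reports 185.51.134[.]27 as the only host that served certificates from both clusters (the LuaDream certificate first, the KEYPLUG certificate four months later) and a single component containing all three domains, with 146.70.157[.]20 linking the two KEYPLUG certificates to each other. Replacing SIGHTINGS with your own passive-DNS or scan-derived certificate observations is the intended use; note that a shared host is a weaker link than a shared key or shared code, which is why the report treats it as one overlap among several.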
We observed the same reliance on Cloud-based reverse proxy infrastructure in the context of Sandman as well, noting a\r\nshift from using a directly exposed C2 server IP address (C2 domain: ssl.explorecell[.]com) to the address of a\r\nreverse proxy infrastructure (C2 domain: mode.encagil[.]com).\r\nThe overlap of unique infrastructure control and management practices, hosting provider selections, and domain\r\nnaming conventions indicates a likely relation between the Sandman and STORM-0866/Red Dev 40 APT\r\nclusters from an infrastructure perspective.\r\nLuaDream and KEYPLUG\r\nLuaDream and KEYPLUG are distinct malware strains. KEYPLUG is implemented in C++, whereas the majority\r\nof the LuaDream functionality is implemented in Lua. The samples that we analyzed do not share\r\nstraightforward indicators that would confidently classify them as closely related or originating from the same\r\nsource, such as use of identical encryption keys or direct overlaps in implementation. However, we observed\r\nindicators of shared development practices and some overlaps in functionality and design, suggesting shared\r\nfunctional requirements on the part of the operators. This is not uncommon in the Chinese malware landscape.\r\nWe also observed a code comment in Chinese in the main_proto_WinHttpServer component of LuaDream\r\nversion 11.0.2.1.23.1, indicating potential Chinese origin. However, we note that all other LuaDream string\r\nartifacts (function and variable names, and code comment, status, and error reporting strings) are written in\r\nEnglish.\r\nCode comment in LuaDream (translates from Chinese to “returned handle”)\r\nLuaDream is likely still in active development. 
It remains to be seen whether further iterations of the malware and\r\nits plugins will share implementation overlaps, functionality or design patterns with KEYPLUG or other malware\r\nstrains of suspected Chinese origin.\r\nC2 Protocols\r\nLuaDream and KEYPLUG are highly modular and multi-protocol in design, both implementing support for the\r\nHTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The combination of QUIC and WebSocket\r\nis a relatively rare backdoor feature and its implementation in both LuaDream and KEYPLUG may be the result\r\nof a shared functional requirement by the backdoors’ operators.\r\nLuaDream and KEYPLUG evaluate the configured protocol in the same order: HTTP, then TCP, then WebSocket,\r\nthen QUIC. The LuaDream keyword HTTPS2 refers to WebSocket, and KEYPLUG implements additional support\r\nfor UDP. We do not exclude the possibility that future versions of LuaDream will support UDP as well.\r\nLuaDream: Protocol handling\r\nKEYPLUG: Protocol handling\r\nFor each protocol, both LuaDream and KEYPLUG implement internal structures that store client data, such as the\r\nhandles to the established sockets to the C2 servers.\r\nExecution Flow and C2 Data Management\r\nThe high-level execution flows of LuaDream and KEYPLUG are very similar. Both backdoors first gather and\r\nexfiltrate system and user information in designated functions, with overlaps in gathered information (for\r\nexample, MAC address, OS version, IP address, computer name, and username).\r\nLuaDream and KEYPLUG then instantiate threads designated for sending and receiving C2 data, establish a\r\nconnection to the C2 server, and continue to process backdoor commands and manage plugins. 
Plugin\r\nmanagement includes loading and unloading plugins.\r\nThe backdoors use global data buffers designated for storing data to be sent to the C2 server, and data received\r\nfrom the server. LuaDream and KEYPLUG read from the global buffers that store incoming C2 data and continue\r\nprocessing it when available.\r\nLuaDream and KEYPLUG store in designated internal structures overlapping information about the global\r\nbuffers, such as starting memory addresses, sizes, and pointers to Windows CRITICAL_SECTION structures.\r\nLuaDream defines this structure as _MEM_DATA_CACHE_.\r\nLuaDream: Global buffer structure (decompiled LuaJIT bytecode)\r\nKEYPLUG: Global buffer structure (IDA-defined structure)\r\nLuaDream and KEYPLUG implement designated functions for reading from, and writing to, these buffers. These\r\nfunctions synchronize buffer access by multiple threads using Windows Critical Sections.\r\nLuaDream: Reading C2 data from a global buffer\r\nKEYPLUG: Reading C2 data from a global buffer\r\nThroughout their execution, both LuaDream and KEYPLUG generate one-time integer values based on the system\r\nuptime returned by the GetTickCount function. The backdoors calculate these values by applying modulo and/or\r\naddition operations to the system uptime. 
Some overlapping uses of the generated values are as sleep time\r\nintervals or protocol-specific keys, such as the Sec-WebSocket-Key HTTP header field that is used in the\r\nWebSocket opening handshake.\r\nLuaDream: Sleep interval\r\nKEYPLUG: Sleep interval\r\nConclusions\r\nWe assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman\r\nAPT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This\r\nhighlights the complex nature of the Chinese threat landscape. Its constituent threat actors will almost certainly\r\ncontinue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and\r\nstealthiness of their malware. The adoption of the Lua development paradigm is a compelling illustration of this.\r\nNavigating the threat landscape calls for continuous collaboration and information sharing within the threat\r\nintelligence research community. SentinelLABS remains committed to this mission and is grateful to our industry\r\npartners involved in this collective endeavor.\r\nIndicators of Compromise\r\nDomains\r\ndan.det-ploshadka[.]com KEYPLUG C2 server\r\nmode.encagil[.]com LuaDream C2 server\r\nssl.articella[.]com Suspected KEYPLUG or LuaDream C2 server\r\nssl.e-novauto[.]com KEYPLUG C2 server\r\nssl.explorecell[.]com LuaDream C2 server\r\nyum.luxyries[.]com KEYPLUG C2 server\r\nIP Addresses\r\n146.70.157[.]20 KEYPLUG C2 server (based on known C2 certificates)\r\n172.67.216[.]63 KEYPLUG C2 server\r\n185.38.142[.]129 KEYPLUG C2 server (based on a known C2 certificate)\r\n185.51.134[.]27 LuaDream and KEYPLUG C2 (based on known C2 certificates)\r\n185.82.218[.]230 LuaDream C2 server\r\n37.120.140[.]205 KEYPLUG C2 server (based on a known C2 certificate)\r\n45.129.199[.]122 KEYPLUG C2 server (based on a known C2 
certificate)\r\n45.80.148[.]151 LuaDream C2 (based on a known C2 certificate)\r\n45.90.59[.]17 KEYPLUG C2 server (based on a known C2 certificate)\r\n5.2.67[.]176 KEYPLUG C2 server (based on a known C2 certificate)\r\n5.2.72[.]130 KEYPLUG C2 server (based on a known C2 certificate)\r\n5.255.88[.]188 KEYPLUG C2 server (based on a known C2 certificate)\r\n79.110.52[.]160 KEYPLUG C2 server\r\nCertificate Thumbprints\r\na7932112b7880c95d77bc36c6fcced977f4a5889 KEYPLUG C2\r\nb6d759c9ea5d2136bacb1b2289a31c33500c8de8 KEYPLUG C2\r\nfc8fdf58cd945619cbfede40ba06aada10de9459 LuaDream C2\r\nSource: https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/"
	],
	"report_names": [
		"sandman-apt-china-based-adversaries-embrace-lua"
	],
	"threat_actors": [
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fde2d10-cf90-4eae-a249-838a36f76075",
			"created_at": "2023-12-19T02:00:06.26466Z",
			"updated_at": "2026-04-10T02:00:03.498264Z",
			"deleted_at": null,
			"main_name": "Sandman APT",
			"aliases": [],
			"source_name": "MISPGALAXY:Sandman APT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a22e30a1698902de3fb737da5de1cbe890b23fa7.pdf",
		"text": "https://archive.orkl.eu/a22e30a1698902de3fb737da5de1cbe890b23fa7.txt",
		"img": "https://archive.orkl.eu/a22e30a1698902de3fb737da5de1cbe890b23fa7.jpg"
	}
}