Security researchers at SentinelLabs, in collaboration with QGroup, have unveiled a new threat actor known as Sandman. This unidentified group has been launching targeted attacks on telecommunications providers in regions including the Middle East, Western Europe and South Asia.
According to an advisory published by SentinelLabs on Thursday, Sandman’s tactics are marked by stealthy lateral movements and minimal interactions, suggesting a meticulous strategy to avoid detection. The group’s weapon of choice is a novel modular backdoor named LuaDream, which is built on the LuaJIT platform, a rarity in the cyber threat landscape.
Despite extensive investigation, Sandman’s origins and motivations remain unknown. While its development style aligns with advanced threat actors, discrepancies between its high-end malware development and poor segmentation practices have raised suspicions that it may be a private contractor or mercenary group.
SentinelLabs senior threat researcher Aleksandar Milenkoski highlighted that the Sandman’s APT activities, observed in August 2023, point to espionage motivations, a common objective when targeting telecommunication providers due to the sensitive data they possess.
While the origins of LuaDream remain obscure, its deployment showcases a highly organized and actively evolving project. The backdoor has capabilities that encompass exfiltration of system and user data, along with the management of attacker-provided plugins, indicating advanced sophistication.
This discovery highlights the evolving threat landscape, with previously unseen actors like Sandman deploying cutting-edge tools to pursue their objectives. The true identity of Sandman and its backers remains a puzzle, underscoring the need for continued collaboration and information sharing within the cybersecurity community.
“LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal,” Milenkoski wrote.
“Navigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within the threat intelligence research community.”
SentinelLabs has highlighted its commitment to shedding light on such threats and hopes this revelation will spark further joint efforts to counter cyber-threats.