The article discusses the overlap between the APT named Sandman, which uses the LuaDream implant, and a China-based threat cluster using the KEYPLUG backdoor. The assessment comes from SentinelOne, PwC, and the Microsoft Threat Intelligence team. The article also describes the shared infrastructure and management practices, domain naming conventions, and similarities in functionalities and design between the two adversaries. The article then provides information about the Sandman APT and the Storm-0866/Red Dev 40, including their targeting and tools used. It also highlights the shared development practices and overlaps in functionalities and design between LuaDream and KEYPLUG. Lastly, the article discusses the use of uncommon programming languages and the complex nature of the Chinese threat landscape.