The article examines the overlap between the Sandman APT, which deploys the LuaDream implant, and a China-based threat cluster that uses the KEYPLUG backdoor. The joint assessment comes from SentinelOne, PwC, and the Microsoft Threat Intelligence team. It sets out what the two adversaries share: infrastructure control and management practices, domain naming conventions, and similarities in the functionality and design of their malware. The article then profiles the Sandman APT and the KEYPLUG cluster, tracked by Microsoft as Storm-0866 and by PwC as Red Dev 40, covering their targeting and the tools they use. It highlights shared development practices and the overlaps in functionality and design between LuaDream and KEYPLUG. Finally, it discusses these actors' adoption of uncommon programming languages such as Lua, and the complexity of the Chinese threat landscape that the shared infrastructure and tooling reflect.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
