diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a00fe33..e9b6cc9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13785,7 +13785,47 @@
 },
 "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe",
 "value": "UNC2630"
+ },
+ {
+ "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
+ "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-suspected-victims": [
+ "Middle East",
+ "Southeast Asian",
+ "France",
+ "Egypt",
+ "Sudan",
+ "South Sudan",
+ "Libya",
+ "Turkey",
+ "Saudi Arabia",
+ "Oman",
+ "Yemen",
+ "Sri Lanka",
+ "India",
+ "Pakistan",
+ "Iran",
+ "Afghanistan",
+ "Kuwait",
+ "Iraq",
+ "United Arab Emirates"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Telecommunications"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "country": "CN",
+ "references": [
+ "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
+ "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
+ ]
+ },
+ "uuid": "00b84012-fa25-4942-ad64-c76be24828a8",
+ "value": "Sandman APT"
 }
 ],
- "version": 295
+ "version": 296
 }
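Review bot: `"Southeast Asian"` in the new `cfr-suspected-victims` array is an adjective where every other element is a place name, and it sits beside `"Middle East"` while most of the country entries that follow (Saudi Arabia, Oman, Yemen, Kuwait, Iraq, United Arab Emirates) already fall inside that region, so anything that counts or filters victims on this field gets one malformed value and double-counted ones. I would change the line to `"Southeast Asia",` and either drop the two region-level entries or keep them only where no country-level entry covers the same ground. The description ties Sandman to STORM-0866/Red Dev 40 but the entry carries no `related` array; if this galaxy already holds a cluster for that KEYPLUG-associated group, a `related` entry with its `dest-uuid` (the existing cluster's uuid, not invented here) makes the overlap machine-readable instead of prose-only. The `attribution-confidence` of `"50"` is consistent with the hedged wording of the description, so no change is needed there.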