Sandman APT Infiltrates Telecommunications Companies Using LuaDream Backdoor
A newly identified threat actor, tracked as Sandman, has been targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. Its intrusions deploy LuaDream, a modular backdoor built on the LuaJIT platform. Sandman's tradecraft is characterised by strategic lateral movement and minimal hands-on activity, which limits the opportunities for detection. The quality of the LuaDream implementation points to a well-developed, actively maintained project.

Attribution remains unclear; one hypothesis is that Sandman is a private contractor or mercenary group. Its targeting is consistent with espionage, since telecommunication providers hold large volumes of sensitive data. LuaDream is designed to evade detection: it is staged through multiple stages that include anti-analysis measures, and the malware is loaded directly into memory rather than written to disk.
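The summary says LuaDream is built on LuaJIT and is staged straight into memory. As an added example (not from the original report, and not LuaDream's own code), the following Python scans a memory dump or file for the LuaJIT bytecode dump header (ESC 'L' 'J', version byte, ULEB128 flags, optional chunk name) and reports each plausible hit; the sample buffer, its layout and the chunk name "@loader.lua" are constructed for the demo.

```python
MAGIC = b"\x1bLJ"                     # ESC 'L' 'J' opens every LuaJIT bytecode dump
VERSIONS = {1: "LuaJIT 2.0", 2: "LuaJIT 2.1"}
FLAG_BE, FLAG_STRIP = 0x01, 0x02      # header flag bits (others: FFI=0x04, FR2=0x08)

def read_uleb128(buf: bytes, pos: int):
    """Decode one ULEB128 integer at pos -> (value, next_pos), or None if truncated."""
    value, shift = 0, 0
    while pos < len(buf):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7
    return None

def parse_header(buf: bytes, pos: int):
    """Parse the dump header at pos (must point at MAGIC); None if it is not one."""
    p = pos + len(MAGIC)
    if p >= len(buf) or buf[p] not in VERSIONS:
        return None                   # unknown version byte: treat as a false hit
    version, decoded = buf[p], read_uleb128(buf, p + 1)
    if decoded is None:
        return None
    flags, p = decoded
    name = None
    if not flags & FLAG_STRIP:        # unstripped dumps carry the chunk name next
        decoded = read_uleb128(buf, p)
        if decoded is None or decoded[0] + decoded[1] > len(buf):
            return None
        namelen, p = decoded
        name = buf[p:p + namelen].decode("latin-1")
    return {"offset": pos, "version": VERSIONS[version], "chunk_name": name,
            "stripped": bool(flags & FLAG_STRIP), "big_endian": bool(flags & FLAG_BE)}

def find_luajit_bytecode(buf: bytes) -> list[dict]:
    """Return one record per plausible LuaJIT bytecode dump embedded in buf."""
    hits, pos = [], buf.find(MAGIC)
    while pos != -1:
        rec = parse_header(buf, pos)
        if rec is not None:
            hits.append(rec)
        pos = buf.find(MAGIC, pos + 1)
    return hits

# Constructed sample: padding, an unstripped 2.1 header naming "@loader.lua",
# a stray magic with a bogus version byte (ignored), then a stripped 2.1 header.
SAMPLE = (b"\x00" * 16 + MAGIC + b"\x02\x08\x0b@loader.lua" + b"\x00" * 8
          + MAGIC + b"\x7f" + MAGIC + b"\x02\x0a" + b"\x00" * 8)
```

Run it over a process memory dump to triage for embedded LuaJIT payloads; a hit in a process that has no business running Lua is worth a closer look.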