Sandman [1] [2] [3] [4] [5] [6], an unidentified threat actor, has been identified as the perpetrator of cyber attacks targeting telecommunications providers in the Middle East [2], Western Europe [1] [2] [3] [4] [6], and the South Asian subcontinent [1] [2] [6]. This individual or group is suspected to be an espionage-focused actor, possibly a private contractor or mercenary organization [5], aiming to gather sensitive data from telcos [5].


Sandman employs stealthy lateral movements and minimal interactions to avoid detection in their attacks [4]. They utilize a modular backdoor called LuaDream [4], which is built on the LuaJIT platform [4]. LuaDream is believed to be a variant of a new malware strain known as DreamLand and utilizes the Lua scripting language and JIT compiler to execute difficult-to-detect malicious code [6]. The source code of the implant suggests that preparatory work has been ongoing for over a year.

LuaDream is responsible for stealing administrative credentials and conducting reconnaissance to breach workstations and deliver the malware [1]. It is a highly organized and evolving project with advanced capabilities for exfiltrating data and managing attacker-provided plugins [4]. Sandman’s true identity remains unknown, highlighting the need for collaboration and information sharing in the cybersecurity community [4].

LuaDream is a modular [1] [6], multi-protocol backdoor that exfiltrates system and user information and communicates via command-and-control using the WebSocket protocol [1]. Sandman’s activities and the use of complex malware indicate a motivated and capable adversary [5]. The LuaDream staging chain is designed to evade detection and deploy the malware directly into memory [5].

Similar to other mysterious threat actors like Metador [5], Sandman has targeted telcos across a wide geographical region [5]. This demonstrates the continuous innovation and advancement efforts of cyber espionage threat actors in developing their malware arsenal [6]. Sandman operates covertly to gain long-term access to breached systems for cyberespionage purposes [3]. They gain initial access to corporate networks using stolen administrative credentials and employ “pass-the-hash” attacks to authenticate to remote servers and services [3]. Sandman has shown particular interest in privileged or confidential information [3], often targeting managerial personnel [3].

LuaDream [1] [2] [3] [4] [5] [6], the malware used by Sandman [3], is a new and actively developed modular malware that collects data and executes plugins received from a command and control server [3]. The malware’s staging process involves sophisticated anti-analysis measures to evade detection [3]. LuaDream consists of 34 components, with core components handling primary functions and support components dealing with technical aspects [3].


The true identity of Sandman remains a mystery [4], but their activities and the use of complex malware highlight the need for increased collaboration and information sharing in the cybersecurity community. Telcos continue to be prime targets for APTs, showcasing the ongoing efforts of cyber espionage threat actors in developing their malware capabilities. Mitigating the threat posed by Sandman and similar actors requires a proactive approach and continuous innovation in cybersecurity measures.