
LuaDream Backdoor: Cyberattacks Targeting Telecommunication Providers across Western Europe

Threat actor Sandman uses the LuaDream backdoor, built on LuaJIT, indicating a stealthy, large-scale project.


SentinelLabs has uncovered a series of cyber-attacks primarily targeting telecommunication providers across Western Europe, the Middle East, and South Asia. Dubbed Sandman, this unknown threat actor has been using a novel modular backdoor, termed LuaDream, built on the LuaJIT platform. The meticulous implementation of LuaDream indicates a well-orchestrated, large-scale project that is actively under development. The actor's strategic movements and minimal engagements hint at a deliberate attempt to avoid detection.

LuaDream: A Cloak of Invisibility

LuaDream's architecture is designed to be elusive, making the malicious Lua script code challenging to detect. The malware is capable of exfiltrating system and user information, setting the stage for more targeted attacks. It also manages attacker-provided plugins that extend its features. The malware's intricate staging process and its ability to communicate over multiple protocols, including TCP, HTTPS, WebSocket, and QUIC, showcase its advanced capabilities. Interestingly, LuaDream's development style and the use of LuaJIT, typically associated with advanced , have raised suspicions regarding its origin.

A Global Hunt for Telecommunication Data

The geographical distribution of the victims reveals a pronounced focus on telecommunication providers. These providers are often the target of espionage activities due to the sensitive data they possess. The activities observed by SentinelLabs, coupled with the examination of C2 netflow data, indicate a broad geographical targeting, encompassing regions such as the Middle East, Western Europe, and the South Asian subcontinent. The motivation behind these attacks is highly likely to be espionage, given the nature of the targeted sector and the characteristics of the deployed malware.

Attribution Remains a Mystery

Attributing the Sandman APT to a specific origin remains challenging. The inconsistencies between the high-end development of LuaDream and poor segmentation practices have led researchers to consider the possibility of a private contractor or mercenary group being involved. The use of LuaJIT in the context of APT malware is relatively rare, but its adoption is broadening. SentinelLabs remains committed to unraveling the mysteries of such elusive threat actors and hopes that their findings will spur further collaborative efforts in the research community.

Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He holds a Master's degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.
