From 0dd2f95a50f4b2fda5273da680733fd25c6d51b4 Mon Sep 17 00:00:00 2001
From: jstnk9 <joselsm94@gmail.com>
Date: Fri, 15 Dec 2023 12:28:38 +0100
Subject: [PATCH 1/2] new threat actor - Sandman APT

new threat actor - Sandman APT
---
 clusters/threat-actor.json | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a00fe336..f9cfe238 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13785,6 +13785,46 @@
       },
       "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe",
       "value": "UNC2630"
+    },
+    {
+      "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
+      "meta": {
+        "cfr-suspected-victims": [
+          "Middle East",
+          "Southeast Asian",
+          "France",
+          "Egypt",
+          "Sudan",
+          "South Sudan"
+          "Libya",
+          "Turkey",
+          "Saudi Arabia",
+          "Oman",
+          "Yemen",
+          "Sri Lanka",
+          "India",
+          "Pakistan",
+          "Iran",
+          "Afghanistan",
+          "Kuwait",
+          "Iraq",
+          "United Arab Emirates"
+        ],
+        "cfr-target-category": [
+          "Government",
+          "Telecommunications"
+        ],
+        "attribution-confidence": "50",
+        "country": "CN",
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "references": [
+          "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
+          "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
+        ]
+      },
+      "uuid": "00b84012-fa25-4942-ad64-c76be24828a8",
+      "value": "Sandman APT"
     }
   ],
   "version": 295
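Review bot: `"Southeast Asian"` (the second element of the new `cfr-suspected-victims` array) is an adjective rather than a region name, so it does not match the form of the sibling `"Middle East"` entry in the same list; change it to `"Southeast Asia",`. The same value survives unchanged as context in the first hunk of the second patch in this series, so the correction is still needed after that patch is applied. The missing comma after `"South Sudan"` on this hunk's new side leaves the file unparseable at this commit; the second patch already repairs it, so nothing further is proposed there, but running a JSON validity check before committing would have caught it.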

From c3061256792b324e271faf988f7ca8e22aba3939 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Mon, 18 Dec 2023 14:43:21 +0100
Subject: [PATCH 2/2] fix: [threat-actor] fix JSON

---
 clusters/threat-actor.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f9cfe238..e9b6cc9b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13789,13 +13789,15 @@
     {
       "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
       "meta": {
+        "attribution-confidence": "50",
+        "cfr-suspected-state-sponsor": "China",
         "cfr-suspected-victims": [
           "Middle East",
           "Southeast Asian",
           "France",
           "Egypt",
           "Sudan",
-          "South Sudan"
+          "South Sudan",
           "Libya",
           "Turkey",
           "Saudi Arabia",
@@ -13814,10 +13816,8 @@
           "Government",
           "Telecommunications"
         ],
-        "attribution-confidence": "50",
-        "country": "CN",
-        "cfr-suspected-state-sponsor": "China",
         "cfr-type-of-incident": "Espionage",
+        "country": "CN",
         "references": [
           "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
           "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
@@ -13827,5 +13827,5 @@
       "value": "Sandman APT"
     }
   ],
-  "version": 295
+  "version": 296
 }