Researchers Unmask Sandman APT’s Hidden Link to China-Based KEYPLUG Backdoor

siteadmin December 11, 2023

The advanced persistent threat (APT) Sandman shares tactical and targeting overlaps with a China-based threat cluster that uses the KEYPLUG backdoor. The assessment from SentinelOne, PwC, and the Microsoft Threat Intelligence team indicates that Sandman and Storm-0866/Red Dev 40, both tracked by Microsoft and PwC, share common infrastructure control, management practices, and other key development practices. SentinelOne first exposed Sandman’s attacks on different regions in 2023.