Advanced persistent threat operation Sandman
and Chinese threat cluster Storm-0866, also known as Red Dev 40, show significantly similar attack techniques, as evidenced by the coexistence of their respective LuaDream and KEYPLUG malware in the same networks, The Hacker News reports.
Beyond the shared infrastructure control and management practices between Sandman and Storm-0866, the two operations' respective backdoors also have similar designs and functionality, according to a joint report from PwC, SentinelOne, and the Microsoft Threat Intelligence team.
"The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC, in that order. The high-level execution flows of LuaDream and KEYPLUG are very similar," the researchers said.
While there is no evidence that LuaDream and KEYPLUG are developed by a single vendor, it is possible that malware is supplied through dedicated channels across the Chinese threat landscape, said SentinelLabs researcher Aleksandar Milenkoski.