diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a00fe33..e9b6cc9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13785,7 +13785,47 @@
       },
       "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe",
       "value": "UNC2630"
+    },
+    {
+      "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
+      "meta": {
+        "attribution-confidence": "50",
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-suspected-victims": [
+          "Middle East",
+          "Southeast Asian",
+          "France",
+          "Egypt",
+          "Sudan",
+          "South Sudan",
+          "Libya",
+          "Turkey",
+          "Saudi Arabia",
+          "Oman",
+          "Yemen",
+          "Sri Lanka",
+          "India",
+          "Pakistan",
+          "Iran",
+          "Afghanistan",
+          "Kuwait",
+          "Iraq",
+          "United Arab Emirates"
+        ],
+        "cfr-target-category": [
+          "Government",
+          "Telecommunications"
+        ],
+        "cfr-type-of-incident": "Espionage",
+        "country": "CN",
+        "references": [
+          "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
+          "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
+        ]
+      },
+      "uuid": "00b84012-fa25-4942-ad64-c76be24828a8",
+      "value": "Sandman APT"
     }
   ],
-  "version": 295
+  "version": 296
 }