Sandman APT

SentinelLabs has observed a new cluster of threat activity by an unknown threat actor they have dubbed Sandman. Sandman primarily targets telecommunications providers in the Middle East, Western Europe and the South Asian subcontinent.
The activities are characterized by strategic lateral movements and minimal engagements, presumably to minimize the risk of detection.
Sandman has deployed a new modular backdoor using the LuaJIT platform, which is relatively rare in the threat landscape. They refer to this malware as LuaDream. Possible IOCs:

SHA1 > File name
|1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4 |fax.dat|
|27894955aaf082a606337ebe29d263263be52154 |fax.Application|
|5302c39764922f17e4bc14f589fa45408f8a5089 |ualapi.dll|
|77e00e3067f23df10196412f231e80cec41c5253 |fax.cache|
|b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 |UpdateCheck.dll|
|fb1c6a23e8e0693194a365619b388b09155c2183 |updater.ver|
|ff2802cdbc40d2ef3585357b7e6947d42b875884 |fax.module|

LuaDream Folder File paths

C2 Server Domains

Does InsightIDR have a detection rule for this or how to write a Rule considering the above IOCs?