New Cyber-Espionage Campaign Targets UAE Aviation and Transport

A new cyber-espionage campaign targeting aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates has been uncovered by cybersecurity researchers.
The attack, attributed by Proofpoint to a cluster known as UNK_CraftyCamel, employed a sophisticated infection chain to deploy a newly discovered backdoor named Sosano.
Highly Targeted Attack
The campaign, which took place in the fall of 2024, targeted fewer than five organizations with malicious emails sent from a compromised Indian electronics company, INDIC Electronics. The threat actors used highly customized lures, delivering a ZIP archive containing polyglot files, a technique chosen to evade security detections and get the malware onto the host unnoticed.
“Polyglot files are files that can be interpreted as multiple different formats, depending on how they are read,” Proofpoint explained.
“They are created by carefully structuring data so that different parsers interpret the same file differently, often by exploiting format-specific quirks or overlapping headers. They are not commonly used in everyday software development but remain a niche, powerful tool in specialized technical domains.”
Because of this, the researchers believe the use of such techniques demonstrates an advanced adversary with a focus on stealth and obfuscation.
Sosano Backdoor and Infection Chain
The infection chain identified by Proofpoint began with a ZIP file containing what appeared to be an XLS file and two PDFs. In reality, the XLS "file" was an LNK shortcut disguised with a deceptive double extension, and the PDFs were polyglots: one carried an embedded HTA file and the other a hidden ZIP archive. When executed, these files launched a process chain that extracted and ran Sosano.
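To make the polyglot and double-extension tricks concrete, here is an added example (written for this article; it is not Proofpoint's code and reproduces nothing from the campaign's samples). It builds a benign PDF/ZIP polyglot in memory, then runs a small triage routine that reports every format a file can be read as. The signatures, marker strings and extension lists are the example's own choices, and the HTA "payload" is a harmless constructed string.

```python
import io
import zipfile

# Format signatures used by the triage routine (chosen for this example).
PDF_MAGIC = b"%PDF-"
ZIP_EOCD = b"PK\x05\x06"            # end-of-central-directory record every ZIP parser looks for
# Shell link header: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HTA_MARKERS = (b"<hta:application", b"<script", b"createobject(")  # scanned on lowercased bytes
DOC_EXT = {"xls", "xlsx", "doc", "docx", "pdf", "txt"}
EXEC_EXT = {"lnk", "hta", "exe", "js", "vbs", "scr", "bat"}


def build_pdf_zip_polyglot(member_name, member_body):
    """Constructed sample: a minimal PDF followed by a complete ZIP archive.

    PDF readers stop at %%EOF and ignore trailing bytes; ZIP parsers locate the
    archive from the end-of-central-directory record at the *end* of the file,
    so the same bytes are accepted by both. Benign demonstration only.
    """
    pdf_stub = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, member_body)
    return pdf_stub + buf.getvalue()


def double_extension(filename):
    """True for names like Quote.xls.lnk: a document-looking inner extension in front of an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] in EXEC_EXT


def triage(data):
    """Report every format the bytes can be interpreted as, plus embedded script content."""
    findings = []
    if data.startswith(PDF_MAGIC):
        findings.append("pdf-header")
    if data.startswith(LNK_MAGIC):
        findings.append("lnk-header")
    if any(m in data.lower() for m in HTA_MARKERS):
        findings.append("hta-script")  # raw byte scan; a compressed ZIP member would hide these
    if ZIP_EOCD in data:
        try:
            # Let a real ZIP parser decide, exactly as the victim's unzip code would.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    body = zf.read(info).lower()
                    tag = "hta-script" if any(m in body for m in HTA_MARKERS) else "member"
                    findings.append(f"zip:{info.filename}:{tag}")
        except zipfile.BadZipFile:
            pass  # stray PK bytes, not a parseable archive
    return findings


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot("update.hta", b"<HTA:APPLICATION ID='x'><script>x=1</script>")
    print(triage(sample))                              # PDF header *and* a ZIP member with script markers
    print(triage(sample[: sample.index(b"PK")]))       # the PDF portion alone: just a PDF
    print(double_extension("Quote.xls.lnk"), double_extension("report.pdf"))
```

The point of parsing rather than grepping: the stub PDF is a valid document to a PDF reader and the trailing archive is a valid ZIP to `zipfile`, which is precisely what "different parsers interpret the same file differently" means in practice. A triage step that stops at the first recognised magic number sees only the PDF.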
Sosano is a backdoor written in Golang, designed to evade detection by bloating its code with unnecessary libraries. Upon execution, it establishes a connection with a command-and-control (C2) server and waits for commands. These include listing directories, executing shell commands and downloading additional payloads.
Attribution and Analysis
Proofpoint has tracked UNK_CraftyCamel as a distinct intrusion cluster. While some tactics and techniques overlap with known Iranian-aligned threat actors such as TA451 and TA455, the researchers have not definitively linked this activity to any previously identified group.
The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
Security teams have several opportunities to detect the Sosano infection chain, including monitoring for LNK files executing from newly created or freshly unzipped directories, a URL file referenced from a registry Run key, and URL files launching anything other than a web browser.
Additionally, detecting executable files accessing JPG files from user directories can help identify potential threats before they execute malicious payloads.
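The four detection opportunities above, expressed as rules over host telemetry, as an added example (this is not Proofpoint's detection content and not part of the article). The event schema, the browser and image-viewer allowlists, the `shortcut` field on process events and every sample event are assumptions constructed for the example; the constructed telemetry is loosely Sysmon-shaped but is not a real log.

```python
import re

# Allowlists for the two "anything other than" rules (constructed; tune to your estate).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
IMAGE_VIEWERS = {"explorer.exe", "mspaint.exe", "photos.exe", "wmplayer.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
USER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# Windows Explorer unpacks a member launched from inside an archive into %TEMP%\Temp1_<archive>.zip\
EXTRACT_DIR = re.compile(r"\\temp1_[^\\]+\.zip(\\|$)", re.I)
URL_FILE = re.compile(r'[a-z]:\\[^"]+?\.url\b', re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def detect(events, window=600):
    """Apply the four detection opportunities to time-ordered telemetry.

    Event schema (an assumption for this example):
      file_create : path
      process     : image, cmdline, optional shortcut (the .lnk the EDR attributes the launch to)
      registry_set: key, value, data
      file_access : image, target
    Returns (rule, ts, detail) tuples.
    """
    alerts = []
    new_dirs = {}  # directory -> ts of the latest file created inside it
    for ev in events:
        ts, kind = ev["ts"], ev["type"]
        if kind == "file_create":
            new_dirs[_dir(ev["path"])] = ts
        elif kind == "process":
            lnk = ev.get("shortcut", "")
            if lnk.lower().endswith(".lnk"):
                d = _dir(lnk)
                fresh = d in new_dirs and ts - new_dirs[d] <= window
                if fresh or EXTRACT_DIR.search(d):
                    alerts.append(("lnk_from_new_dir", ts, lnk))
            if URL_FILE.search(ev["cmdline"]) and _base(ev["image"]) not in BROWSERS:
                alerts.append(("url_file_non_browser", ts, ev["cmdline"]))
        elif kind == "registry_set":
            if RUN_KEY.search(ev["key"]) and ev["data"].strip('"').lower().endswith(".url"):
                alerts.append(("url_in_run_key", ts, f"{ev['key']}\\{ev['value']} = {ev['data']}"))
        elif kind == "file_access":
            img, target = _base(ev["image"]), ev["target"]
            if (img.endswith(".exe") and img not in IMAGE_VIEWERS
                    and USER_DIR.match(target) and target.lower().endswith((".jpg", ".jpeg"))):
                alerts.append(("exe_reads_user_jpg", ts, f"{ev['image']} -> {target}"))
    return alerts


# Constructed telemetry for the example; none of these paths or names come from the campaign.
SAMPLE_EVENTS = [
    {"ts": 10, "type": "file_create", "path": r"C:\Users\alice\Downloads\Proposal\Quote.xls.lnk"},
    {"ts": 12, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Proposal\setup.bat"',
     "shortcut": r"C:\Users\alice\Downloads\Proposal\Quote.xls.lnk"},
    {"ts": 30, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\alice\AppData\Roaming\updater.url"},
    {"ts": 31, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe url.dll,OpenURL C:\Users\alice\AppData\Roaming\updater.url"},
    {"ts": 40, "type": "file_access", "image": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
     "target": r"C:\Users\alice\AppData\Roaming\svc\background.jpg"},
    # Benign noise that must not alert: a browser opening a URL file, Explorer reading a photo.
    {"ts": 50, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" "C:\Users\alice\Desktop\news.url"'},
    {"ts": 51, "type": "file_access", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Pictures\cat.jpg"},
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"[{ts}] {rule}: {detail}")
```

Two of the rules depend on allowlists, so their false-positive rate is set by how complete `BROWSERS` and `IMAGE_VIEWERS` are for the environment; the LNK rule is the one worth tuning first, since the "newly created directory" window and the Explorer extraction-folder pattern are what separate an archive-delivered shortcut from an ordinary desktop one.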
“In addition to detection opportunities described, organizations should train users to be suspicious of unexpected or unrecognized content originating from known contacts, and identify common characteristics of malicious content such as domain impersonation using alternate top-level domains,” Proofpoint advised.