• Vulnerable U
  • Posts
  • Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms

Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms

A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.

Author

Newsroom
March 06, 2025

A sophisticated threat actor has launched a highly targeted malware campaign against aviation and satellite communications organizations in the United Arab Emirates, using polyglot files and a custom backdoor to evade detection.

Cybersecurity firm Proofpoint uncovered the operation—dubbed UNK_CraftyCamel—in late October 2024. The campaign leveraged compromised business relationships and tailored lures to deliver a multistage infection chain, ultimately deploying a new Go-based backdoor named Sosano.

Highly Targeted Attack Using Business Compromise

The attackers compromised an email account belonging to Indian electronics company INDIC Electronics and used it to send malicious messages to fewer than five organizations in the UAE. These emails contained links to a malicious ZIP file hosted on a domain designed to mimic the legitimate company: indicelectronics[.]net.

Upon analysis, researchers found the ZIP archive contained cleverly disguised malware components using polyglot files—a relatively rare technique in espionage operations.

Polyglot Files and Multistage Execution

Polyglot files are structured so they can be interpreted as multiple file formats, depending on how they are read. This allows attackers to hide malicious content within seemingly legitimate files, making detection more difficult.

In this campaign:

  • The ZIP archive contained what appeared to be an Excel file and two PDFs, but…

    • The Excel file was actually an LNK shortcut file using a double extension trick.

    • The PDFs were polyglot files, with one containing an embedded HTA script and the other a ZIP archive.

Malware Execution Chain

  1. The LNK file launched cmd.exe, which executed mshta.exe to run the PDF/HTA polyglot.

  2. The HTA script acted as an orchestrator:

    • It extracted additional components from the second PDF file.

    • It wrote a URL file to the Windows registry for persistence.

    • It launched a malicious loader named Hyper-Info.exe.

  3. The loader searched for "sosano.jpg" in the extracted ZIP archive:

    • This file was XOR-encoded with a hardcoded key (1234567890abcdef).

    • The decrypted output was a DLL file named "yourdllfinal.dll"—the Sosano backdoor.

Sosano Backdoor: Golang-Based Espionage Tool

The Sosano backdoor is a 12MB Golang-based DLL, designed for stealth and resilience:

  • Despite its large size, it contains only a small set of malicious functions.

  • The excess file size appears to be an intentional obfuscation technique, bloating the binary with unused Golang libraries to complicate analysis.

  • Sosano contains built-in evasion tactics:

    • It sleeps for a random time interval on execution to avoid detection.

    • It establishes encrypted HTTP communications with its C2 server at bokhoreshonline[.]com.

Sosano’s Command Capabilities

Once connected to its command and control (C2) server, Sosano can execute various commands:

Command

Function

sosano

Get current directory / change working directory

yangom

List files in the current directory

monday

Download and execute additional payloads

raian

Delete a specified directory

lunna

Execute arbitrary shell commands

The malware also has functionality to download and execute a second-stage payload ("cc.exe"), though this file was unavailable at the time of Proofpoint’s analysis.

Ties to Iranian-Aligned Threat Groups

Proofpoint’s assessment indicates that UNK_CraftyCamel does not yet align with any previously tracked espionage groups, but there are notable similarities with Iranian-linked adversaries, specifically TA451 and TA455—both historically associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) cyber operations.

TTP Overlap

TA451

TA455

UNK_CraftyCamel

Use of HTA files

Targeting aerospace & satellite industries

Lures disguised as business proposals

Despite these overlaps, Proofpoint currently considers UNK_CraftyCamel a distinct cluster of activity.

Detection & Mitigation

Security teams should monitor for multiple detection opportunities within the infection chain:

  • LNK file execution from recently created or unzipped directories.

  • URL files in the Windows registry launching non-browser executables.

  • Executable files accessing image files (.jpg) from unexpected locations.

  • Unusual outbound connections to bokhoreshonline[.]com.

Proofpoint has released indicators of compromise (IoCs) and Emerging Threats (ET) detection rules to help organizations detect and respond to this evolving threat.

Conclusion

The UNK_CraftyCamel campaign highlights the growing sophistication of nation-state-backed espionage and the continued risk posed by trusted third-party compromises. Organizations in critical industries—particularly aviation, satellite communications, and transportation infrastructure—should remain on high alert.

Proofpoint urges organizations to:

  • Strengthen email security policies to detect malicious URLs.

  • Train employees on phishing awareness, especially spear-phishing attacks from trusted contacts.

  • Implement behavioral analysis for suspicious script execution, especially HTA and LNK file activity.

This highly targeted campaign demonstrates that adversaries are constantly refining their tradecraft, making detection and defense a continuous challenge for cybersecurity teams worldwide.