Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector

Mar 04, 2025Ravie LakshmananCyber Espionage / Malware

Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out “fewer than five” entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano.

The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024. The enterprise security firm is tracking the emerging cluster under the moniker UNK_CraftyCamel.

A noteworthy aspect of the attack chain is the fact that the adversary took advantage of its access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. The entity is said to have been in a trusted business relationship with all the targets, with the lures tailored to each of them.

“UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano,” Proofpoint said in a report shared with The Hacker News.

The emails contained URLs that pointed to a bogus domain masquerading as the Indian company (“indicelectronics[.]net”), hosting a ZIP archive that included an XLS file and two PDF files.

But in reality, the XLS file was a Windows shortcut (LNK) using a double extension to pass off as a Microsoft Excel document. The two PDF files, on the other hand, turned out to be polyglots: one that was appended with an HTML Application (HTA) file and the other with a ZIP archive appended to it.

This also meant that both PDF files could be interpreted as two different valid formats depending on how they are parsed using programs like file explorers, command-line tools, and browsers.

The attack sequence analyzed by Proofpoint entails using the LNK file to launch cmd.exe and then using mshta.exe to run the PDF/HTA polyglot file, leading to the execution of the HTA script that, in turn, contains instructions to unpack the contents of the ZIP archive present within the second PDF.

One of the files in the second PDF is an internet shortcut (URL) file that’s responsible for loading a binary, which subsequently looks for an image file that’s ultimately XORed with the string “234567890abcdef” to decode and run the DLL backdoor called Sosano.

Written in Golang, the implant carries a limited functionality to establish contact with a command-and-control (C2) server and await further commands –

• sosano, to get current directory or change working directory
• yangom, to enumerate the contents of the current directory
• monday, to download and launch an unknown next-stage payload
• raian, to delete or remove a directory
• lunna, to execute a shell command

Proofpoint noted that the tradecraft demonstrated by UNK_CraftyCamel does not overlap with any other known threat actor or group.

“Our analysis suggests that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC),” Joshua Miller, APT Staff Threat Researcher at Proofpoint, told The Hacker News. “The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape.”

“This low volume, highly targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the U.A.E. It demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!