Visualization of the ZIP file | Image: Proofpoint
Cybersecurity researchers at Proofpoint have identified a highly targeted cyber-espionage campaign employing polyglot malware to compromise aviation, satellite communications, and transportation infrastructure organizations in the United Arab Emirates (UAE). The campaign, attributed to a new threat cluster named UNK_CraftyCamel, leverages advanced obfuscation techniques to evade detection and deliver a custom Go-based backdoor, Sosano.
The attack, observed in fall 2024, originated from a compromised Indian electronics company, which was used as a launchpad to send malicious emails to fewer than five high-value UAE-based targets.
According to Proofpoint researchers: “The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.”
This spearphishing campaign used a ZIP archive that contained polyglot files, a technique rarely seen among espionage-motivated threat actors. The attackers’ meticulous customization of their payloads suggests a well-resourced adversary with an interest in avoiding detection and protecting their malware from analysis.
The polyglot files delivered via malicious emails contained a dual-structured payload, designed to be interpreted differently depending on the application reading the file. The ZIP archive masqueraded as containing:
- An XLS file, which was actually a Windows shortcut (LNK) file.
- Two PDF files, which were embedded with HTA and ZIP payloads.
“Polyglot files are files that can be interpreted as multiple different formats, depending on how they are read. They are created by carefully structuring data so that different parsers interpret the same file differently,” the report states.
These files allowed attackers to bypass security defenses and execute malicious payloads while appearing benign to traditional scanning tools.
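As an added example (not Proofpoint's tooling or code from the report), the following Python scanner flags the two mismatches described above: an archive member whose extension says XLS but whose bytes are a Windows shortcut, and a PDF that also carries ZIP structures or HTA script markup. The file names and contents are constructed stand-ins, not the real lure files.

```python
"""Flag extension/content mismatches of the kind used in this campaign: an
'XLS' that is really a Windows shortcut (LNK), and a PDF that also carries
ZIP structures or HTA script markup. Added example, not Proofpoint's tooling;
the samples below are constructed, not the real lure files."""

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a local file entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record
# Shell Link header: HeaderSize 0x0000004C then LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
HTA_MARKERS = (b"<hta:application", b"<script", b"vbscript:", b"javascript:")


def scan_bytes(name: str, data: bytes) -> list:
    """Return a list of findings for one file (empty list means nothing odd)."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    low = data.lower()
    if data.startswith(LNK_MAGIC) and ext != "lnk":
        findings.append(f"{name}: extension .{ext} but content is a Windows shortcut (LNK)")
    if data.startswith(PDF_MAGIC):
        # ZIP readers locate the archive from the EOCD at the end of the file, so
        # a ZIP appended after a valid PDF body is readable by both parsers.
        if ZIP_EOCD in data or ZIP_LOCAL_HEADER in data:
            findings.append(f"{name}: PDF also contains ZIP structures (PDF/ZIP polyglot)")
        if any(m in low for m in HTA_MARKERS):
            findings.append(f"{name}: PDF contains HTA/script markup (PDF/HTA polyglot)")
    elif ext == "pdf":
        findings.append(f"{name}: extension .pdf but no PDF header")
    return findings


# Constructed samples standing in for the archive members described in the report.
SAMPLES = {
    "report.xls": LNK_MAGIC + b"\x00" * 60,
    "brochure1.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
                     + ZIP_LOCAL_HEADER + b"\x00" * 26 + b"stage2.bin"
                     + ZIP_EOCD + b"\x00" * 18,
    "brochure2.pdf": b"%PDF-1.4\n%<html><hta:application id=x>"
                     b"<script language=vbscript>MsgBox 1</script></html>\n",
    "clean.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\nstartxref\n%%EOF\n",
}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample and map file name to its findings."""
    return {n: scan_bytes(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(name, "->", found or ["no findings"])
```

Checks like these belong at the mail gateway or archive-extraction stage, where the member name and bytes are both available before anything is opened.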
Once the polyglot malware was executed, it installed Sosano, a custom Go-based backdoor designed to establish persistence and give the attackers remote control. Sosano was heavily obfuscated and padded with unneeded Golang libraries, inflating its size to 12 MB to deter reverse engineering.
Upon execution, the malware:
- Sleeps for a random duration to evade sandbox detection.
- Attempts to connect to its Command-and-Control (C2) server (bokhoreshonline[.]com).
- Executes attacker-controlled commands, including file downloads, directory modifications, and shell execution.
The backdoor supports several commands, including:
- sosano – Retrieve and modify working directories.
- yangom – List directory contents.
- monday – Download and execute additional payloads.
- raian – Delete directories.
- lunna – Execute shell commands.
Proofpoint notes: “The Sosano backdoor can download and execute a next stage payload called ‘cc[.]exe’, but that file was not available from the remote server during our investigation.”
The attackers used a compromised email account to deliver the phishing emails, hosting the malicious ZIP archives on indicelectronics[.]net, a domain closely resembling that of the legitimate Indian electronics firm. Meanwhile, Sosano’s C2 server, bokhoreshonline[.]com, resolved to 104.238.57[.]61, an IP address associated with the commercial hosting provider CrownCloud.
While no direct attribution has been made, researchers identified tactical overlaps with Iranian-aligned groups such as TA451 and TA455, both known for targeting aerospace organizations.