Introduction
In late October 2023 [3] [8] [9], a sophisticated cyber-espionage campaign [2] [5] [9], dubbed UNK_CraftyCamel [1] [2] [4] [5] [6] [10], was uncovered. This operation targeted critical infrastructure organizations in the United Arab Emirates [2], specifically within the aviation [8] [9] [10], satellite communications [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and critical transportation sectors [1] [4] [6] [8] [10]. The campaign is attributed to Iranian-aligned threat actors and highlights the ongoing threat of state-sponsored cyber activities in the Middle East.
Description
In late October 2023 [3] [8] [9], a sophisticated cyber-espionage campaign known as UNK_CraftyCamel was identified, targeting a select group of fewer than five critical infrastructure organizations in the United Arab Emirates (UAE), specifically within the aviation [8] [9] [10], satellite communications [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and critical transportation sectors [1] [4] [6] [8] [10]. This operation [5] [9], attributed to Iranian-aligned threat actors [1], involved the compromise of an email account at INDIC Electronics, an Indian electronics firm [5] [7] [8], which was used to send highly targeted phishing emails tailored to the recipients. These emails linked to a ZIP file hosted on a fraudulent domain mimicking the legitimate company [7]; the archive contained a file posing as a Microsoft Excel (XLS) document and two polyglot PDF files [7]. The supposed XLS file was actually an LNK file with a double extension [1] [4], while the PDFs carried an embedded HTA file and a hidden ZIP archive [4]. The lure was designed to exploit trusted business relationships, leading recipients to download the ZIP archive [5].
The infection chain began with the execution of the deceptive files within the ZIP archive, which triggered a sequence involving cmd.exe and mshta.exe processes [5], ultimately installing the newly discovered Sosano backdoor. Written in Go (Golang) [5] [9], this backdoor is notable for its complexity and heavy obfuscation, which complicate analysis for security researchers [5]. Once executed, Sosano establishes communication with a command-and-control (C2) server to receive further instructions [7], including directory navigation [5], shell command execution [5], and payload downloading [1] [5]. Evasion tactics [1] [5], such as bloating the binary with unnecessary libraries and inserting random sleep routines, are employed to frustrate automated analysis tools [5] [8].
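The lure package described above combines two file-level tricks: a shell link hiding behind a document extension, and PDFs that also carry a second file format. The following added example (written for this page, not code from Proofpoint or any of the cited sources) shows how a defender can triage an archive for exactly those traits before it reaches a user. The ZIP and its members are constructed in memory so the script runs offline; the LNK header constant is the real Windows Shell Link signature, while the PDF and ZIP member contents are synthetic placeholders, not samples from the campaign.

```python
from __future__ import annotations

import io
import zipfile

# Windows Shell Link header: HeaderSize 0x0000004C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}, both little-endian.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"          # signature of a ZIP local file header
HTA_MARKERS = (b"<hta:application", b"<script")
DOCUMENT_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "csv", "rtf"}


def has_double_extension_lnk(name: str) -> bool:
    """True for names like report.xls.lnk: a document extension sits before .lnk."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTENSIONS


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons an archive member looks like part of a lure package."""
    reasons = []
    if data.startswith(LNK_MAGIC):
        if has_double_extension_lnk(name):
            reasons.append("shell link (LNK) hiding behind a document extension")
        elif not name.lower().endswith(".lnk"):
            reasons.append("shell link (LNK) content under a non-.lnk name")
    if data.startswith(PDF_MAGIC):
        # A PDF has no reason to contain a ZIP local file header; finding one
        # means a second container format is riding inside the PDF (polyglot).
        if ZIP_LOCAL_HEADER in data:
            reasons.append("PDF carrying an embedded ZIP local file header (polyglot)")
        lowered = data.lower()
        if any(marker in lowered for marker in HTA_MARKERS):
            reasons.append("PDF carrying HTA/script markup")
    return reasons


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every member of an in-memory ZIP and return only the suspicious ones."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure package for demonstration; every byte is synthetic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # LNK with a document extension in front of .lnk (assumed file name)
        zf.writestr("Invoice_Q3.xls.lnk", LNK_MAGIC + b"\x00" * 56)
        # PDF header followed by a ZIP local file header: PDF/ZIP polyglot
        zf.writestr("brochure.pdf",
                    b"%PDF-1.4\n%synthetic\n" + ZIP_LOCAL_HEADER + b"\x00" * 26 + b"inner.bin")
        # PDF header followed by HTA markup: PDF/HTA polyglot
        zf.writestr("terms.pdf",
                    b"%PDF-1.4\n<html><hta:application></hta:application></html>\n%%EOF")
        # Benign member that should produce no finding
        zf.writestr("readme.txt", b"Please find the attached documents.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The checks are deliberately content-based rather than name-based: the LNK signature is matched on the first bytes regardless of extension, so a shell link renamed to anything else is still caught, and the polyglot tests look for a second format's header inside a file that claims to be a PDF. In a mail gateway or sandbox pre-filter the same three functions can be fed the attachment bytes directly.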
Proofpoint has tracked UNK_CraftyCamel as a distinct intrusion cluster [1], noting some overlap in tactics with known Iranian-aligned groups like TA451 and TA455, although no definitive links have been established [1]. The focus on aviation and satellite communications suggests a strategic motive for intelligence gathering [1] [4], reflecting a broader trend of state-sponsored cyber activities targeting critical infrastructure in the Middle East [9]. The targeting of these sectors aligns with historical patterns where they are viewed as vital for national security and economic stability [9]. Successful breaches could lead to significant disruptions in aviation operations [9], impacting both domestic and international flights [9], and pose risks to national security through potential data theft [9].
From a military perspective [9], the targeting of aviation and satellite communications may provide strategic advantages in the event of armed conflict [9], underscoring the importance of cybersecurity in national defense strategies [9]. Security teams are advised to monitor for specific indicators of the Sosano infection chain [1], such as LNK files executing from newly created directories and unusual URL file activity in the registry [1]. Additionally, training employees to recognize suspicious content even when it arrives from known contacts is recommended to bolster defenses against such threats [1]. Together these measures reflect the need for nations and organizations to remain vigilant and proactive in their cybersecurity efforts [9].
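Two of the indicators named above, an LNK executing from a freshly created directory and the cmd.exe to mshta.exe hand-off from the infection chain, can be expressed as rules over process-creation telemetry. The added example below (written for this page, not a detection shipped by Proofpoint or any cited source) runs those two rules over a constructed set of Sysmon-style process events and a constructed map of directory creation times; the paths, PIDs, timestamps and file names are all invented for the demonstration.

```python
from __future__ import annotations

import ntpath
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:00:00", "pid": 100, "ppid": 4, "image": "explorer.exe",
     "cmdline": "explorer.exe", "cwd": r"C:\Users\alice"},
    {"ts": "2025-03-04T09:01:10", "pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\alice\Downloads\Invoice\Invoice_Q3.xls.lnk"',
     "cwd": r"C:\Users\alice\Downloads\Invoice"},
    {"ts": "2025-03-04T09:01:12", "pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Downloads\Invoice\brochure.pdf",
     "cwd": r"C:\Users\alice\Downloads\Invoice"},
    {"ts": "2025-03-04T09:05:00", "pid": 400, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir", "cwd": r"C:\Users\alice"},
]

# Constructed directory-creation timestamps, as a file-system audit log would supply them.
DIR_CREATED = {
    r"C:\Users\alice\Downloads\Invoice": "2025-03-04T08:59:30",
    r"C:\Users\alice": "2024-01-01T00:00:00",
}

LNK_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.lnk\b', re.IGNORECASE)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image names from the given process up through its parents (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def lnk_paths(cmdline: str) -> list[str]:
    """Windows paths ending in .lnk that appear in a command line."""
    return LNK_PATH_RE.findall(cmdline)


def detect(events: list[dict], dir_created: dict[str, str],
           window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Apply both rules to every event and return the alerts raised."""
    alerts = []
    for e in events:
        reasons = []
        chain = ancestry(events, e["pid"])
        # Rule 1: mshta.exe reached through cmd.exe, the hand-off seen in the chain.
        if chain and chain[0] == "mshta.exe" and "cmd.exe" in chain[1:]:
            reasons.append("mshta.exe launched through cmd.exe (ancestry: "
                           + " <- ".join(chain) + ")")
        # Rule 2: an LNK executed from a directory created shortly before.
        for path in lnk_paths(e["cmdline"]):
            created = dir_created.get(ntpath.dirname(path))
            if created is None:
                continue
            age = parse_ts(e["ts"]) - parse_ts(created)
            if timedelta(0) <= age <= window:
                reasons.append(f"LNK {ntpath.basename(path)} run from directory "
                               f"created {int(age.total_seconds())}s earlier")
        if reasons:
            alerts.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, DIR_CREATED):
        print(f"pid {alert['pid']} ({alert['image']})")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The directory-age window is the tunable part: ten minutes catches the download-then-double-click pattern while leaving long-lived folders alone, and the ancestry walk deliberately looks beyond the immediate parent so an intermediate process between cmd.exe and mshta.exe does not hide the relationship.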
Conclusion
The UNK_CraftyCamel campaign underscores the persistent threat posed by state-sponsored cyber-espionage, particularly in regions with critical infrastructure. The potential impacts of such operations include significant disruptions to essential services and threats to national security. To mitigate these risks, organizations must enhance their cybersecurity measures, including monitoring for specific malware indicators and improving employee awareness. As cyber threats continue to evolve, maintaining vigilance and proactive defense strategies will be crucial in safeguarding national and economic stability.
References
[1] https://osintcorp.net/new-cyber-espionage-campaign-targets-uae-aviation-and-transport/
[2] https://undercodenews.com/new-cyber-espionage-campaign-targets-uaes-aviation-satellite-and-transportation-sectors/
[3] https://cyber.vumetric.com/security-news/2025/03/04/suspected-iranian-hackers-used-compromised-indian-firm-s-email-to-target-u-a-e-aviation-sector/
[4] https://ciso2ciso.com/new-cyber-espionage-campaign-targets-uae-aviation-and-transport-source-www-infosecurity-magazine-com/
[5] https://gbhackers.com/hackers-exploiting-business-relationships-to-attack/
[6] https://www.infosecurity-magazine.com/news/espionage-campaign-targets-uae/
[7] https://tech-wire.in/technology/cyber-security/suspected-iranian-hackers-used-compromised-indian-firms-email-to-target-u-a-e-aviation-sector/
[8] https://www.csoonline.com/article/3837964/polyglot-files-used-to-spread-new-backdoor.html
[9] https://www.osintsights.com/2025/03/04/iranian-hackers-exploit-compromised-indian-firms-email-to-attack-u-a-e-aviation-industry/
[10] https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot