Aviation firms hit by devious new polyglot malware


  • Proofpoint observes a sophisticated BEC attack in the UAE
  • The attackers used a compromised email account to share polyglot files with their victims
  • These files deploy a hidden backdoor against aviation firms

Aviation firms in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack looking to deploy advanced malware.

Cybersecurity researchers at Proofpoint recently said they observed customers in the country, “with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure,” being targeted.

The attacks started in late 2024, when a threat actor Proofpoint tracks as UNK_CraftyCamel compromised the email account of an Indian electronics company the targeted aviation firms had done business with in the past. Sending from a trusted partner’s mailbox gave the messages a veneer of legitimacy, in typical BEC fashion, while the attachments carried multiple polyglot files intended to deploy malware.

Unknown attackers

The infection chain starts with polyglot files: files crafted so that they are valid in more than one format at the same time. A scanner that classifies a file by a single signature and then parses it as only that format can miss the content that runs when the same bytes are opened as the other format, which is what lets them slip past traditional detection. While somewhat uncommon, polyglot files have been observed in cyberattacks before, Proofpoint says, most notably in the Emmenthaler loader attacks.
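To make the detection point concrete, here is an added example, not code from Proofpoint or from the campaign described above: a small Python checker that runs several independent format tests over one byte stream and flags it as a polyglot when more than one format accepts it, plus a constructed PDF-header-plus-ZIP sample so it runs offline. The sample, the member name `invoice.hta`, and the marker lists are assumptions for illustration only; the article says the attackers used polyglot and HTA files, not which formats were combined.

```python
"""Spot polyglot files: one byte stream that more than one parser accepts.

Added example for illustration; the sample file is constructed here and is
not an artifact from the campaign.
"""
import io
import zipfile

# Signatures checked at offset 0, the way most "magic number" sniffers work.
HEAD_MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pe": b"MZ",
}

# HTA/HTML markers are accepted anywhere in the file: mshta.exe and browsers
# tolerate leading junk, so these are searched for rather than anchored.
SCRIPT_MARKERS = (b"<hta:application", b"<script", b"<html")


def detect_formats(data: bytes) -> set:
    """Return every format this byte stream would be accepted as.

    Each check is run independently; a sniffer that stops at the first
    matching signature is exactly what a polyglot is built to fool.
    """
    found = set()
    for name, magic in HEAD_MAGIC.items():
        if data.startswith(magic):
            found.add(name)
    # ZIP is parsed from the END (End Of Central Directory record), so a
    # valid archive survives arbitrary bytes prepended to it; zipfile
    # compensates for that offset just as a self-extractor would.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is None:  # every member's CRC checks out
                found.add("zip")
    except (zipfile.BadZipFile, OSError, ValueError):
        pass
    low = data.lower()
    if any(marker in low for marker in SCRIPT_MARKERS):
        found.add("hta/html")
    return found


def is_polyglot(data: bytes) -> bool:
    """True when the same bytes are valid under two or more formats."""
    return len(detect_formats(data)) > 1


def inspect(data: bytes) -> dict:
    """Formats of the outer stream plus, if it is a ZIP, of each member."""
    report = {"outer": sorted(detect_formats(data)), "members": {}}
    if "zip" in report["outer"]:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                report["members"][name] = sorted(detect_formats(zf.read(name)))
    return report


def build_pdf_zip_polyglot(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed sample: a PDF header followed by a real ZIP archive.

    Header sniffers call it a PDF; anything that parses from the end
    (unzip, zipfile) opens it as an archive holding member_bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    pdf_head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    return pdf_head + buf.getvalue()


if __name__ == "__main__":
    # Constructed HTA body (assumed name and content); the script only
    # closes its own window and exists to be found inside the archive.
    hta = b'<hta:application id="doc"><script>window.close();</script>'
    sample = build_pdf_zip_polyglot("invoice.hta", hta)
    print(inspect(sample))
```

The design choice worth copying into a real pipeline is that every format test runs regardless of what the first one said, and that archive members are inspected recursively: the outer file is flagged because both the PDF and ZIP checks pass, and the HTA hidden inside it is surfaced because the ZIP branch reads the members back out rather than trusting the file's extension or its first bytes.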

Eventually, these files lead to the installation of a custom Go-based backdoor called Sosano, designed to maintain access and execute further commands from the attackers remotely. The effort to conceal the attack didn’t stop with polyglot files, either. The binary was padded with unused Go libraries to inflate its size, and its execution was delayed; both tactics are aimed at automated sandboxes, which often skip very large samples or time out before a delayed payload ever runs.

Proofpoint said Sosano connected to a remote server at bokhoreshonline[.]com (domain defanged) to receive commands and potentially download further payloads.

While the researchers do not directly link UNK_CraftyCamel to known groups, they note similarities with Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).

“Both groups historically focused on targeting aerospace aligned organizations. Furthermore, TA451 and UNK_CraftyCamel both used HTA files in highly targeted campaigns in the UAE; and TA455 and UNK_CraftyCamel share a preference for approaching targets with business-to-business sales offers, followed by targeting engineers within the same companies,” the researchers said. “Despite these similarities, Proofpoint assesses UNK_CraftyCamel to be a separate cluster of intrusion activity.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
