A new, highly targeted phishing campaign aimed at the United Arab Emirates (UAE) aviation sector has been linked to Iranian-aligned hackers. The attackers used a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing emails carrying a sophisticated Golang backdoor, Sosano.
The emails, which were tailored to each target, contained malicious ZIP files that included a mix of polyglot files, such as a Windows shortcut disguised as an Excel document and two PDF files. One of these PDFs triggered the execution of a custom backdoor upon parsing.
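The attachment technique described above (a shortcut posing as a spreadsheet, a PDF that also parses as something else) can be caught at the mail gateway by checking each archive member's real header against its extension and looking for a second format signature inside the same blob. The following is an added defender-side example, not code from Proofpoint or from the campaign; the sample archive it builds is constructed here, and the PE signature check assumes the usual DOS-stub prefix rather than a bare "MZ".

```python
import io
import os
import zipfile

# Header signatures for the file types named in the attachment description.
MAGIC = {
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00",  # Windows shortcut (.lnk) header
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                         # also .xlsx/.docx containers
    "pe":  b"MZ\x90\x00",                         # assumption: usual DOS-stub prefix, not bare "MZ"
}
# What a member's extension claims its container format to be.
EXPECTED = {".xlsx": "zip", ".docx": "zip", ".zip": "zip", ".pdf": "pdf", ".lnk": "lnk", ".exe": "pe"}

def identify(data):
    """Format according to the bytes at offset 0, or None if unrecognised."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return None

def embedded_formats(data):
    """Signatures found past offset 0: a second format hidden inside the first."""
    return {fmt for fmt, sig in MAGIC.items() if data.find(sig, 1) != -1}

def scan_member(name, data):
    findings = []
    claimed = EXPECTED.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    if claimed and actual != claimed:  # e.g. a .xlsx that is really a shortcut
        findings.append(f"{name}: extension claims {claimed}, header is {actual or 'unknown'}")
    extra = embedded_formats(data) - {actual}
    if extra:                          # e.g. a PDF that also carries a ZIP or PE
        findings.append(f"{name}: possible polyglot, also contains {sorted(extra)}")
    return findings

def scan_archive(zip_bytes):
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_member(info.filename, zf.read(info)))
    return findings

def build_sample_archive():
    """Constructed sample modelled on the attachment above; not a real campaign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.xlsx", MAGIC["lnk"] + b"\x00" * 64)                       # shortcut posing as Excel
        zf.writestr("brochure.pdf", b"%PDF-1.4\n%x\n" + MAGIC["zip"] + b"\x00" * 32)  # PDF carrying a ZIP
        zf.writestr("terms.pdf", b"%PDF-1.4\n%clean\n%%EOF\n")                        # benign control
    return buf.getvalue()
```

Running `scan_archive(build_sample_archive())` flags the disguised shortcut and the two-format PDF while leaving the clean PDF alone; a real gateway would extend MAGIC and EXPECTED and feed hits into quarantine rather than just a list.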
The malicious backdoor, written in Golang, allows attackers to control compromised systems, execute commands, enumerate directories, and download further payloads. This attack specifically targeted fewer than five organizations, including those in aviation and satellite communications, sectors critical to the UAE’s national security.
The campaign, tracked by Proofpoint under the moniker “UNK_CraftyCamel,” suggests a sophisticated level of obfuscation and the use of a trusted third-party compromise to evade detection. The analysis points to Iranian state-sponsored actors, possibly linked to the Islamic Revolutionary Guard Corps (IRGC), highlighting the geopolitical motivations behind the attack.