Summary: A new, highly targeted phishing campaign, tracked as UNK_CraftyCamel, has emerged, targeting fewer than five organizations in the U.A.E. with a Golang backdoor called Sosano. The attack used a compromised email account belonging to an Indian electronics company and employed polymorphic files and multiple obfuscation techniques to deliver its payload. The activity is suspected to be linked to Iranian state-aligned actors and is aimed at critical sectors such as aviation and satellite communications.
Affected: Aviation and satellite communications organizations in the U.A.E.
Key points:
- The campaign leverages a compromised email from INDIC Electronics to distribute phishing messages containing malicious files.
- A key feature of the attack is an LNK file masquerading as an XLS document; opening it triggers the execution of malicious scripts.
- Sosano is a limited-functionality backdoor written in Golang that contacts a command-and-control server for instructions.
- The targeting of aviation and satellite communications emphasizes the geopolitical motivations behind the campaign, hinting at state-aligned involvement.
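The LNK-masquerading-as-XLS lure above is detectable without executing anything: a Windows shortcut always starts with a fixed header (the 4-byte header size 0x4C followed by the shortcut CLSID), and Windows hides the `.lnk` extension by default, so `invoice.xls.lnk` is shown to the user as `invoice.xls`. The following is an added example written for this summary, not code from the article or from any vendor; it compares the extension a filename claims against the file's actual leading bytes. All sample files and names below are constructed for the example, and the `ole2`/`zip`/`lnk` labels are the example's own.

```python
"""Flag files whose name claims one type (e.g. .xls) but whose bytes are a Windows shortcut."""

# Windows LNK header: HeaderSize 0x0000004C (little-endian) followed by the
# shortcut CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls / .doc compound file
ZIP_MAGIC = b"PK\x03\x04"                       # .xlsx / .docx are ZIP containers

# Container type each extension should have (example's own mapping).
EXPECTED = {"xls": "ole2", "doc": "ole2", "xlsx": "zip", "docx": "zip", "lnk": "lnk"}


def sniff_type(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    if data.startswith(LNK_HEADER):
        return "lnk"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def assess(name: str, data: bytes) -> dict:
    """Compare the claimed extension(s) with the real content and list findings."""
    exts = name.lower().split(".")[1:]
    outer = exts[-1] if exts else ""
    # Windows hides .lnk by default, so the extension the user actually sees is
    # the one before it when the file is a shortcut.
    visible = exts[-2] if outer == "lnk" and len(exts) >= 2 else outer
    actual = sniff_type(data)
    findings = []
    if actual == "lnk" and visible != "lnk":
        findings.append(f"shortcut disguised as .{visible}")
    if len(exts) >= 2:
        findings.append("double extension")
    if outer in EXPECTED and EXPECTED[outer] != actual:
        findings.append(f"content is {actual}, not the {EXPECTED[outer]} a .{outer} file should be")
    return {"name": name, "actual": actual, "findings": findings, "suspicious": bool(findings)}


# Constructed sample "files": a minimal shortcut padded to a plausible size,
# and genuine-looking spreadsheet containers for comparison.
SAMPLES = {
    "invoice.xls.lnk": LNK_HEADER + b"\x00" * 60,   # shows as invoice.xls in Explorer
    "invoice.xls": LNK_HEADER + b"\x00" * 60,       # renamed shortcut, no double extension
    "report.xls": OLE2_MAGIC + b"\x00" * 504,
    "report.xlsx": ZIP_MAGIC + b"\x00" * 26,
}


def run_samples() -> dict:
    """Return {filename: suspicious?} for the constructed samples."""
    return {name: assess(name, data)["suspicious"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = assess(name, data)
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:20} {result['actual']:8} {status}: {'; '.join(result['findings'])}")
```

In a mail gateway or sandbox pipeline the same check runs over every attachment and every member extracted from archives, since a shortcut inside a ZIP is the usual delivery path; the magic-byte comparison is what catches the renamed `invoice.xls` case that a filename rule alone would miss.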
Source: https://thehackernews.com/2025/03/suspected-iranian-hackers-used.html