Iranian Hackers Target UAE Firms With Polyglot Files

Proofpoint warns of a highly targeted campaign aimed at several United Arab Emirates organizations across multiple sectors and delivering a new backdoor.
The attacks, attributed to an Iranian threat actor tracked as UNK_CraftyCamel, employed polyglot files to hide the malicious payload, a technique relatively uncommon in espionage attacks.
The threat actor, Proofpoint says, compromised an Indian electronics company’s email account in October 2024 and then used it to send malicious email messages to UAE organizations in the aviation and satellite communications, and critical transportation infrastructure sectors.
The messages contained a malicious URL to download a ZIP archive that appeared to contain an XLS file, which was in fact an LNK file using a double extension, and two PDF files that were polyglots: one was appended with an HTA file and the other with a ZIP archive.
Created by carefully structuring data and aligning headers and footers, polyglot files can be interpreted as different formats, depending on how they are read.
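A defender-side triage check for the file shapes described above, as an added example that is not code from Proofpoint or from the original article. It flags a PDF whose tail parses as a ZIP end-of-central-directory record, a PDF carrying HTA or script markup after its last `%%EOF`, and a document-like name that ends in an executable extension. The file names, sample bytes, extension lists and finding labels are constructed assumptions, and the heuristics are illustrative.

```python
import io
import re
import struct
import zipfile

ZIP_EOCD = b"PK\x05\x06"            # ZIP end-of-central-directory signature
EOCD_MIN, MAX_COMMENT = 22, 0xFFFF  # fixed EOCD size, max archive comment length
SCRIPT_RE = re.compile(rb"<\s*(hta:application|script)\b", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(xlsx?|docx?|pdf)\.(lnk|hta|exe|js|vbs)$", re.I)


def has_zip_tail(data: bytes) -> bool:
    """ZIP readers locate the archive from the end: look for a well-formed EOCD."""
    start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(ZIP_EOCD, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_MIN + comment_len == len(data):
                return True  # the record ends exactly at end of file
        pos = data.rfind(ZIP_EOCD, start, pos)
    return False


def classify(name: str, data: bytes) -> set[str]:
    """Return heuristic findings for one extracted archive member."""
    findings = set()
    if DOUBLE_EXT_RE.search(name):
        findings.add("double-extension")
    if data.startswith(b"%PDF-"):
        eof = data.rfind(b"%%EOF")
        trailer = data[eof + 5:] if eof != -1 else b""
        if has_zip_tail(data):
            findings.add("pdf+zip")
        if SCRIPT_RE.search(trailer):
            findings.add("pdf+hta-script")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed, harmless sample members (names and bytes are made up)."""
    pdf = b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    hta = b"<html><hta:application id='x'/><script>' inert</script></html>"
    return {"report.xlsx.lnk": b"L\x00\x00\x00", "clean.pdf": pdf,
            "doc-a.pdf": pdf + hta, "doc-b.pdf": pdf + buf.getvalue()}
```

Running `classify` over every member of a downloaded archive before it reaches a user gives a quick first-pass verdict; a legitimate PDF can occasionally trip the script check, so treat findings as leads for analysis.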
As part of the attack, the LNK file was used to launch commands needed to parse the PDF/HTA polyglot file and execute the relevant content from it. The HTA script builds an executable and a URL from the second PDF and writes the URL to the registry for persistence.
The process ends with the execution of a backdoor dubbed Sosano, which is written in Golang and contains limited functionality. The backdoor first sleeps for a random amount of time, then attempts to contact its command-and-control (C&C) server to receive commands.
Based on the received commands, the malware can get the current directory and change the working one, list the content of the directory, download and load additional content, delete a directory, and execute shell commands.