Threat hunters have identified a highly targeted phishing campaign attributed to the group UNK_CraftyCamel, which focused on fewer than five entities in the UAE, particularly within aviation and satellite communications. The attack began in late October 2024 and used a compromised email account at INDIC Electronics to send tailored phishing messages. The payload was designed to install a Go-based backdoor named Sosano, using techniques such as polyglot files and misleading file extensions to deceive recipients into executing malicious software.
UNK_CraftyCamel abused the compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file. The archive relied on multiple polyglot files to eventually install the custom Go backdoor dubbed Sosano.
The emails contained URLs that pointed to a bogus domain masquerading as the Indian company ('indicelectronics[.]net'), hosting a ZIP archive that included an XLS file and two PDF files.
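A polyglot is a single file that is valid as more than one format, so a scanner that trusts the extension or only the first bytes can be fooled. The following is an added detection example written for this summary (not from the report or the campaign's own artefacts): it looks for several format signatures anywhere in a file and flags mismatches between the extension and the signatures found. The sample byte strings are constructed here for illustration.

```python
import re

# Magic values for formats commonly combined in polyglots.
SIGNATURES = {
    "pdf": re.compile(rb"%PDF-\d\.\d"),
    "zip": re.compile(rb"PK\x03\x04"),                      # ZIP / OOXML (xlsx, docx)
    "ole2": re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),  # legacy xls/doc
    "html": re.compile(rb"<(html|script)\b", re.IGNORECASE),
}

# Which signature the file extension claims to be.
EXPECTED_BY_EXT = {"pdf": "pdf", "xls": "ole2", "xlsx": "zip", "zip": "zip"}


def scan_polyglot(data: bytes, filename: str) -> dict:
    """Return every signature found (with offsets) and a verdict with reasons."""
    found = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            found[name] = offsets

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    reasons = []
    if len(found) > 1:
        reasons.append("multiple format signatures: " + ", ".join(sorted(found)))
    if expected and expected not in found:
        reasons.append(f"extension .{ext} but no {expected} signature present")
    elif expected and found[expected][0] != 0:
        # Some readers tolerate a late header, which is exactly what polyglots exploit.
        reasons.append(f"{expected} header first appears at offset {found[expected][0]}")
    return {"found": found, "extension": ext, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real campaign files).
BENIGN_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
PDF_ZIP_POLYGLOT = BENIGN_PDF + b"PK\x03\x04\x14\x00\x00\x00\x08\x00payload.bin"
HTML_AS_XLS = b"<html><script>document.write('x')</script></html>"

if __name__ == "__main__":
    for blob, name in [(BENIGN_PDF, "invoice.pdf"),
                       (PDF_ZIP_POLYGLOT, "quote.pdf"),
                       (HTML_AS_XLS, "prices.xls")]:
        print(name, scan_polyglot(blob, name))
```

Signature scanning is a triage aid, not proof of malice: archive-inside-PDF layouts also occur in legitimate files, so treat hits as a reason to detonate or inspect further.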