A recent report reveals that Iranian-aligned hackers, identified as UNK_CraftyCamel, are leveraging polyglot files to breach UAE-based organisations as part of an ongoing cyber-espionage campaign.
In October 2024, the adversary compromised the email account of an Indian electronics company, "INDIC Electronics", to send malicious messages. The email contained the URL "https://indicelectronics[.]net/or/1/OrderList.zip", which downloaded a ZIP file containing an XLS file and two PDF files. In fact the archive carried a disguised LNK file and two polyglot PDFs.
Attack Methodology
The LNK file executed commands to parse and run the malicious content embedded in the polyglot PDFs, leading to the deployment of a new backdoor named Sosano. Sosano is written in Golang and has a limited set of functions: directory navigation, file manipulation, and execution of shell commands.
It starts by sleeping for some time before contacting its C2 for further instructions; the delay is intended to evade automated analysis and EDR.
After the sleep routine ends, Sosano connects to its C2, bokhoreshonline[.]com. Upon successful connection, the malware waits for commands from the threat actor by sending HTTP GET requests.
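One way a defender could triage a lure archive like the one described above, as an added example that is not code from the report or from the campaign: it unpacks a ZIP in memory, flags members whose bytes are a Windows shortcut hiding behind a document-style name, and flags PDFs that also carry another format's signature. The page does not name the secondary formats, so the ZIP, PE and script signatures, the member names and the sample bytes are constructed assumptions.

```python
import io
import zipfile

# Magic bytes of a second format hidden inside a PDF. The report does not
# name the secondary formats; these are assumed, common polyglot partners.
SECONDARY_SIGNATURES = {"zip": b"PK\x03\x04", "pe": b"MZ", "html/hta": b"<script"}
# HeaderSize (0x4C) plus the start of the LinkCLSID that opens every .lnk file.
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00"

def find_pdf_polyglot(data: bytes) -> list[str]:
    """Names of non-PDF signatures found in a file that starts as a PDF."""
    if not data.startswith(b"%PDF-"):
        return []
    # Skip the PDF header itself; a clean PDF should not carry these markers.
    return [name for name, magic in SECONDARY_SIGNATURES.items() if magic in data[5:]]

def is_disguised_lnk(name: str, data: bytes) -> bool:
    """True when the content is a shortcut but the visible name looks like a
    document: Explorer hides '.lnk', so 'Order.xls.lnk' displays as 'Order.xls'."""
    if not data.startswith(LNK_HEADER):
        return False
    shown = name.lower().rsplit("/", 1)[-1]
    if shown.endswith(".lnk"):
        shown = shown[:-4]
    return "." in shown

def inspect_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Scan every member of an in-memory ZIP; return (member, verdict) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if is_disguised_lnk(info.filename, data):
                findings.append((info.filename, "disguised LNK"))
            for sig in find_pdf_polyglot(data):
                findings.append((info.filename, f"PDF polyglot with {sig}"))
    return findings

def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive (not the real sample): a
    shortcut named like a spreadsheet, a PDF with a ZIP header glued on, one clean PDF."""
    polyglot_pdf = b"%PDF-1.4\n%%EOF\n" + b"PK\x03\x04" + b"\x00" * 26 + b"payload"
    clean_pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OrderList.xls.lnk", LNK_HEADER + b"\x00" * 68)
        zf.writestr("about-us.pdf", polyglot_pdf)
        zf.writestr("catalog.pdf", clean_pdf)
    return buf.getvalue()
```

Running `inspect_archive(build_sample_archive())` reports the shortcut and the polyglot PDF and stays silent on the clean PDF; on real mail attachments the same two checks are cheap enough to run at the gateway.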
Sosano supports the following commands:
- sosano: Retrieves the current directory or changes the working directory.
- yangom: Lists the contents of the current directory.
- monday: Downloads and loads additional payloads.
- raian: Deletes or removes a directory.
- lunna: Executes a shell command.
Beef Between Iran and UAE
The recent Iranian cyberattack on UAE firms is part of the broader cyberwar between the two nations, rooted in regional power struggles and economic competition. Iran has repeatedly targeted companies in the Middle East across critical sectors, including the well-known Aramco cyberattack, which disrupted the oil market.
Since 2010, an underground cyberwar has been unfolding between the UAE and Iran, largely driven by Project Raven—a covert Emirati cyber-espionage program. This ongoing digital conflict has seen both nations engage in offensive cyber operations, targeting each other’s infrastructure, intelligence networks, and critical industries.
Attribution to Iran
- UNK_CraftyCamel does not overlap with any existing groups tracked by the researchers.
- Infrastructure analysis indicates ties to Iran-aligned adversaries, particularly IRGC-backed TA451 and TA455.
- While similar to past IRGC campaigns, UNK_CraftyCamel is assessed as a distinct intrusion cluster.
The Bottom Line
As geopolitical tensions increase, companies are increasingly caught in the crossfire. With UAE and Iran deeply involved in proxy conflicts across Yemen, Syria, and Lebanon, cyber warfare between the two nations is expected to intensify, posing greater risks to businesses and critical infrastructure in the MENA region.
Source: hxxps[://]www[.]proofpoint[.]com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
