A newly identified cyber-espionage campaign is targeting organizations in the United Arab Emirates (UAE), with researchers attributing it to a previously unclassified threat actor, UNK_CraftyCamel. The attackers are using Sosano, a newly discovered backdoor, to infiltrate critical sectors, including aviation, satellite communications, and transportation infrastructure. The campaign, active since late 2024, uses spear-phishing tactics to lure victims into downloading malware disguised as legitimate business files.
Security researchers believe the tactics and targeting methods strongly resemble Iranian-aligned operations, particularly those linked to the Islamic Revolutionary Guard Corps (IRGC). While Sosano’s capabilities remain under analysis, it has already been observed providing attackers with persistent access, allowing them to execute arbitrary commands and deploy additional malware payloads.
Expert Analysis
This attack is a textbook example of how cyber warfare is evolving beyond traditional espionage and moving toward sustained infiltration of critical infrastructure. The use of a relatively unknown malware strain suggests that these hackers are refining their techniques to evade detection while ensuring long-term access to compromised environments.
The choice of targets—aviation, satellite communications, and transportation—is highly strategic. These are not random attacks; they are deliberate efforts to gain leverage over national security assets. By establishing persistence within these networks, the attackers are positioning themselves to disrupt operations or exfiltrate highly sensitive data over time.