Key findings

• Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure.
• The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
• This campaign led to the newly discovered backdoor dubbed Sosano by Proofpoint, which leveraged numerous techniques to obfuscate the malware and its payload, likely indicating an adversary with significant development capabilities with an interest in protecting their payloads from easy analysis.
• The campaign used polyglot files to obfuscate payload content, a technique that is relatively uncommon for espionage-motivated actors in Proofpoint telemetry and speaks to the desire of the operator to remain undetected.
• Proofpoint tracks this new threat cluster as UNK_CraftyCamel.