Dark Reading
'Crafty Camel' APT Targets Aviation, OT With Polyglot Files
The Iran-linked nation-state group made its debut with a stealthy, sophisticated, and laser-focused cyber-espionage attack on targets in the UAE.
Nate Nelson,Contributing Writer
March 5, 2025
4 Min Read
Image credit: DPK-Photo via Alamy Stock Photo
A sophisticated advanced persistent threat (APT) that's likely aligned with Iran has been deploying a convincing business email compromise (BEC) attack to deliver two-faced polyglot files, which quietly dropped a simple but diligently concealed backdoor. The goal? Cyber espionage against a handful of significant operational technology (OT) companies in the United Arab Emirates (UAE).
The activity, laser-focused on certain aviation and critical infrastructure targets, is characterized by its emphasis on stealth, according to Proofpoint, which found fewer than five organizations on the receiving end of this attack chain within its own telemetry. However, Proofpoint APT staff researcher Joshua Miller qualifies that there are likely more targets and victims. "I would assume there are some organizations that were targeted which were not protected [and therefore not visible] by Proofpoint," he says.
Schrödinger's Files (A Polyglot Cyberattack)
The campaign began late last October, when the threat cluster Proofpoint named "Crafty Camel" weaponized unauthorized access to a business email account belonging to INDIC Electronics, a southern Indian electronics manufacturer. Using it, Crafty Camel was able to send real corporate emails containing URLs mimicking INDIC's real domain. That first link redirected to a second, more specific domain, which triggered the download of a .ZIP archive — which in turn presented victims with an Excel file and two PDFs.
"The average user would open up their phone and think: 'OK, it's two PDFs and a spreadsheet. That makes sense when you're talking about business-to-business transactions,'" Miller says. Except, none of these files were as they appeared to be.
The Excel file used a double extension, taking advantage of Windows' default of hiding extensions for known file types. The fake spreadsheet was, in reality, a Windows shortcut (.LNK) responsible for opening the first PDF file. That PDF then extracted an executable and a URL file from the second PDF, which concealed the malware inside.
If that doesn't sound like normal PDF behavior, it's because each of these files lived double lives. The first doubled as an HTML Application (HTA) file, and the second contained an attached .ZIP archive. In other words, they were polyglots: files carefully programmed to function as two different file types at once.
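The double-extension shortcut and the two polyglot PDFs described above can be triaged from bytes alone, before anyone double-clicks. The script below is an added example written for this page, not code from Proofpoint or from the article; its file names and file contents are constructed stand-ins, and the heuristics it applies (HTA/HTML markup inside a PDF, a ZIP local-file header after the PDF's final `%%EOF`, a .LNK header behind a document extension, an `/EmbeddedFile` attachment) are assumptions about how such files are built rather than indicators taken from the research.

```python
"""Triage heuristics for double-extension shortcuts and PDF polyglots.

Added example for this page, not Proofpoint's or Dark Reading's code.
All sample names and bytes are constructed; nothing here is a real payload.
"""
from __future__ import annotations

import io
import re
import zipfile

# Well-known magic values: PDF header, ZIP local-file header, and the
# Windows shell-link header (size 0x4C followed by the LNK CLSID).
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"lnk", "hta", "exe", "scr", "js", "vbs", "url"}

# Markup that has no place in a PDF but that mshta.exe will run (assumption:
# this is how a PDF/HTA polyglot is likely to look; it is a triage hint only).
HTA_PATTERN = re.compile(rb"<\s*(hta:application|script|html)\b", re.IGNORECASE)


def check_double_extension(name: str) -> list[str]:
    """Flag 'report.xlsx.lnk'-style names, which Explorer shows as 'report.xlsx'
    when 'hide extensions for known file types' is on (the Windows default)."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS:
        return [f"double extension: displayed as .{parts[1]}, actually .{parts[2]}"]
    return []


def sniff_type(data: bytes) -> str:
    """Identify the container by content, never by name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if PDF_MAGIC in data[:1024]:  # readers accept a header within the first 1 KB
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_content_mismatch(name: str, data: bytes) -> list[str]:
    """A shortcut whose name does not end in .lnk is masquerading as something else."""
    ext = name.lower().rsplit(".", 1)[-1]
    if sniff_type(data) == "lnk" and ext != "lnk":
        return [f"content is a Windows shortcut (LNK) but name ends in .{ext}"]
    return []


def check_pdf_polyglot(data: bytes) -> list[str]:
    """Look for a second file type riding inside or behind a PDF."""
    reasons: list[str] = []
    if sniff_type(data) != "pdf":
        return reasons
    if HTA_PATTERN.search(data):
        reasons.append("PDF contains HTA/HTML markup (PDF/HTA polyglot indicator)")
    # Only whitespace belongs after the last %%EOF; a ZIP header there means
    # an archive was appended to the document.
    eof = data.rfind(b"%%EOF")
    trailer = data[eof + len(b"%%EOF"):] if eof != -1 else b""
    if ZIP_MAGIC in trailer:
        reasons.append("ZIP archive appended after PDF %%EOF (PDF/ZIP polyglot indicator)")
    if b"/EmbeddedFile" in data:  # legitimate feature, but worth a second look in triage
        reasons.append("PDF declares an embedded file attachment (/EmbeddedFile)")
    return reasons


def triage(name: str, data: bytes) -> list[str]:
    """Combine all checks; an empty list means nothing suspicious was found."""
    return (check_double_extension(name)
            + check_content_mismatch(name, data)
            + check_pdf_polyglot(data))


def _zip_bytes() -> bytes:
    """Constructed, harmless ZIP used to build the PDF/ZIP sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed placeholder, not a payload")
    return buf.getvalue()


MINIMAL_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
               b"trailer<</Root 1 0 R>>\n%%EOF\n")

# Constructed stand-ins for the three files in the article's archive (names invented).
SAMPLES = {
    "Quotation.xlsx.lnk": LNK_MAGIC + b"\x00" * 56,
    "Specs.pdf": MINIMAL_PDF.replace(
        b"%%EOF", b"%<html><hta:application id='h'/><script>x=1</script></html>\n%%EOF"),
    "Terms.pdf": MINIMAL_PDF + _zip_bytes(),
    "Clean.pdf": MINIMAL_PDF,
}


def run_samples() -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or "no findings")
```

The content checks matter more than the name check: Windows may hide the `.lnk` extension regardless of settings, so a gateway should decide by magic bytes and only use the name as corroboration. The `/EmbeddedFile` hit is deliberately listed last, since PDF attachments are a legitimate feature and that signal alone should raise a review, not a block.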
"It's not trivial to do. You have to design it in a way that allows for different types of file readers to open the same file. If you open it up in a PDF reader, it needs to open up as a PDF. If you open it as an executable, it needs to be able to execute," Miller explains. He adds, "We don't see a lot of this from APTs, but when we talk to our e-crime analysts, they do see this a decent amount."
At the end of the infection chain lay "Sosano," a newly documented Golang backdoor. Sosano is light on features — it's able to read and delete directories, execute shell commands, and download further payloads — but unique in one respect. Backdoors are often designed to be lightweight, so as to not attract attention, but Sosano is the opposite: a relatively large 12MB executable, containing many libraries it doesn't even use. Researchers speculate that its developers intentionally stuffed it full of garbage to complicate analysis.
Iranian Espionage Against UAE Industry Targets
Proofpoint tracks Crafty Camel as its own threat cluster. Still, it identified multiple tactics, techniques, and procedures (TTPs) that the group shares with other groups, including TA451 (aka APT33, Elfin, or Peach Sandstorm) and TA455. Both TA451 and TA455 have been tied to Iran's Islamic Revolutionary Guard Corps (IRGC).
Any connection with the IRGC might also help explain the character of the attacks: sophisticated, stealth-forward, espionage-focused, and highly focused on just a few organizations in industries of potential interest to a nation state. Without disclosing specifics, Proofpoint explained that Crafty Camel went after organizations involved in satellite communications, aviation, and "critical transportation infrastructure" in the UAE.
"Iran leverages cyber in a way that makes sense for their sphere of influence. They want to use cyber as a geopolitical tool. So it's not a surprise if they use somewhat deniable cyberattacks to pursue this kind of intelligence," Miller says.
He acknowledges that "we don't have enough to say that this is definitely Iran, [but] it does make sense when you consider that they have a lot of interest in the sort of technology that could be targeted here."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.