
Polyglot Files Used to Spread New Backdoor Targeting UAE Critical Infrastructure

  • Last updated March 5, 2025

Dubai, March 5, 2025 – A recent report from Proofpoint reveals that a threat actor is employing polyglot files to install a new backdoor, named Sosano, in a spear-phishing campaign aimed at critical infrastructure firms in the United Arab Emirates (UAE), particularly within the aviation, satellite communications, and transportation sectors.

The discovery was made in collaboration with PwC’s Threat Intelligence team, highlighting a significant cybersecurity threat that could extend beyond the UAE.

The campaign’s tactics involve compromising the email account of an Indian electronics company, which was then used to send malicious emails containing links to ZIP archives holding polyglot files designed to obscure the payload content. This method of attack, while currently localized, warrants caution from Chief Information Security Officers (CISOs) globally, as similar tactics may emerge in other regions.

Proofpoint’s analysis indicates that the use of polyglot files—a relatively uncommon method for espionage-motivated actors—demonstrates a high level of sophistication. These files are structured to be interpreted differently by various parsers, thus complicating detection efforts. The report emphasizes that the attackers’ approach reflects both creativity and a strategic focus on their targets.
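The detection idea behind that paragraph, as an added Python example that is not part of the original article or of the Proofpoint/PwC report: a polyglot works because different parsers read the same bytes by different rules (a ZIP parser locates the archive from the end of the file, a PDF reader tolerates a header that is not at offset 0), so the check below asks several such parsers whether they would accept a blob and flags any file that more than one accepts, or whose extension disagrees with its leading magic bytes. The signature table, the extension map and the sample files are constructed for this illustration and are not indicators from the campaign.

```python
"""Flag files that more than one parser would accept (polyglot candidates).

Added illustration. The signature table, extension map and sample inputs are
constructed for this example; none of it is taken from the Proofpoint report.
"""
import io
import zipfile

# Leading magic bytes for a handful of common formats (constructed, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}

# Extensions each format is expected to carry (constructed mapping).
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "pe": {"exe", "dll", "scr"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
}


def leading_format(data: bytes):
    """Return the format announced by the first bytes, or None if unrecognised."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def accepted_as(data: bytes) -> set:
    """Return every format whose parser would accept the whole blob.

    Lenient parsers are what make polyglots possible, so each rule below mimics
    a real parser's tolerance instead of trusting offset 0 alone.
    """
    formats = set()
    lead = leading_format(data)
    if lead:
        formats.add(lead)
    # ZIP: ask the real parser. zipfile scans backwards for the end-of-central-
    # directory record and tolerates prepended data, so a leading PDF or image
    # does not stop it from opening the archive.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.namelist():
                formats.add("zip")
    except (zipfile.BadZipFile, OSError, ValueError):
        pass
    # PDF: a header anywhere in the first 1 KiB is accepted by common readers.
    if data.find(b"%PDF-", 0, 1024) != -1:
        formats.add("pdf")
    # HTML / script: a tag anywhere means a browser would interpret the file.
    lowered = data.lower()
    if b"<html" in lowered or b"<script" in lowered:
        formats.add("html")
    return formats


def assess(filename: str, data: bytes) -> dict:
    """Summarise how a file would be interpreted and list anything suspicious."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    lead = leading_format(data)
    formats = accepted_as(data)
    findings = []
    if len(formats) > 1:
        findings.append("polyglot: accepted as " + "/".join(sorted(formats)))
    if lead and ext not in EXPECTED_EXT.get(lead, set()):
        findings.append(f"extension '.{ext}' does not match leading format '{lead}'")
    if lead is None and formats:
        findings.append("no recognised header, yet accepted as " + "/".join(sorted(formats)))
    return {"file": filename, "lead": lead, "accepted_as": sorted(formats), "findings": findings}


def build_plain_zip() -> bytes:
    """Constructed sample: an ordinary one-entry ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample entry for detection testing")
    return buf.getvalue()


def build_polyglot_sample() -> bytes:
    """Constructed sample: bytes that start like a PDF but also open as a ZIP."""
    return b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + build_plain_zip()


if __name__ == "__main__":
    samples = {
        "invoice.pdf": build_polyglot_sample(),          # flagged: pdf + zip
        "report.pdf": build_plain_zip(),                 # flagged: zip bytes, .pdf name
        "clean.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n",  # clean
    }
    for name, blob in samples.items():
        print(assess(name, blob))
```

The ZIP rule deliberately calls the real `zipfile` module rather than pattern-matching on `PK` bytes: the question a defender needs answered is not "does this look like a ZIP" but "would a ZIP parser open it", and only the parser itself can answer that. The same approach extends to any other format for which a tolerant parser is available.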

Security experts have pointed out that the campaign showcases the ongoing cat-and-mouse game between attackers and defenders. David Shipley, CEO of Beauceron Security, noted the necessity for both technological controls and a strong security culture within organizations to identify and mitigate threats effectively.

In late October 2024, the attackers exploited a trusted relationship with their targets by sending emails that appeared legitimate, complete with business lures and seemingly authentic attachments. However, these attachments included deceptive file formats that ultimately led to the execution of the Sosano backdoor, which is a DLL written in Golang.

Once executed, the Sosano malware employs a sleep routine to avoid detection and subsequently connects to a command-and-control server for further instructions. The report outlines several opportunities for detection of this malware, emphasizing the importance of safeguarding corporate domains from spoofing.

The findings from Proofpoint underscore the evolving nature of cyber threats and the need for heightened vigilance among organizations, particularly those in critical sectors.