Notably, the campaign demonstrates a sophisticated approach to evading detection by using trusted third-party access, polyglot files, and multiple layers of obfuscation. The attack sequence manipulated different file parsing behaviors across various applications, making it harder to detect through conventional security measures. The targeted nature of this campaign suggests that the threat actor behind it had a clear objective and advanced tradecraft, but there are no direct overlaps with any previously known cyber-espionage groups. However, Researchers assess with moderate confidence that the campaign may be linked to an Iranian-aligned actor, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC).

The attack's focus on critical infrastructure sectors, including aviation, satellite communications, and transportation, aligns with broader geopolitical intelligence-gathering objectives. The use of low-volume, highly targeted phishing combined with sophisticated obfuscation techniques underscores the level of effort put into remaining undetected while successfully compromising high-value targets. This campaign serves as a stark reminder of the evolving threat landscape and the need for organizations to strengthen their defenses against increasingly advanced state-sponsored cyber threats.

Impact

• Sensitive Data Theft
• Financial Loss
• Reputational Damage

Indicators of Compromise

Domain Name

• indicelectronics.net

• bokhoreshonline.com

MD5

• fbf3c44fdf1d635d1142ae0ec32fe887

• 19dabeca5fe5f5f35382f8e19c0d4403

• 35c29b31c3564e7d7cae9901299d41dd

• 6bd3be2a2d5d01ffa2c061ed63ac290f

SHA-256

• 336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14

• 394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3

• e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626

• 0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327

SHA1

• 304a9849894df9e6b3d381f2d24bcf2ef5b497fb

• f336903e65598cdc4908ee4ac0ff106c8c7fb027

• cf136da651dfb9104dcba68460ff57288b8c2ff9

• f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement email authentication protocols (DMARC, DKIM, SPF) to prevent email spoofing.
• Use AI-powered phishing detection tools to identify malicious emails before they reach employees.
• Conduct regular phishing awareness training for employees, emphasizing the risks of double-extension files (e.g., .xls.lnk) and trusted third-party compromise.
• Deploy Next-Generation Antivirus (NGAV) and Endpoint Detection & Response (EDR) to detect obfuscated threats.
• Block known malicious domains (e.g., indicelectronics[.]net) at the network level (firewall, DNS filtering).
• Monitor mshta.exe, cmd.exe, and PowerShell execution for suspicious activity.
• Configure email and web security gateways to scan for polyglot files and unusual file structures.
• Use sandboxing solutions to analyze attachments before delivery.
• Deploy behavioral analysis tools to detect XOR-based decryption mechanisms like the one used for Sosano backdoor.
• Verify and audit third-party vendors for cybersecurity best practices.
• Implement Zero Trust policies, ensuring that even trusted partners have limited access based on necessity.
• Require multi-factor authentication (MFA) for all vendor-related communications and accounts.
• Conduct regular threat hunting for indicators of compromise (IOCs) related to UNK_CraftyCamel and Sosano.
• Establish an incident response plan to quickly detect, contain, and eradicate infections.
• Share intelligence on Iranian APT tactics and new malware strains within cybersecurity communities.