New polyglot malware hits aviation, satellite communication firms www.bleepingcomputer.com/news/secu…

A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates.

The malware delivers a backdoor called Sosano, which establishes persistence on the infected devices and allows the attackers to execute commands remotely.

Proofpoint discovered the activity in October 2024 and attributes the attacks to a threat actor it tracks as ‘UNK_CraftyCamel.’ Although the campaign is small in scale, the researchers report that it is advanced and dangerous to the targeted companies.

Proofpoint’s researchers noted that the attacks bear similarities with operations from Iranian-aligned groups TA451 and TA455. However, the latest campaign is distinct, having a strong cyber-espionage focus.

Polyglot threat

Polyglot malware consists of specially crafted files that contain multiple file formats, allowing them to be interpreted differently by various applications.

For example, a single file could be structured as both a valid MSI (Windows installer) and a JAR (Java archive), causing Windows to recognize it as an MSI while the Java runtime interprets it as a JAR.

This technique enables attackers to stealthily deliver malicious payloads by evading security software, which typically analyzes files based on a single format.
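The MSI/JAR case above works because the two consumers look at opposite ends of the file: Windows identifies an MSI by the OLE compound-file magic at offset 0, while the Java runtime (like every ZIP reader) locates a JAR by the end-of-central-directory record near the end and ignores leading bytes. A triage check that inspects both ends therefore catches what a single-signature scanner misses. The following script is an added example, not code from the article or from Proofpoint; the function names, the format list and the sample file are constructed for illustration, and the sample carries only an OLE header plus a tiny ZIP, so it is not a working installer or a functioning JAR.

```python
import io
import zipfile

# Magic bytes that format-specific consumers check at the *start* of a file.
OLE_CF_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MSI installers are OLE compound files
HEAD_SIGNATURES = {
    "ole/msi": OLE_CF_MAGIC,
    "pe": b"MZ",
    "pdf": b"%PDF",
}


def detect_head_formats(data: bytes) -> set:
    """Formats claimed by the leading magic bytes (what a header-only scanner sees)."""
    return {name for name, magic in HEAD_SIGNATURES.items() if data.startswith(magic)}


def detect_tail_formats(data: bytes) -> set:
    """Formats parsed from the end of the file (what a ZIP/JAR reader sees).

    ZIP-based containers (JAR, DOCX, APK) are opened via the end-of-central-directory
    record, so readers such as the JVM tolerate arbitrary prefixed bytes.
    """
    return {"zip/jar"} if zipfile.is_zipfile(io.BytesIO(data)) else set()


def jar_entries(data: bytes) -> list:
    """Entry names a ZIP reader would actually extract, regardless of the prefix."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify(data: bytes) -> dict:
    """Flag a file whose head-based and tail-based identities disagree.

    Note: some benign files (self-extracting archives, for instance) are also
    PE+ZIP, so treat a hit as a triage signal, not a verdict on its own.
    """
    formats = sorted(detect_head_formats(data) | detect_tail_formats(data))
    return {"formats": formats, "polyglot": len(formats) >= 2}


def build_sample_polyglot() -> bytes:
    """Constructed sample: OLE magic + zero padding, followed by a minimal ZIP
    that carries a JAR-style manifest. This mimics the layout, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
    return OLE_CF_MAGIC + b"\x00" * 504 + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("head says:", detect_head_formats(sample))   # {'ole/msi'}
    print("tail says:", detect_tail_formats(sample))   # {'zip/jar'}
    print("zip reader extracts:", jar_entries(sample))  # ['META-INF/MANIFEST.MF']
    print(classify(sample))
```

Run against a directory of mail attachments or downloads, `classify` gives a cheap first-pass indicator; anything flagged `polyglot` deserves parsing under each claimed format separately (for example, extracting the embedded archive and analysing its entries) rather than under the one the OS picked.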
