Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

    Date: 03/07/2025

    Severity: High

    Summary

    In fall 2024, UNK_CraftyCamel exploited a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates. The attack involved a malicious ZIP file containing multiple polyglot files, ultimately delivering a custom Go backdoor named Sosano.

    Indicators of Compromise (IOC) List 

    Domains/URLs:

    indicelectronics.net

    bokhoreshonline.com 

    IP Addresses:

    104.238.57.61 

    46.30.190.96 

    Hashes (SHA-256):

    76b1237d26b94eb75ed600ba51d4b2414a8da48a30d06973921bcd0ee9fac761
    
    4d084a7e0c656d038d3176e97a4f807d094ce78f6b1f92a6ada7b93cf6a7cf03
    
    78f69097a5ba8480e39d735732d22319d7f4d05002940d99b326970353c8a545
    
    713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08
    
    16d2f6194d1b1989fbef4572055dbf62a0d6a2570b316ac15722192f1c559a50
    
    95c101a0164af189cc282eb2d67e143b42e6d57d7ef396d59715a355a3162b96
    
    6c36d61ad03e33dc3bc5d26e336855c4ab147541ccb989a35d3ed470fd1d521f
    
    9e24c7b4604aa3022325b62154ac80dc76533fa96a3418d8e15d28c998fb9c53
    
    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
    
    644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
    
    1cf2bdb1cdd34bb50d60f21b8208041913747b8deca5f26aa187d2e8c0e9a105
    
    270b8685104389b8341dc7c68fb362579170b82bffe89cc964cb27c10e496f08
    
    644c9745d1d2f679db73fcb717dd37e180e19d5b0fc74575e4cefe4f543f2768
    
    2b8be1bbaf17a69326f65096a31054a1198e66a83e31c37d1eee1c2580d6c7fa
    
    837dc4e83fcefc8334384c88d672eb2dee31bceb64657ca7bb4322536a810192
    
    57d0b8a89b216aadb6525bccfdb67917d52e239856ae9011721e84746b99571e
    
    f98a335a128a062323476454ae7c5490c5a134461ab49ee05afa81b4714d033c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "bokhoreshonline.com" or url like "bokhoreshonline.com" or userdomainname like "indicelectronics.net" or url like "indicelectronics.net"

    IP Addresses:

    dstipaddress IN ("104.238.57.61","46.30.190.96") or ipaddress IN ("104.238.57.61","46.30.190.96") or publicipaddress IN ("104.238.57.61","46.30.190.96") or srcipaddress IN ("104.238.57.61","46.30.190.96")

    Hashes (SHA-256):

    sha256hash IN ("336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14","394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3","0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327","e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626")
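The three queries above express one idea: sweep proxy, firewall and endpoint telemetry for the listed domains, IPs and file hashes. The following Python script is an added example, not part of this advisory or of Gurucul's TDIR product, showing the same sweep over a handful of constructed key=value log lines. The watchlist values are the domains, IPs and (a subset of) the hashes from the IOC list above; the log format, field names, timestamps and internal addresses are assumptions made up for the example. It also shows a caveat worth carrying into any SIEM rule: domain indicators should be matched as the host itself or a subdomain of it, not as a bare substring, so that an unrelated host whose name merely contains the indicator does not fire.

```python
"""IOC sweep over constructed log lines using the indicators from the advisory above."""
import re

# Watchlist values taken from the IOC list on this page.
WATCH_DOMAINS = {"indicelectronics.net", "bokhoreshonline.com"}
WATCH_IPS = {"104.238.57.61", "46.30.190.96"}
WATCH_SHA256 = {
    "76b1237d26b94eb75ed600ba51d4b2414a8da48a30d06973921bcd0ee9fac761",
    "4d084a7e0c656d038d3176e97a4f807d094ce78f6b1f92a6ada7b93cf6a7cf03",
    "78f69097a5ba8480e39d735732d22319d7f4d05002940d99b326970353c8a545",
    "713120bac7807f6fc0a6050135556c0614a66be2fb476cfe163877f3d03b4d08",
}  # subset of the page's hash list, enough to demonstrate matching

# Constructed sample events (assumption: key=value lines). Hosts, timestamps and
# internal addresses are invented; the indicator values come from the page.
SAMPLE_LOGS = [
    "ts=2024-10-15T09:01:12Z src=10.0.0.5 dst=104.238.57.61 url=http://bokhoreshonline.com/login",
    "ts=2024-10-15T09:02:40Z src=10.0.0.7 dst=93.184.216.34 url=https://example.com/index.html",
    "ts=2024-10-15T09:03:01Z host=ws-12 file=invoice.zip "
    "sha256=76B1237D26B94EB75ED600BA51D4B2414A8DA48A30D06973921BCD0EE9FAC761",
    "ts=2024-10-15T09:04:19Z src=10.0.0.9 dst=46.30.190.96 url=https://mail.indicelectronics.net/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://)?([^/:?#]+)", re.I)


def parse_line(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def host_from_url(url):
    """Extract the hostname from a URL, dropping scheme, port, path and query."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def domain_matches(host, watch):
    """True if host is one of the watched domains or a subdomain of one.

    This is deliberately stricter than a substring 'like' match: a host such as
    'notindicelectronics.net' does not match 'indicelectronics.net'.
    """
    return any(host == d or host.endswith("." + d) for d in watch)


def match_event(event):
    """Return a list of (indicator_type, value) hits for a parsed event."""
    hits = []
    for key in ("src", "dst"):  # check both directions, as the IP query above does
        if event.get(key) in WATCH_IPS:
            hits.append(("ip", event[key]))
    if "url" in event:
        host = host_from_url(event["url"])
        if domain_matches(host, WATCH_DOMAINS):
            hits.append(("domain", host))
    if "sha256" in event:
        digest = event["sha256"].lower()  # normalise case before comparing
        if digest in WATCH_SHA256:
            hits.append(("sha256", digest))
    return hits


def sweep(lines):
    """Run the IOC match over every line; return (timestamp, hits) for lines that fire."""
    results = []
    for line in lines:
        event = parse_line(line)
        hits = match_event(event)
        if hits:
            results.append((event.get("ts"), hits))
    return results


if __name__ == "__main__":
    for ts, hits in sweep(SAMPLE_LOGS):
        print(ts, hits)
```

Running the script reports three of the four constructed lines: the first on both its destination IP and the domain in its URL, the third on the file hash (matched despite the upper-case hex), and the fourth on its destination IP and the subdomain `mail.indicelectronics.net`. The `example.com` line does not fire.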

    Reference:    

    https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot


    Tags

    Malware, Backdoor, UAE, Polyglot
