PULSE NAME
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
TLP: WHITE | Adversary: UNK_CraftyCamel | Author: AlienVault | Created: 2025-03-04 | Modified: 2025-04-03
A highly targeted email-based campaign was identified against aviation and satellite communications organizations in the United Arab Emirates. The messages were sent from a compromised entity and tailored to each recipient, and analysis of the attachments led to the discovery of a new backdoor named Sosano. The infection chain ran through multiple stages built from LNK files, HTA scripts, XOR-encoded payloads and polyglot files (single files that parse validly as more than one format, so a scanner that trusts only the leading magic bytes sees just one of them), which points to a sophisticated adversary. The Sosano backdoor is written in Golang; its functionality is limited, but it is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is assessed to be a separate entity. The campaign illustrates the use of trusted relationships to deliver customized, obfuscated malware to a small set of targets.
Indicators of Compromise (16)
TYPE    INDICATOR    CREATED
FileHash-MD5 19dabeca5fe5f5f35382f8e19c0d4403 2025-03-04
FileHash-MD5 35c29b31c3564e7d7cae9901299d41dd 2025-03-04
FileHash-MD5 6bd3be2a2d5d01ffa2c061ed63ac290f 2025-03-04
FileHash-MD5 fbf3c44fdf1d635d1142ae0ec32fe887 2025-03-04
FileHash-SHA1 304a9849894df9e6b3d381f2d24bcf2ef5b497fb 2025-03-04
FileHash-SHA1 cf136da651dfb9104dcba68460ff57288b8c2ff9 2025-03-04
FileHash-SHA1 f336903e65598cdc4908ee4ac0ff106c8c7fb027 2025-03-04
FileHash-SHA1 f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4 2025-03-04
FileHash-SHA256 0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c 2025-03-04
FileHash-SHA256 0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327 2025-03-04
FileHash-SHA256 336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14 2025-03-04
FileHash-SHA256 394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3 2025-03-04
FileHash-SHA256 e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626 2025-03-04
URL https://indicelectronics.net/or/1/OrderList.zip 2025-03-04
domain bokhoreshonline.com 2025-03-04
domain indicelectronics.net 2025-03-04
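The chain summarized above (polyglot carriers, an XOR-encoded stage, file hashes as the published IOCs) lends itself to a small triage script. The following is an added example written for this page; it is not code from the pulse, from AlienVault or from the campaign's original report. It assumes, because the page does not say, that the polyglots combine everyday container formats (PDF, ZIP, HTA, LNK) and that the XOR layer uses a single-byte key; the hash set is copied from the IOC table above, and every sample input is constructed.

```python
"""Triage helpers for a suspected sample from this pulse.

Added example, not code from the pulse or the campaign's report. Assumed
(not stated on the page): polyglots mix PDF/ZIP/HTA/LNK, XOR key is one
byte. All sample inputs are constructed, not real malware.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Hashes copied from the pulse's IOC table (MD5, SHA-1 and SHA-256 mixed).
PULSE_HASHES = {
    "19dabeca5fe5f5f35382f8e19c0d4403", "35c29b31c3564e7d7cae9901299d41dd",
    "6bd3be2a2d5d01ffa2c061ed63ac290f", "fbf3c44fdf1d635d1142ae0ec32fe887",
    "304a9849894df9e6b3d381f2d24bcf2ef5b497fb", "cf136da651dfb9104dcba68460ff57288b8c2ff9",
    "f336903e65598cdc4908ee4ac0ff106c8c7fb027", "f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4",
    "0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c",
    "0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327",
    "336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14",
    "394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3",
    "e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626",
}

# Magic bytes of the formats named in the infection chain. HTA has no fixed
# header, so its application tag is matched case-insensitively instead.
SIGNATURES = {
    "PDF": b"%PDF-",
    "ZIP": b"PK\x03\x04",                        # local file header
    "ZIP-EOCD": b"PK\x05\x06",                   # end of central directory
    "LNK": b"\x4c\x00\x00\x00\x01\x14\x02\x00",  # HeaderSize + start of LinkCLSID
    "HTA": b"<hta:application",
}

def hash_matches(data: bytes) -> List[str]:
    """Return the digests of `data` that appear in the pulse's IOC list."""
    digests = (hashlib.md5(data).hexdigest(),
               hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest())
    return [d for d in digests if d in PULSE_HASHES]

def find_signatures(data: bytes) -> Dict[str, List[int]]:
    """Map each known magic string to every offset where it occurs, not just 0."""
    hits: Dict[str, List[int]] = {}
    lowered = data.lower()
    for name, magic in SIGNATURES.items():
        haystack = lowered if name == "HTA" else data
        offsets = [m.start() for m in re.finditer(re.escape(magic), haystack)]
        if offsets:
            hits[name] = offsets
    return hits

def is_polyglot(data: bytes) -> bool:
    """Flag a file carrying two different formats, or a ZIP whose first local
    header is not at offset 0 (an archive appended to a carrier file). A
    scanner that trusts only the leading magic bytes misses both cases."""
    hits = find_signatures(data)
    formats = {name for name in hits if name != "ZIP-EOCD"}
    if len(formats) >= 2:
        return True
    return "ZIP" in hits and hits["ZIP"][0] != 0

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes, expected_magic: bytes = b"MZ") -> Optional[int]:
    """Brute-force the one-byte key under which `blob` decodes to a file that
    starts with `expected_magic`. For a fixed first byte the key is unique."""
    head = blob[:len(expected_magic)]
    for key in range(256):
        if xor_single_byte(head, key) == expected_magic:
            return key
    return None

def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: a minimal PDF, a fake ZIP stub appended to it, and
    an XOR-encoded blob that begins like a PE file. None are real samples."""
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    zip_stub = b"PK\x03\x04" + b"\x00" * 26 + b"stage1.lnk" + b"PK\x05\x06" + b"\x00" * 18
    payload = b"MZ\x90\x00" + b"\x00" * 12
    return {
        "pdf_zip_polyglot": pdf + zip_stub,
        "plain_pdf": pdf,
        "xor_payload": xor_single_byte(payload, 0x5A),
    }

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "polyglot" if is_polyglot(blob) else "single-format",
              find_signatures(blob), hash_matches(blob), recover_xor_key(blob))
```

Run it against a real attachment by reading the file bytes instead of `build_samples()`. The signature scan is deliberately offset-independent, since the point of a polyglot is that the second format lives past the header the first parser stops at; the hash check is exact-match only, so a re-packed or re-encoded stage will not hit even when the behaviour is the same.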