{ "type": "Domain", "indicator": "indicelectronics.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/indicelectronics.net", "alexa": "http://www.alexa.com/siteinfo/indicelectronics.net", "indicator": "indicelectronics.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4042877953, "indicator": "indicelectronics.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "67c7822980e68bfde4519815", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware", "description": "A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware employed various obfuscation techniques, including polyglot files, indicating a sophisticated adversary. The infection chain involved multiple stages, using LNK files, HTA scripts, and XOR encoding. The Sosano backdoor, written in Golang, contains limited functionality but is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is considered a separate entity. This campaign highlights the use of trusted relationships to deliver customized, obfuscated malware to selective targets.", "modified": "2025-04-03T22:01:05.854000", "created": "2025-03-04T22:43:53.546000", "tags": [ "supply-chain", "backdoor", "satellite", "sosano", "targeted", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "UNK_CraftyCamel", "targeted_countries": [ "United Arab Emirates" ], "malware_families": [ { "id": "Sosano", "display_name": "Sosano", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387074, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bff3e33540d09bd27e7c8c", "name": "EbeeSep2025 Pt2", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-09T09:31:15.081000", "tags": [], "references": [ "Sep week2.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 165, "FileHash-SHA256": 382, "domain": 75, "hostname": 17, "FilePath": 4, "URL": 17 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67caece5c35854681949b57a", "name": "Hackers Target Critical Infrastructure with Polyglot Malware", "description": "", "modified": "2025-04-06T12:01:17.269000", "created": "2025-03-07T12:56:05.588000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c814e9729c846eaa4302a8", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "", "modified": "2025-04-04T09:00:54.179000", "created": "2025-03-05T09:10:01.128000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6f9510554b21b9598b0cb", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure.", "modified": "2025-04-03T12:01:08.958000", "created": "2025-03-04T13:00:01.004000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c806cc152d5c064c1aaaf1", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "", "modified": "2025-04-03T12:01:08.958000", "created": "2025-03-05T08:09:48.464000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "67c6f9510554b21b9598b0cb", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c8e3966b2e4ae6672c2141", "name": "New polyglot malware hits aviation, satellite communication firms", "description": "", "modified": "2025-03-05T23:51:50.207000", "created": "2025-03-05T23:51:50.207000", "tags": [ "proofpoint", "sosano", "zip archive", "pdf file", "united arab", "emirates", "october", "unkcraftycamel", "ta451", "ta455", "cactus" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "openctihunter", "id": "309746", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "454 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c7ce7f0e50dc573da12a57", "name": "Polyglot files used to spread new backdoor | CSO Online", "description": "Polyglot files are being used to conceal the installation of a new backdoor in a spear-phishing campaign targeting firms in the United Arab Emirates, according to researchers at security firm Proofpoint.", "modified": "2025-03-05T04:09:35.782000", "created": "2025-03-05T04:09:35.782000", "tags": [ "proofpoint", "cso executive", "cisos", "topics", "howard solomon", "us advertise", "contact us", "foundry careers", "policies", "service privacy", "back", "polyglot", "malware", "close", "rats", "sosano" ], "references": [ "https://www.csoonline.com/article/3837964/polyglot-files-used-to-spread-new-backdoor.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sosano", "display_name": "Sosano", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Malcode911", "id": "49380", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_49380/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "455 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.2.csv", "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot", "https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/", "Sep week2.pdf", "https://www.csoonline.com/article/3837964/polyglot-files-used-to-spread-new-backdoor.html" ], "related": { "alienvault": { "adversary": [ "UNK_CraftyCamel" ], "malware_families": [ "Sosano" ], "industries": [ "Aerospace", "Transportation" ] }, "other": { "adversary": [ "Multiple" ], "malware_families": [ "Sosano" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "67c7822980e68bfde4519815", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware", "description": "A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware employed various obfuscation techniques, including polyglot files, indicating a sophisticated adversary. The infection chain involved multiple stages, using LNK files, HTA scripts, and XOR encoding. The Sosano backdoor, written in Golang, contains limited functionality but is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is considered a separate entity. This campaign highlights the use of trusted relationships to deliver customized, obfuscated malware to selective targets.", "modified": "2025-04-03T22:01:05.854000", "created": "2025-03-04T22:43:53.546000", "tags": [ "supply-chain", "backdoor", "satellite", "sosano", "targeted", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "UNK_CraftyCamel", "targeted_countries": [ "United Arab Emirates" ], "malware_families": [ { "id": "Sosano", "display_name": "Sosano", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387074, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bff3e33540d09bd27e7c8c", "name": "EbeeSep2025 Pt2", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-09T09:31:15.081000", "tags": [], "references": [ "Sep week2.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 165, "FileHash-SHA256": 382, "domain": 75, "hostname": 17, "FilePath": 4, "URL": 17 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67caece5c35854681949b57a", "name": "Hackers Target Critical Infrastructure with Polyglot Malware", "description": "", "modified": "2025-04-06T12:01:17.269000", "created": "2025-03-07T12:56:05.588000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c814e9729c846eaa4302a8", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "", "modified": "2025-04-04T09:00:54.179000", "created": "2025-03-05T09:10:01.128000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6f9510554b21b9598b0cb", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure.", "modified": "2025-04-03T12:01:08.958000", "created": "2025-03-04T13:00:01.004000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c806cc152d5c064c1aaaf1", "name": "Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware | Proofpoint US", "description": "", "modified": "2025-04-03T12:01:08.958000", "created": "2025-03-05T08:09:48.464000", "tags": [ "proofpoint", "unkcraftycamel", "sosano", "url file", "sosano backdoor", "et malware", "united arab", "zip archive", "golang", "zip file", "python", "rats" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "67c6f9510554b21b9598b0cb", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 1, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c8e3966b2e4ae6672c2141", "name": "New polyglot malware hits aviation, satellite communication firms", "description": "", "modified": "2025-03-05T23:51:50.207000", "created": "2025-03-05T23:51:50.207000", "tags": [ "proofpoint", "sosano", "zip archive", "pdf file", "united arab", "emirates", "october", "unkcraftycamel", "ta451", "ta455", "cactus" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "openctihunter", "id": "309746", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "454 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c7ce7f0e50dc573da12a57", "name": "Polyglot files used to spread new backdoor | CSO Online", "description": "Polyglot files are being used to conceal the installation of a new backdoor in a spear-phishing campaign targeting firms in the United Arab Emirates, according to researchers at security firm Proofpoint.", "modified": "2025-03-05T04:09:35.782000", "created": "2025-03-05T04:09:35.782000", "tags": [ "proofpoint", "cso executive", "cisos", "topics", "howard solomon", "us advertise", "contact us", "foundry careers", "policies", "service privacy", "back", "polyglot", "malware", "close", "rats", "sosano" ], "references": [ "https://www.csoonline.com/article/3837964/polyglot-files-used-to-spread-new-backdoor.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sosano", "display_name": "Sosano", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Malcode911", "id": "49380", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_49380/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "455 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "indicelectronics.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "indicelectronics.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780485715.9165998 }