In early August 2025, cybersecurity teams in Türkiye observed a new, highly evasive Java‐based loader that slipped past every public sandbox, antivirus solution, and even enterprise EDR/XDR platforms.
This threat—codenamed SoupDealer—surfaced as a phishing campaign distributing a three-stage loader via files such as TEKLIFALINACAKURUNLER.jar.
Deployed through targeted spearphishing, the initial .jar file only unpacks its true payload after verifying the victim’s environment is running Windows in Turkish and located within Türkiye.
Once confirmed, it downloads Tor, schedules persistent tasks, and establishes a covert C2 channel over the Tor network.
Malwation researchers noted that this campaign leveraged custom class loaders to decrypt and load successive payloads entirely in memory, thwarting static and dynamic analysis engines.
After the first stage’s obfuscation layers are peeled away, a small Java class (Loader7) performs AES-ECB decryption of an embedded resource named d6RuwzOkGZM12DXi.
The decryption key, hardcoded as a simple string, is expanded via SHA-512 and truncated to derive the AES key. Once decrypted, the stage2 payload emerges as stage2.jar, which itself contains a matryoshka-style RC4-encrypted “stub” resource.
Following the second stage, the decrypted stub class uses a custom findClass override to define classes directly from RC4-decrypted byte arrays, effectively sidestepping on-disk indicators.
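The RC4 stub layer described above, as an added example that is neither the researchers' nor the loader's own code: a pure-Python RC4 routine plus the class-file magic check an analyst applies to confirm a candidate key before defining anything from the recovered bytes. The page does not give the real RC4 key, so the key and the resource below are constructed placeholders.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Every Java class file starts with this magic; a decrypted stub that lacks
# it was decrypted with the wrong key or is not a class at all.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def is_class_file(blob: bytes) -> bool:
    return blob[:4] == CLASS_MAGIC


def unpack_stub(resource: bytes, key: bytes) -> bytes:
    """Decrypt an RC4-protected stub resource and validate it before use."""
    plain = rc4(key, resource)
    if not is_class_file(plain):
        raise ValueError("decrypted stub does not carry the Java class magic")
    return plain


# Constructed sample (placeholder key and a minimal fake class header);
# the real key is not on the page and must be recovered from the loader.
SAMPLE_KEY = b"placeholder-rc4-key"
SAMPLE_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00\x10" + b"\x00" * 8
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CLASS)

if __name__ == "__main__":
    print(unpack_stub(SAMPLE_RESOURCE, SAMPLE_KEY)[:8].hex())
```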
In live incidents, SoupDealer bypassed host-based antivirus checks by confirming no security products were active before proceeding. It then downloads and runs Tor if not already present, verifying connectivity via check.torproject.org over a localhost proxy.
Finally, it launches the Adwind backdoor module, establishing an onion‐routed C2 connection on predefined ports with encrypted authentication.
Persistence and Detection Evasion
SoupDealer’s persistence hinges on both Windows Task Scheduler and registry modifications masquerading under benign names.
Upon gaining administrative privileges, it creates a scheduled task with a randomized name, invoking the Java loader daily with a startup delay.
Simultaneously, it writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a REGEDIT-formatted .reg script.
Python Decryption Script for d6RuwzOkGZM12DXi

```python
import hashlib
from Crypto.Cipher import AES  # pycryptodome

# Hardcoded key string from the loader; SHA-512 it and keep the first
# 16 bytes to obtain the AES-128 key, as Loader7 does.
KEY = "875758066416"
key = hashlib.sha512(KEY.encode("utf-8")).digest()[:16]

# Read the encrypted resource extracted from the stage-1 JAR.
with open("d6RuwzOkGZM12DXi", "rb") as f:
    ciphertext = f.read()

# AES-ECB, no IV; the output is the stage-2 JAR.
cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)

with open("stage2.jar", "wb") as f:
    f.write(plaintext)
```
To evade heuristic detection, each stage incorporates junk operations and string encryption, removing all nonessential code before execution.
The dynamic unpacking approach ensures that code visible in memory bears no resemblance to static signatures, rendering traditional AV engines and sandbox detectors blind.
By blending multi‐stage decryption, in‐memory class loading, and conditional execution checks, SoupDealer exemplifies next‐generation stealth malware that thrives in real‐world environments.