SoupDealer Malware Evades All Sandboxes, Antivirus, and EDR/XDR Systems in Actual Cases


Emergence of SoupDealer Malware in Türkiye: An Overview

In early August 2025, cybersecurity specialists in Türkiye detected a novel, highly evasive Java-based malware dubbed SoupDealer, which successfully evaded detection by all public sandboxes, antivirus solutions, and even sophisticated enterprise EDR/XDR systems.

This threat initially manifested through a phishing campaign, disseminating a three-stage loader packaged within files such as TEKLIFALINACAKURUNLER.jar.

Executed via meticulously crafted spear-phishing tactics, the initial .jar file only reveals its malicious payload after ascertaining that the victim’s system operates on a Turkish Windows environment and is physically located within Türkiye.

Upon confirmation of these conditions, the malware initiates a download of Tor, schedules persistent tasks, and orchestrates a covert command-and-control (C2) channel over the Tor network.

Researchers at Malwation elucidated that this campaign employed custom class loaders to decrypt and in-memory load subsequent payloads, thereby thwarting both static and dynamic analysis mechanisms.

As layers of obfuscation are stripped away, a diminutive Java class, identified as Loader7, executes AES-ECB decryption on an embedded resource named d6RuwzOkGZM12DXi.

The decryption key is hardcoded as a simple string, which is subsequently expanded via SHA-512 and truncated to generate the AES key. Upon decryption, the stage 2 payload is revealed as stage2.jar, containing a matryoshka-style RC4-encrypted “stub” resource.

Following the second stage, the decrypting stub class employs a custom findClass override, defining classes directly from RC4-decrypted byte arrays, effectively circumventing on-disk indicators. In real-world scenarios, SoupDealer adeptly bypassed host-based antivirus checks by confirming the absence of active security products before advancing.
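The stub mechanics described above can be checked from the analyst's side. The Python example below is added for this page (it is not code from the article or from Malwation): it implements RC4, pulls a named resource out of a jar held in memory, and accepts a decryption only when the output starts with the Java class-file magic, which is the quickest way to confirm a candidate key. The article does not publish the RC4 key, so PLACEHOLDER_KEY, the resource name "stub" and the jar fixture are constructed stand-ins.

```python
import io
import zipfile
from typing import Optional

# RC4 as used for the stage-2 "stub" resource: key scheduling followed by the
# keystream generator. The same function encrypts and decrypts because the
# keystream is simply XORed into the data.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Every Java class file begins with this magic number, so a correct key is
# recognisable from the first four decrypted bytes alone.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def looks_like_class(blob: bytes) -> bool:
    return blob[:4] == CLASS_MAGIC

def decrypt_resource(jar_bytes: bytes, resource_name: str, key: bytes) -> Optional[bytes]:
    """Read `resource_name` from an in-memory jar, RC4-decrypt it with `key`, and
    return the plaintext only if it carries a class-file header (otherwise None)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        blob = zf.read(resource_name)
    plain = rc4(key, blob)
    return plain if looks_like_class(plain) else None

def build_sample_jar(resource_name: str, payload: bytes, key: bytes) -> bytes:
    """Constructed fixture (not a real sample): a jar holding one RC4-encrypted resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(resource_name, rc4(key, payload))
    return buf.getvalue()

# Constructed stand-in for the embedded stub: a class-file header followed by filler.
FAKE_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 28
PLACEHOLDER_KEY = b"placeholder-rc4-key"  # the real key is not given in the article
SAMPLE_JAR = build_sample_jar("stub", FAKE_CLASS, PLACEHOLDER_KEY)

if __name__ == "__main__":
    recovered = decrypt_resource(SAMPLE_JAR, "stub", PLACEHOLDER_KEY)
    print("stub decrypts to a class file:", recovered is not None)
```

Against a real stage-2 jar you would pass the carved key and resource name to decrypt_resource; a wrong key returns None rather than a garbage blob, which keeps key brute-forcing or candidate testing honest. The rc4 routine can be sanity-checked against the standard "Key"/"Plaintext" test vector, whose ciphertext is BBF316E8D940AF0AD3.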

It then downloads and executes Tor if it is not already installed, and verifies connectivity by reaching check.torproject.org through a localhost proxy.

Ultimately, the malware triggers the Adwind backdoor module, establishing an onion-routed C2 connection on preordained ports while utilizing encrypted authentication.
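What a defender can observe from that Tor bootstrap is a Java process talking to a loopback proxy and a freshly dropped binary reaching check.torproject.org. The Python example below is added here and is not from the article: it runs two such rules over constructed connection-log lines. The log field layout, port 9050 (Tor's default SOCKS listener; the article does not state which port was used) and the AppData drop location are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed connection-log lines (not real telemetry). The assumed layout is
# timestamp, pid, image path, destination host:port.
SAMPLE_LOG = """\
2025-08-05T10:01:02Z pid=4120 image=C:\\Users\\user\\AppData\\Roaming\\Updater\\javaw.exe dst=127.0.0.1:9050
2025-08-05T10:01:03Z pid=5532 image=C:\\Users\\user\\AppData\\Roaming\\tor\\tor.exe dst=check.torproject.org:443
2025-08-05T10:02:00Z pid=880 image=C:\\Windows\\System32\\svchost.exe dst=update.example.com:443
2025-08-05T10:03:10Z pid=2210 image=C:\\Program Files\\Browser\\browser.exe dst=check.torproject.org:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

@dataclass
class Conn:
    ts: str
    pid: int
    image: str
    host: str
    port: int

def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format; lines that do not match are ignored."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            conns.append(Conn(m["ts"], int(m["pid"]), m["image"], m["host"], int(m["port"])))
    return conns

JAVA_IMAGES = ("java.exe", "javaw.exe")
TOR_CHECK_HOST = "check.torproject.org"
TOR_SOCKS_PORT = 9050  # assumed: Tor's default SOCKS port; the article gives no port

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def from_user_profile(path: str) -> bool:
    # Assumption: a Tor binary fetched at runtime lands somewhere under AppData.
    return "\\appdata\\" in path.lower()

def flag_tor_bootstrap(conns: List[Conn]) -> List[str]:
    """Rule 1: java/javaw using a loopback SOCKS proxy.
    Rule 2: a binary running from the user profile contacting the Tor check host."""
    findings = []
    for c in conns:
        exe = basename(c.image)
        if exe in JAVA_IMAGES and c.host == "127.0.0.1" and c.port == TOR_SOCKS_PORT:
            findings.append(f"{c.ts} pid={c.pid}: {exe} using loopback SOCKS proxy on port {c.port}")
        if c.host == TOR_CHECK_HOST and from_user_profile(c.image):
            findings.append(f"{c.ts} pid={c.pid}: {exe} under AppData contacted {TOR_CHECK_HOST}")
    return findings

if __name__ == "__main__":
    for finding in flag_tor_bootstrap(parse_log(SAMPLE_LOG)):
        print(finding)
```

The browser line is deliberately included: a user visiting check.torproject.org from an installed browser is not a finding, which is why rule 2 keys on the image location rather than on the destination alone.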

Persistence and Evasion Techniques

SoupDealer’s persistence strategy relies on modifications to Windows Task Scheduler and the registry, camouflaged under innocuous names.

Upon attaining administrative privileges, it generates a scheduled task with a random title, triggering the Java loader daily and introducing a startup delay.

Concurrently, it writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run through a REGEDIT-formatted .reg script.
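The Run-key side of that persistence is easy to hunt for in registry exports. The Python example below is added here and is not part of the article: a minimal parser for REGEDIT-format .reg text and a rule that flags Run values launching a jar through java or javaw. The .reg content, value names and paths are constructed for illustration; in an export the root is spelled out in full, so HKCU appears as HKEY_CURRENT_USER.

```python
import re
from typing import Dict, List

# Constructed .reg content in export format (not a captured sample).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemUpdate"="C:\\Users\\user\\AppData\\Roaming\\Updater\\javaw.exe -jar C:\\Users\\user\\AppData\\Roaming\\Updater\\svc.jar"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /minimized"
'''

# Autostart keys of interest, lower-cased for case-insensitive comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# A value line is either "name"=data or @=data (the default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def unescape(data: str) -> str:
    """Strip the quotes around a REG_SZ export and undo its \\ and \" escaping."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: {key_path: {value_name: data}} for string values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m["default"] else m["name"]
            keys[current][name] = unescape(m["data"])
    return keys

def suspicious_run_entries(text: str) -> List[Dict[str, str]]:
    """Flag Run-key values whose command runs a jar through java or javaw."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            lowered = cmd.lower()
            if ("java" in lowered) and (".jar" in lowered):
                hits.append({"key": key, "name": name, "command": cmd})
    return hits

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG):
        print(f"{hit['key']} -> {hit['name']}: {hit['command']}")
```

The parser keeps only what the rule needs (string values under named keys); binary and DWORD values are left out on purpose, since a Run-key launch command is always a string.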

Python Decryption Script for d6RuwzOkGZM12DXi
# Requires pycryptodome (pip install pycryptodome), which provides Crypto.Cipher.
import hashlib
from Crypto.Cipher import AES

# Hard-coded key string from Loader7: SHA-512 it and keep the first 16 bytes
# as the AES-128 key, mirroring the loader's own derivation.
KEY = "875758066416"
key = hashlib.sha512(KEY.encode("utf-8")).digest()[:16]

# The embedded resource carved out of the first-stage jar.
with open("d6RuwzOkGZM12DXi", "rb") as f:
    ciphertext = f.read()

# AES-ECB takes no IV. The input length must be a multiple of 16 bytes; if the
# loader used Java's default "AES/ECB/PKCS5Padding", the tail of the output
# carries padding bytes, which the jar reader ignores.
cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)

with open("stage2.jar", "wb") as f:
    f.write(plaintext)

To evade heuristic detection, each stage is padded with extraneous operations and uses string encryption, and the superfluous code is discarded before execution.

The dynamic unpacking methodology guarantees that the memory-visible code bears no resemblance to static signatures, thus rendering conventional antivirus engines and sandbox detectors ineffective.

By amalgamating multi-stage decryption, in-memory class loading, and conditional execution checks, SoupDealer exemplifies next-generation stealth malware adept at thriving within real-world conditions.

Source link: Cybersecuritynews.com.


Reported By

RS Web Solutions
