In early August 2025, cybersecurity teams in Türkiye observed a new, highly evasive Java-based loader that slipped past every public sandbox, antivirus solution, and even enterprise EDR/XDR platforms.
This threat, codenamed SoupDealer, surfaced as a phishing campaign distributing a three-stage loader via files such as TEKLIFALINACAKURUNLER.jar.
Delivered through targeted spearphishing, the initial .jar file only unpacks its true payload after verifying that the victim's environment is running Windows with a Turkish locale and is located inside Türkiye.
Once confirmed, it downloads Tor, schedules persistent tasks, and establishes a covert C2 channel over the Tor network.
Malwation researchers noted that this campaign leveraged custom class loaders to decrypt and load successive payloads entirely in memory, thwarting static and dynamic analysis engines.
After the first stage's obfuscation layers are peeled away, a small Java class (Loader7) performs AES-ECB decryption of an embedded resource named d6RuwzOkGZM12DXi.
11 classes and a stage2 payload (Source: Malwation)
The decryption key, hardcoded as a simple string, is hashed with SHA-512 and truncated to derive the AES key. Once decrypted, the stage2 payload emerges as stage2.jar, which itself contains a matryoshka-style RC4-encrypted "stub" resource.
Following the second stage, the decrypted stub class uses a custom findClass override to define classes directly from RC4-decrypted byte arrays, effectively sidestepping on-disk indicators. In live incidents, SoupDealer bypassed host-based antivirus checks by confirming that no security products were active before proceeding. It then downloads and runs Tor if it is not already present, verifying connectivity via test.torproject.org over a localhost proxy.
Custom ClassLoader (Source: Malwation)
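The write-up does not publish the RC4 key or the exact resource path of the stub inside stage2.jar, so the following is an added example (not Malwation's code or the malware's own) showing how an analyst would carry the matryoshka unpacking one layer further: pull a resource out of a jar, RC4-decrypt it, and check whether the result is a Java class. The key, resource name and the sample jar are constructed placeholders; swap in the values recovered from the real stage2.jar.

```python
import io
import zipfile

# Constructed for this example: the write-up names neither the RC4 key nor the
# exact resource path, so both are hypothetical placeholders.
STUB_RESOURCE = "stub"
STUB_KEY = b"example-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_stub(jar_bytes: bytes, resource: str, key: bytes) -> bytes:
    """Read the named resource from a jar (a zip archive) and RC4-decrypt it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return rc4(key, jar.read(resource))


def is_class_file(blob: bytes) -> bool:
    """Java class files start with the magic bytes 0xCAFEBABE."""
    return blob[:4] == b"\xca\xfe\xba\xbe"


def build_sample_stage2(stub_plain: bytes) -> bytes:
    """Constructed stand-in for stage2.jar: a zip with one RC4-encrypted resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(STUB_RESOURCE, rc4(STUB_KEY, stub_plain))
    return buf.getvalue()


if __name__ == "__main__":
    # Minimal fake class: magic, minor version 0, major version 52 (Java 8), padding
    fake_class = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8
    sample_jar = build_sample_stage2(fake_class)
    stub = extract_stub(sample_jar, STUB_RESOURCE, STUB_KEY)
    print("decrypted stub is a class file:", is_class_file(stub))
```

Because RC4 is a stream cipher with no integrity check, a wrong key silently yields garbage; the 0xCAFEBABE magic check is the quickest way to confirm the recovered key before feeding the output to a decompiler.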
Finally, it launches the Adwind backdoor module, establishing an onion-routed C2 connection on predefined ports with encrypted authentication.
Persistence and Detection Evasion
SoupDealer's persistence relies on both the Windows Task Scheduler and registry modifications masquerading under benign names.
Upon gaining administrative privileges, it creates a scheduled task with a randomized name, invoking the Java loader daily with a startup delay.
Obfuscation operations (Source: Malwation)
Concurrently, it writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run using a REGEDIT-formatted .reg script.
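Since the Run-key persistence is dropped as a REGEDIT-formatted .reg script, a responder can triage such scripts (or a regedit export of the Run keys from a suspect host) without touching the live registry. The following is an added example, not code from the original write-up or from Malwation: it parses the string values of a .reg export and flags Run/RunOnce entries that launch a .jar through java or javaw. The sample .reg content, the value names and the file paths in it are constructed for this example and are not indicators from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample export: a benign-looking value name hiding a javaw -jar launcher
# next to a legitimate entry. Paths and names are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateHelper"="\"C:\\Users\\victim\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\victim\\AppData\\Roaming\\svc\\update.jar\""
'''

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with \" and \\ escapes inside either side; dword:/hex: values are ignored
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
JAVA_RE = re.compile(r"\bjavaw?(\.exe)?\b")


def _unescape(s: str) -> str:
    """.reg string syntax escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a REGEDIT4 / 5.00 export into {key: {name: value}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_java_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for Run/RunOnce entries that launch a .jar via java/javaw."""
    findings = []
    for key, values in parse_reg(text).items():
        if not any(key.lower().endswith(rk.lower()) for rk in RUN_KEYS):
            continue
        for name, cmd in values.items():
            low = cmd.lower()
            if JAVA_RE.search(low) and ".jar" in low:
                findings.append((key, name, cmd))
    return findings


if __name__ == "__main__":
    for key, name, cmd in find_java_autoruns(SAMPLE_REG):
        print(f"[!] {key}\\{name} -> {cmd}")
```

The value name is deliberately not used as a signal: the write-up's point is that SoupDealer hides under benign-looking names, so the detection keys on what the command actually runs (a Java runtime handed a .jar) rather than on what the entry is called. Expand-string (hex(2)) values are skipped by this parser; a full triage would decode those too.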
Python Decryption Script for d6RuwzOkGZM12DXi
```python
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Hardcoded key string from Loader7: SHA-512 digest truncated to 16 bytes (AES-128)
KEY = "875758066416"
key = hashlib.sha512(KEY.encode("utf-8")).digest()[:16]

with open("d6RuwzOkGZM12DXi", "rb") as f:
    ciphertext = f.read()
cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)
# Java's Cipher.getInstance("AES") defaults to PKCS5 padding; strip it if present
try:
    plaintext = unpad(plaintext, AES.block_size)
except ValueError:
    pass  # no valid padding: keep the raw decrypted bytes

with open("stage2.jar", "wb") as f:
    f.write(plaintext)
```
To evade heuristic detection, each stage incorporates junk operations and string encryption, stripping all nonessential code before execution.
The dynamic unpacking approach ensures that the code visible in memory bears no resemblance to static signatures, leaving traditional AV engines and sandbox detectors blind.
By combining multi-stage decryption, in-memory class loading, and conditional execution checks, SoupDealer exemplifies next-generation stealth malware that thrives in real-world environments.