
SoupDealer Malware Successfully Evades All Sandboxes, Antivirus Solutions, and EDR/XDR Systems in Real-World Scenarios

In early August 2025, cybersecurity teams in Türkiye identified a sophisticated Java-based loader, tracked as SoupDealer, which evaded detection by public sandboxes, antivirus solutions, and enterprise EDR/XDR platforms. The threat arrived through a phishing campaign that distributed a three-stage loader in files such as TEKLIFALINACAKURUNLER.jar. The initial .jar unpacks its real payload only after confirming that the victim's machine runs Windows with a Turkish locale and is located in Türkiye; a sandbox or analyst VM that fails either check sees nothing but an inert Java application, which is why the sample passed through public sandboxes clean. Once that verification succeeds, SoupDealer downloads Tor, schedules persistent tasks, and establishes a covert command-and-control (C2) channel over the Tor network. Malwation researchers observed that the campaign used custom class loaders to decrypt and load each subsequent payload entirely in memory, circumventing both static and dynamic analysis engines.

The first stage is a small Java class, Loader7, which AES-ECB-decrypts an embedded resource named d6RuwzOkGZM12DXi. The AES key is not stored as such: a simple hardcoded string is hashed with SHA-512 and the digest is truncated to the key length. Because that string ships inside the JAR, the derivation is fully reproducible, and an analyst who extracts it can unpack the next stage statically without running the sample. The decrypted output is a second JAR, stage2.jar, which in turn carries a matryoshka-style RC4-encrypted "stub" resource. The decrypted stub class overrides findClass in a custom class loader and defines the following classes directly from RC4-decrypted byte arrays, so the later stages never exist on disk as class files and leave no on-disk indicators for file-based scanning.

At runtime, SoupDealer checks for active security products and continues only when none are found; in live incidents this is how it sidesteps host-based antivirus rather than defeating it. It then downloads and runs Tor, confirming connectivity by requesting check.torproject.org over a localhost proxy; an outbound request to that host from a Java process is itself a usable detection signal. Finally, it launches the Adwind backdoor module, which establishes an onion-routed C2 connection on predefined ports with encrypted authentication. Persistence relies on Windows Task Scheduler and registry modifications disguised under benign names: a scheduled task with a random name re-invokes the Java loader daily.
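The decryption chain described above is easy to reproduce once the key string is extracted. The script below is an added example, not Malwation's tooling or SoupDealer's own code: it derives the AES key the way the article describes (SHA-512 of the hardcoded string, truncated), implements the RC4 layer used for the stub, verifies a decryption by checking for the Java class-file magic, and walks a JAR for the three indicators the text names (a class that references findClass/defineClass, an encryption-grade high-entropy resource, and a nested JAR). The key strings, entry names and class bytes are constructed placeholders; the real key, the AES key length, and the real archive layout are not given in the article, so the 16-byte truncation and the sample archive are assumptions. The AES-ECB layer itself is not reproduced here because that needs a crypto library; the constructed outer archive carries stage 2 as a plain nested entry purely to exercise the recursive walk.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class-file magic
ZIP_MAGIC = b"PK\x03\x04"           # JARs are ZIP archives
ENTROPY_THRESHOLD = 7.5             # bits/byte; encrypted blobs sit near 8.0


def derive_aes_key(hardcoded: str, key_len: int = 16) -> bytes:
    """SHA-512 of the hardcoded string, truncated, as described for Loader7.
    ASSUMPTION: the article does not give the length; 16 bytes (AES-128) here."""
    return hashlib.sha512(hardcoded.encode("utf-8")).digest()[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decrypt_stub(resource: bytes, key: bytes) -> bytes:
    """RC4-decrypt a stub resource and insist on the class-file magic: a wrong
    key yields noise rather than 0xCAFEBABE, so this doubles as a key check."""
    plain = rc4(key, resource)
    if not plain.startswith(CLASS_MAGIC):
        raise ValueError("RC4 key did not yield a class file")
    return plain


def triage_jar(blob: bytes, prefix: str = "") -> list:
    """Walk a JAR and report: classes naming defineClass/findClass (custom
    class loader), non-class entries with encryption-grade entropy, and
    nested JARs (matryoshka layout), which are walked recursively."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            name = prefix + info.filename
            if data.startswith(ZIP_MAGIC):
                findings.append(f"nested jar: {name}")
                findings.extend(triage_jar(data, name + "!/"))
            elif data.startswith(CLASS_MAGIC):
                # Names of methods a class calls sit as plain modified-UTF-8
                # strings in its constant pool, so a byte search suffices.
                if b"defineClass" in data or b"findClass" in data:
                    findings.append(f"custom classloader: {name}")
            elif shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy resource: {name}")
    return findings


# ---- constructed sample: NOT the real SoupDealer artefacts -----------------
STUB_KEY = b"placeholder-rc4-key"   # the real key is not given in the article
# Fake class bytes: magic, version words, a name, then a long zero run so the
# RC4 output is long enough to register as high entropy. Not JVM-loadable.
FAKE_STUB_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"Stub" + b"\x00" * 4096
FAKE_LOADER_CLASS = (CLASS_MAGIC + b"\x00\x00\x00\x34"
                     + b"java/lang/ClassLoader" + b"findClass" + b"defineClass")


def build_sample_stage2() -> bytes:
    """A stage2.jar-like archive: one loader class plus an RC4-encrypted stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Loader.class", FAKE_LOADER_CLASS)
        zf.writestr("stub", rc4(STUB_KEY, FAKE_STUB_CLASS))
    return buf.getvalue()


def build_sample_outer() -> bytes:
    """Outer archive carrying stage 2 as a plain nested entry (in the real
    sample that layer is AES-ECB encrypted and must be decrypted first)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("inner.jar", build_sample_stage2())
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_jar(build_sample_outer()):
        print(finding)
    with zipfile.ZipFile(io.BytesIO(build_sample_stage2())) as zf:
        print("stub magic:", decrypt_stub(zf.read("stub"), STUB_KEY)[:4].hex())
    print("AES key from placeholder string:", derive_aes_key("placeholder").hex())
```

On a real sample, replace the placeholder key with the string recovered from Loader7, feed the resource bytes to the AES-ECB step with a crypto library of your choice, and then run triage_jar over the result; the class-magic check in decrypt_stub is the cheap way to confirm the key and truncation length are right before spending time on the decompiled output.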

Categories: Cybersecurity Threats, Malware Analysis, Evasion Techniques 

Tags: Java, Loader, SoupDealer, Phishing, Tor, C2 Channel, Decryption, Obfuscation, Persistence, Evasion 
