SoupDealer Trojan
SoupDealer is a sophisticated, Java-based malware loader that operates in three distinct stages. Designed to bypass traditional antivirus and sandbox solutions, it primarily targets Windows systems in Turkey but can be configured to strike elsewhere. Once established, it grants attackers remote access to compromised machines, making it a dangerous tool for cybercriminals.
Multi-Stage Infection Process
The infection begins with a Java file deliberately scrambled with junk code to hinder security tools from decompiling it. Hidden within is encrypted code that, once executed, triggers the next stage of the loader. Each subsequent stage is also encrypted and decrypted only when executed in memory.
By the third stage, the full SoupDealer payload is active. Before running, it checks for key conditions: the system must be Windows-based, have sufficient resources, reside in Turkey (or another targeted region), and lack robust antivirus protection. If these criteria are met, the malware ensures persistence by adding scheduled tasks and installing TOR, which it uses to communicate with its hidden control servers.
Remote Control and Capabilities
Once connected to its command-and-control infrastructure, SoupDealer activates Adwind, providing it with a server address, credentials, and ports for communication. From this point forward, the attackers have full remote access to the victim's computer.
The range of actions SoupDealer can execute is broad: attackers can display pop-ups or images on the victim's screen, capture screenshots, open websites, initiate DDoS attacks, manage files (browse, upload, download), execute arbitrary commands, or manipulate system functions such as restarting, shutting down, or uninstalling the malware itself.
Additionally, SoupDealer can spread laterally within local networks by copying itself to shared folders, disabling Windows Defender by adding exclusions, escalating privileges by rerunning with admin rights, and downloading and executing new malicious JAR files. This versatility makes it particularly resilient and dangerous.
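The persistence and evasion traits described in the two paragraphs above (a scheduled task that relaunches a JAR, a Tor client being started, and Windows Defender exclusions being added) can be hunted for in Windows event logs. The following is an added example, not code from the original write-up or from any vendor: the event IDs are real Windows IDs, but the log field layout, host names and regular expressions are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int   # Windows event ID (Security log or Defender operational log)
    detail: str     # free-text body of the event; the layout used below is an assumption


# Real Windows event IDs: 4688 process created, 4698 scheduled task created,
# 5007 Microsoft Defender configuration changed.
PROCESS_CREATED, TASK_CREATED, DEFENDER_CHANGED = 4688, 4698, 5007

# One heuristic per behaviour the write-up attributes to SoupDealer (patterns are assumptions).
TRAITS = {
    TASK_CREATED:     ("jar_persistence",    re.compile(r"javaw?\.exe.*-jar\s+\S+\.jar", re.I)),
    DEFENDER_CHANGED: ("defender_exclusion", re.compile(r"Windows Defender\\Exclusions\\", re.I)),
    PROCESS_CREATED:  ("tor_client",         re.compile(r"\\tor\.exe\b", re.I)),
}


def traits_per_host(events):
    """Map each host to the set of SoupDealer-style behaviours seen in its events."""
    seen = defaultdict(set)
    for ev in events:
        trait = TRAITS.get(ev.event_id)
        if trait and trait[1].search(ev.detail):
            seen[ev.host].add(trait[0])
    return dict(seen)


def flag_hosts(events, min_traits=2):
    """Hosts showing at least `min_traits` distinct behaviours, most suspicious first.

    A single Java scheduled task is common in healthy environments; the chain of
    task + exclusion + Tor is what the write-up describes, so correlation cuts noise.
    """
    per_host = traits_per_host(events)
    return sorted((h for h, t in per_host.items() if len(t) >= min_traits),
                  key=lambda h: (-len(per_host[h]), h))


# Constructed sample events: the full chain on ws-01, a benign CI task on ws-02, nothing on ws-03.
SAMPLE_EVENTS = [
    Event("ws-01", TASK_CREATED, r'Task: \Updater  Command: "C:\Program Files\Java\bin\javaw.exe" -jar C:\Users\a\AppData\Roaming\upd.jar'),
    Event("ws-01", DEFENDER_CHANGED, r'New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\a\AppData\Roaming = 0x0'),
    Event("ws-01", PROCESS_CREATED, r'New Process Name: C:\Users\a\AppData\Roaming\tor\tor.exe'),
    Event("ws-02", TASK_CREATED, r'Task: \BuildNightly  Command: C:\tools\jdk\bin\java.exe -jar C:\ci\runner.jar'),
    Event("ws-03", PROCESS_CREATED, r'New Process Name: C:\Windows\System32\svchost.exe'),
]

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_EVENTS):
        print(host, sorted(traits_per_host(SAMPLE_EVENTS)[host]))
```

In a real deployment the `Event` records would be produced by the SIEM or log forwarder, and the `detail` regexes adjusted to that product's field names.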
Methods of Propagation
SoupDealer is commonly distributed through phishing emails carrying malicious attachments, such as files disguised under names like 'TEKLIFALINACAKURUNLER.jar'. Opening such a file initiates the infection chain.
Beyond phishing, the malware can spread through pirated software, fraudulent tech support scams, and exploitation of unpatched vulnerabilities. Cybercriminals also leverage malicious advertisements, compromised websites, peer-to-peer networks, third-party downloaders, and even infected USB drives to propagate this threat.
Defense and Prevention Measures
Preventing an infection requires a combination of vigilance and strong security practices:
- Never open unsolicited attachments or click on suspicious links in emails or messages from unknown senders.
- Only download software and files from official websites or trusted app stores.
- Keep operating systems, browsers, and all applications regularly updated to close known security gaps.
- Avoid interacting with ads, pop-ups, or elements on questionable websites, and deny notification requests from untrusted pages.
- Deploy reliable security software to detect and block threats before they can take hold.
Final Thoughts
SoupDealer is a highly adaptable malware strain that uses advanced evasion techniques, encrypted multi-stage loading, and hidden communication channels to gain persistent control over compromised systems. Its ability to spread, disable security tools, and execute a wide range of commands makes it a severe cybersecurity risk that users and organizations must proactively defend against.