ISTANBUL, TURKIYE– Cybersecurity experts have uncovered a new and highly sophisticated Java-based malware, dubbed “SoupDealer,” that is capable of bypassing standard security measures with alarming ease. The threat, which surfaces through targeted phishing campaigns, employs a series of cunning tricks to hide its true purpose, making it a formidable challenge for even the most advanced security platforms.
A Deceptive Phishing Campaign
In early August 2025, cybersecurity teams in Türkiye began to notice a new threat. This malware, codenamed SoupDealer, was being spread through a phishing campaign. The initial attack uses a deceptive .jar file that looks harmless. The program, however, is a clever loader that doesn’t reveal its true nature right away. Instead, it first checks if the victim’s computer is running Windows in the Turkish language and is located within Türkiye. This specific targeting allows it to avoid detection by most security sandboxes and analysts, who often operate in different environments.
The Multi-Stage Stealth Operation
SoupDealer is not a simple virus; it’s a multi-layered attack. Once the initial check is complete, the program begins a three-stage loading process. It uses special, custom-built code to decrypt and load its payloads directly into the computer’s memory. This is a crucial step that helps it avoid being seen by traditional antivirus software, which typically scans for files on the hard drive. Researchers found that each stage of the malware adds a new layer of complexity, making it extremely difficult to track and analyze.
Bypassing Security and Gaining Persistence
One of the most concerning aspects of SoupDealer is its ability to actively bypass security products. The malware is designed to check for and evade host-based antivirus solutions before it fully executes. It also takes steps to ensure it remains on the infected computer. The program creates a scheduled task with a random name, so it can run every day with a small delay. It also makes changes to the Windows registry, using common-looking names to hide its presence. This persistence mechanism ensures that even if the computer is restarted, the malware will continue to operate.
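As an added illustration of how a defender might hunt for the persistence pattern described above (a randomly named scheduled task that runs daily and starts a Java loader), here is example triage logic that is not from the report or from the malware itself; the task records, the javaw/AppData paths and the name-randomness heuristic are constructed assumptions, not indicators taken from the campaign.

```python
import math
import re
from collections import Counter

# Constructed sample: scheduled-task records as a host-triage export might list them
# (name, trigger, command line). None of these values come from the SoupDealer report.
SAMPLE_TASKS = [
    {"name": "MicrosoftEdgeUpdateTaskMachineUA", "trigger": "daily",
     "command": r"C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua"},
    {"name": "qzkxvjprtwmb", "trigger": "daily",
     "command": r"C:\Users\u\AppData\Roaming\jre\bin\javaw.exe -jar C:\Users\u\AppData\Roaming\zxq\stage.jar"},
    {"name": "OneDrive Standalone Update Task", "trigger": "daily",
     "command": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"name": "Backup", "trigger": "weekly",
     "command": r"C:\Windows\System32\wbadmin.exe start backup"},
]

# A Java runtime launching a .jar file (assumed pattern for a Java-based loader).
JAVA_LAUNCH = re.compile(r"\b(java|javaw)(\.exe)?\b.*\.jar\b", re.IGNORECASE)

def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts, n = Counter(s), len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def looks_random(name):
    """Heuristic (assumption): generated names are alphanumeric, fairly long,
    high-entropy and vowel-poor, unlike vendor task names built from real words."""
    compact = name.replace(" ", "")
    if len(compact) < 8 or not compact.isalnum():
        return False
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in compact) / len(compact)
    return shannon_entropy(compact) > 3.0 and vowel_ratio < 0.25

def score_task(task):
    """Return the list of reasons a single task record looks like the described pattern."""
    reasons = []
    if looks_random(task["name"]):
        reasons.append("random-looking task name")
    if task["trigger"] == "daily":
        reasons.append("daily trigger")
    if JAVA_LAUNCH.search(task["command"]):
        reasons.append("launches a .jar via the Java runtime")
    if "appdata" in task["command"].lower():
        reasons.append("runs from a user-writable AppData path")
    return reasons

def suspicious_tasks(tasks, min_hits=3):
    """Tasks that match at least min_hits of the heuristics, with their reasons."""
    hits = []
    for task in tasks:
        reasons = score_task(task)
        if len(reasons) >= min_hits:
            hits.append((task["name"], reasons))
    return hits
```

Legitimate updaters also use daily triggers, so the score combines several weak signals; any hit still needs the .jar itself pulled and examined before acting on it.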
The Covert Network and Final Payload
After successfully establishing a foothold on the system, SoupDealer takes another step to stay hidden. It downloads Tor and uses it to create a covert command-and-control (C2) channel. This “onion-routed” connection encrypts its communications, making it nearly impossible for security teams to monitor its activities or trace its origin. The final stage of the attack is the launch of the ‘Adwind backdoor module’, a well-known tool that gives attackers full control over the infected machine. This allows the cybercriminals to spy on the victim, steal information, or use the computer for other malicious activities.