
SoupDealer Malware Evades Sandboxes, AVs, and EDR/XDR in Real-World Attacks


The SoupDealer malware has bypassed nearly all public sandboxes and antivirus products, with Threat.Zone reported as the one exception, and has also evaded endpoint detection and response (EDR) and extended detection and response (XDR) systems in documented real-world incidents.

The threat has caused significant damage across several sectors, including banks, internet service providers (ISPs), and mid-sized organizations. Two lessons follow for defenders of critical infrastructure: an on-premises sandbox that mirrors the environment actually being protected is worth more than a generic public one, and security operations center (SOC) teams need genuine dynamic analysis (detonating the sample and observing its behaviour), not static scanning alone.

Sophisticated Phishing Campaign

Recent investigations by cybersecurity researchers have uncovered a targeted phishing campaign aimed at Windows systems in Türkiye, specifically machines whose system language is set to Turkish. This language gating gives the malware a narrow geographic focus and lets it blend into localized environments; it also means that an analysis machine must present a Turkish locale to observe the same behaviour the victims saw.

The campaign delivers SoupDealer through deceptive emails carrying a three-stage loader packaged as a Java archive (JAR) and disguised as a quotation or price-list attachment, with names such as "TEKLIFALINACAKURUNLER.jar" (Turkish for "products to be quoted") or "FIYATTEKLIFI.JAR" ("price quotation"). Note the mixed-case extension: any attachment filter that matches ".jar" case-sensitively misses the second lure.
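The delivery method above lends itself to a simple mail-gateway triage check. The following is an added example, not code from the article or from the SoupDealer operators: it scores attachments on a case-insensitive JAR extension, on the two lure-name tokens taken from the filenames the article cites ("TEKLIF" and "FIYAT"), and on whether the content is actually an executable JAR (a zip whose manifest declares a Main-Class), so a runnable JAR renamed to hide its type is still caught. The sample attachments are constructed in memory; they are not real samples.

```python
"""Triage e-mail attachments for executable JAR lures.

Added example, not code from the article or from the malware authors.
All sample attachments below are constructed in memory for illustration.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Lure-name fragments taken from the two filenames cited in the article
# ("TEKLIF" = quotation, "FIYAT" = price). Short tokens like these will
# also match legitimate Turkish business mail, so they only raise "review".
LURE_TOKENS = ("TEKLIF", "FIYAT")


def is_executable_jar(data: bytes) -> bool:
    """True if `data` is a zip whose manifest declares a Main-Class,
    i.e. something `java -jar` will run directly. A plain zip, or a JAR
    that is only a library (no Main-Class), returns False."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return False
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    return re.search(r"^Main-Class:\s*\S+", manifest, re.MULTILINE) is not None


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Score one attachment. The reasons are returned so an analyst can
    see why a message was flagged rather than just a verdict."""
    reasons: List[str] = []
    upper = filename.upper()
    # Case-insensitive: the article shows both ".jar" and ".JAR".
    if upper.endswith(".JAR"):
        reasons.append("jar-extension")
    if any(tok in upper for tok in LURE_TOKENS):
        reasons.append("turkish-quote-lure-name")
    if is_executable_jar(data):
        reasons.append("executable-jar-manifest")
    # Content is a runnable JAR but the extension says otherwise.
    if "executable-jar-manifest" in reasons and "jar-extension" not in reasons:
        reasons.append("extension-mismatch")
    if "executable-jar-manifest" in reasons:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def make_jar(main_class: Optional[str], extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a minimal JAR in memory (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"]
        if main_class:
            lines.append(f"Main-Class: {main_class}")
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, body in (extra or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments: the first two names come from the article,
# every payload and the remaining names are invented for this example.
SAMPLES: List[Tuple[str, bytes]] = [
    ("TEKLIFALINACAKURUNLER.jar", make_jar("loader.Stage1", {"loader/Stage1.class": b"\xca\xfe\xba\xbe"})),
    ("FIYATTEKLIFI.JAR", make_jar("a.b.C")),
    ("fiyat_listesi.pdf", b"%PDF-1.7\n..."),   # benign PDF with a lure-like name
    ("report.zip", make_jar(None)),            # zip with manifest but no Main-Class
    ("invoice.doc", make_jar("x.Y")),          # runnable JAR hiding behind .doc
]


def triage_all(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Dict[str, object]]:
    return [triage_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:6} {r['filename']:28} {', '.join(r['reasons'])}")
```

The manifest check is the part worth keeping even if the lure tokens go stale: a gateway that only matches on extension passes "invoice.doc", while a gateway that only matches on names passes the next campaign's filenames. Checking the archive for a Main-Class costs one zip parse and catches both.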

File Info

Upon execution, the malware employs sophisticated ...


Copyright of this story solely belongs to gbhackers. The full text is available from the original source.