Summary
On the opening day of a NATO summit, an employee at one of our SOC customers received a harmless-looking "price quote." There was no attachment; the email body carried a Google Drive download link. The .jar at the end of that link turned out to be a full-featured remote access trojan (RAT) that, after three layers of decryption, connects to live command-and-control (C2) infrastructure.
As the Netlore Security Threat Research team, we cracked the sample end-to-end without ever executing it, in a fully isolated lab with all network access severed, and extracted the live C2 configuration of this variant ourselves. The resulting chain was the SoupDealer loader — known to target Turkey and notorious for slipping past most public sandbox/antivirus solutions — and the Adwind RAT it carries. More importantly, this sample represents a variant of the campaign not yet documented in public sources: it uses direct clearnet C2 instead of Tor, and carries a destructive module capable of rendering a machine unbootable on command.
| Field | Value |
|---|---|
| Date | July 6, 2026 |
| Family | SoupDealer → Adwind (jRAT / AlienSpy) |
| Version | 7.4.2.0.F.6 |
| Platform | Java / JAR |
| Target | Turkey |
| Vector | Phishing email → Google Drive download link (.jar) |
| Severity | Critical — C2 active |
| TLP | CLEAR |
Why is there an image at the top of this article?
The cover image of this article is not a design choice; it came straight out of the malware. This 1 MB picture, named lady_in_red-wallpaper-2560x1440.jpg, ships embedded inside the Adwind payload and serves two purposes at once.
The first is technical and mundane: padding that inflates the file size to slip past certain sandbox size limits and heuristic scans. The second is far more critical. Adwind's wallpaper-changing module sets this image as the victim's desktop wallpaper after a successful infection — a kind of signature, much like ransomware painting its ransom note on screen.
If you see this image on a device's desktop, that machine has most likely already been compromised. So this picture is not ordinary padding; it is the visible sign of infection. Finding a file matching SHA256
54a795ea…on a corporate device is, on its own, sufficient reason to launch an incident response.
Context: a low-profile lure on a busy day
Attackers love noise. The odds of a malicious message slipping through unnoticed rise on the busy days when organizations are distracted and email traffic surges. This sample landed on exactly such a day: as a NATO summit began — with geopolitical headlines and corporate communication traffic peaking — a procurement-themed phishing email dropped into an employee's inbox at our customer.
There was no classic ".jar in the attachment" here — because corporate email gateways already block such attachments. Instead the malicious file had been moved to Google Drive, leaving only a download link in the mail. The name of the file at the end of that link was a classic social-engineering trap: "06.07.2026 PRICE QUOTE — EXPECTED PRODUCTS" — the kind of subject that purchasing and accounting teams open by reflex.
The tone of the email completed the picture. Sent under a Turkish business persona ("Doğan AKTAŞ"), the subject line was crafted to look like a natural reply within an ongoing procurement thread: "Hello, good work — could you share the discount rates for the parts in the file along with the delivery time." This request — no urgency, naturally grafted onto an existing order conversation — is the signature of thread-hijacking attacks.
The attachment was analyzed without ever being genuinely executed, in a fully isolated, network-severed lab.
| Metric | Value |
|---|---|
| Nested decryption layers | 3 |
| Embedded payload entropy | 7.99 / 8.0 (fully encrypted) |
| Commercial obfuscator | Stringer + Allatori |
| Stage-3 RAT class / command modules | 65+ |
| VirusTotal first-day detection | only 1 of 64 engines flagged it |
Delivery chain: from phishing email to Google Drive
The sample reached the inbox not as a direct attachment but via a download link on Google Drive. In environments where corporate email gateways block .jar attachments, this is a deliberate choice: the malicious file is never carried inside the mail — the mail only carries a link pointing to a trusted cloud.
By examining the original phishing email (.msg), we reconstructed the entire delivery chain:
| Field | Value |
|---|---|
| Sender | [email protected] — display name "Doğan AKTAŞ" |
| Subject | "…could you share the discount rates along with the delivery time." |
| Download link | drive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr |
| Sending infrastructure | Yandex Mail (178.154.239.95 — AS200350 Yandex.Cloud, RU) |
| Authentication | SPF: none · DKIM: none · DMARC: none · compauth=fail |
| Microsoft filter verdict | SCL:1 · SFV:NSPM (Not Spam) — delivered |
| Targeting signal | LANG:tr (Turkish) · CTRY:RU (connecting IP country) |
An ironic detail: the organization's own security banner sat at the very top of the mail — "This email was sent from outside the organization. Please only open links and files from sources you trust." — and right below that line, the Google Drive link. The attacker exploits the "trusted source" perception by using Google's own domain.
Authentication failed completely — yet it was still delivered. For
8zonetime.com, SPF, DKIM and DMARC are all absent (compauth=fail). Despite this, the mail landed in the recipient's inbox without being marked as spam (SFV:NSPM), thanks to Yandex's sending reputation. This is a textbook example of how mail filters that trust IP reputation alone let through a sender with no authentication at all. Recommendation: enforce DMARC alignment (p=quarantine/reject); quarantineFromfields that fail authentication.
Why these domains? A camouflage analysis
The campaign uses three different domains, each chosen to exploit a different layer of trust:
drive.google.com— payload hosting. The malicious JAR is served over TLS from Google's CDN. It appears on no URL reputation/blocklist and is blocked by no category filter. On VirusTotal, this specific download URL is a fresh and unknown link.gocebekuslar.store— C2. A Turkish phrase meaning "nomadic birds." Unlike a random-character C2 domain, it looks organic and harmless in Turkish victims' network traffic and raises no alarm to an analyst's eye. The.storeTLD is cheap and lightly policed; moreover, some reputation services classify this domain as "shopping" — meaning many corporate web proxies allow it under category-based filtering. Registered via Namecheap on March 26, 2026, roughly 3.5 months before the campaign: aged just enough to escape the "newly registered domain" penalty, yet still fresh.8zonetime.com— sender. A domain whose registration history goes back to 2019, expired/abandoned and now re-taken; currently forwarded to Yandex Mail (RU infrastructure) with no valid SPF/DKIM record. The profile of a domain re-acquired to borrow its old reputation and dodge alignment checks.
Attack chain: JAR inside JAR inside RAT
The sample is designed as a loader that does one thing: each layer decrypts the next in memory and runs it without ever touching disk. This is a deliberate design to defeat signature-based detection and automated sandboxes.
Stage 01 — Loader Stage 02 — Dropper Stage 03 — Payload
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ Stringer Loader │ │ Start + stub │ │ Adwind RAT │
│ main-class: a │─AES─▶│ main-class: Start │─RC4─▶│ main-class:Principal│
│ decrypts 962 → JAR │ │ stub → Adwind JAR │ │ connects to live C2 │
│ (custom ClassLoader)│ │ + decoy image │ │ (Allatori-protected)│
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
Stage 1: Stringer-protected loader
The JAR's manifest gives away its intent at first glance. A legitimate "price quote" attachment does not ship with an aggressive code-protection layer like Stringer:
# META-INF/MANIFEST.MF
# Commercial obfuscator fingerprint (Licel — licelus.com)
Protected-By: 9.0.9 Stringer (20180205)
Protected-Notice: AV contact email - [email protected]
Main-Class: a
Classes are reduced to single-letter names (a, n, u, o), all method calls go through an integer-hash reflection proxy, and every string is encrypted with an AES-based scheme locked to the calling method's stack trace. This is a strong anti-analysis mechanism built to break static analysis. The main class a extends Java's ClassLoader and decrypts the embedded 962 resource with javax.crypto.Cipher.
Signal of a second stage. The
962file is a fully random block of 1,102,656 bytes with entropy 7.9998/8.0. That value is a sure sign the data is either strongly encrypted or compressed — the last thing you'd expect from a "product list."
To break the string encryption, we ran Stringer v9's decryptor routine on an emulator and revealed 2,460 encrypted strings. After that, the loader's real job became visible: 962 → AES → a JAR archive.
Stage 2: dropper, decoy image and RC4
The decrypted 962 archive reveals a classic dropper architecture. One of its four components is the wallpaper image we described at the top of the article:
# 962 (AES-decrypted) → JAR contents
198 META-INF/MANIFEST.MF # Main-Class: Start
134901 stub # RC4-encrypted Adwind (stage-3)
40519 Start.class # stage-2 loader
946248 lady_in_red-wallpaper-2560x1440.jpg # size padding + infection wallpaper
The stage-2 class Start is itself a custom ClassLoader. It RC4-decrypts the stub resource to reveal the actual payload — an Adwind JAR — and again loads it into memory. The image, meanwhile, is the only tangible file that hits disk, and it will appear on the desktop once infection completes.
Stage 3: Adwind RAT v7.4.2.0.F.6
The JAR that emerges after RC4 decryption does not hide its identity. Spanish package and class names (opciones = options, Archivo = file, Borrar = delete, Instalador = installer), security-software killers like extra/secure/AntiKill, and a Tor/ package — all the undisputed signature of the Adwind / jRAT / AlienSpy family. The manifest says Main-Class: Principal; the configuration was waiting behind Allatori string encryption.
After peeling the Allatori layer, the RAT's operator-compiled configuration appeared in full in the config/ConfigSet class — the most valuable output of this analysis:
// config/ConfigSet.class — deobfuscated
static {
SOURCE_VERSION = "7.4.2.0.F.6";
ENCVERUPGKEYGEN = "GEN.2.1.3";
CONNECT_DNS = "gocebekuslar.store"; // C2 — control
TOR_UPLOAD_DNS = "gocebekuslar.store"; // C2 — upload
PASSWORD = "04d3978c339e5601d4eb7411946b691c746a6438";
PREFIX = "SPAM";
STARTUP_TYPE = "REGEDIT"; // registry persistence
STARTUP_DELAY = 60L;
}
// PORT_1 = 10820 (DNS/control) PORT_2 = 35744 (upload)
Live C2 configuration
| Key | Value |
|---|---|
| CONNECT_DNS | gocebekuslar.store → 93.185.166.150 |
| Control port | 10820 / TCP |
| Upload port | 35744 / TCP |
| Password | 04d3978c339e5601d4eb7411946b691c746a6438 |
| Prefix | SPAM |
| Persistence | REGEDIT (Run key) + 60 s delay |
| Geo-filter | freeipapi.com · ipinfo.io |
This variant does not use Tor: direct clearnet C2
Every public SoupDealer report (August 2025) describes Tor-routed C2 over .onion and ports 49152/49153. This sample is different. In config/ConfigSet, TOR = false; the Tor/TorDinamicLink class is merely a helper that downloads Tor Browser via dist.torproject.org. The actual connection is made directly over clearnet to the gocebekuslar.store domain on ports 10820 and 35744; the .onion field is never populated in this build (ONION NOT FOUND).
This is exactly where cracking our own sample was decisive. This variant's ports and clearnet C2 domain differ from the campaign's public reference samples; copying IOCs from other reports would have been misleading. We could obtain the live C2 only by cracking this sample ourselves. The shared password hash and the SPAM prefix, meanwhile, point to the same actor — making this a fresh indicator not yet documented in public sources.
Capabilities
Adwind is a cross-platform RAT with a modular command architecture. The class inventory in this sample reveals the following capabilities:
- Surveillance:
OrdenCaptura(screenshot),SendTumbnail,WebBot/Informacion(system recon) - File operations:
LocalFileUpload/Download,Archivo · Copiar · Borrar,BuscarArchivos(file search) - Command & control:
Signal · Opcion1–9,WinRegistry · Update,Downloader · Instalador - Evasion / defense destruction:
AntiKill(44 KB) ·WinKill,SecTools(security-tool termination), hiddenPowerShell -EncodedCommand - Persistence:
StartUp— Registry Run (REGEDIT),schtasksscheduled task, 60 s delayed trigger - Anti-analysis / geo:
GetIP(geo-filter, TR only),ping localhost -n 7(delay), TOR download and wallpaper change
Destructive and self-protecting modules
Adwind is most often described as an infostealer / remote access tool. But two modules in this sample show impact and resilience capacity beyond what is expected of it.
WinKill — destructive module
The RAT can render a machine unusable on command. extra/secure/WinKill targets and deletes or corrupts critical boot files:
\bootmgr
\System32\winload.exe
\System32\Drivers\pci.sys
Corrupting these files prevents the system from booting. The module can be used as a destruction/sabotage command or an anti-forensic "clean up after yourself" step — a serious destructive (impact) capability well beyond what an infostealer implies.
AntiKill — self-protection and UAC escalation
extra/secure/AntiKill works like a watchdog: it continuously compares the running JAR against the installed JAR and restarts itself when needed. It does so using a UTF-16LE Base64-encoded, hidden-window PowerShell call, and requests UAC elevation:
powershell.exe -nop -noni -win h -enc <base64>
└─ Start-Process -FilePath "<javaw>" -ArgumentList '-jar','"<jar>"' -win h -Verb RunAs
The -Verb RunAs flag requests a restart with administrator rights; when the user approves the UAC prompt, the RAT continues running with elevated privileges.
Persistence, geo-fencing and the dropped-file pattern
Persistence is achieved two ways:
- Registry Run: a randomly named value is written under
Software\Microsoft\Windows\CurrentVersion\Run. - Scheduled task:
schtasks /Create /TR "<javaw -jar ...>" /SC ONLOGON /TN <random>— triggered at logon. TheSTARTUP_TYPE=REGEDITconfig value determines which method is chosen.
Geo-fencing and delay: extra/GetIP resolves the victim's IP via freeipapi.com and ipinfo.io, filtering the malware to run only in the target geography (Turkey); it excludes private and loopback addresses. It also applies an artificial ~7-second delay via cmd.exe /c ping localhost -n 7 to slip past automated sandboxes.
Dropped-file pattern: all file, folder and key names are generated randomly per infection (Utils.RANDOM, 6–32 characters). There is therefore no fixed-filename IOC; but the pattern is a strong threat-hunting signal:
| Artifact | Pattern |
|---|---|
| Main JAR / loader | %APPDATA%\<random 6–32> (jar + lock file) |
| Tor download | <random 8–32>.exe |
| Wallpaper | <random 8–32>.bmp |
| Note / marker files | <random 6–32>.txt |
| Persistence | Run key or ONLOGON task, randomly named |
Hunting summary.
javaw.exerunning from%APPDATA%, dropping randomly named.exe/.bmp/.txtfiles, writing a Run key or ONLOGON task, and spawning hidden-encPowerShell — seen together, this chain is a high-confidence detection signal.
MITRE ATT&CK mapping
| Tactic | Technique | Observation |
|---|---|---|
| Initial Access | T1566.002 Spearphishing Link | Google Drive download link in a "price quote" mail |
| Resource Development | T1608.001 Stage Capabilities: Upload Malware | Payload uploaded to Google Drive |
| Command & Control | T1102 Web Service | Trusted cloud (Google Drive) abused for distribution |
| Execution | T1059.001 PowerShell | Hidden -enc PowerShell |
| Execution | T1204.002 Malicious File | User opening the JAR |
| Defense Evasion | T1027 Obfuscated/Encrypted | Stringer v9 + Allatori + AES/RC4 layers |
| Defense Evasion | T1140 Deobfuscate/Decode | 3-stage in-memory decryption |
| Defense Evasion | T1497 Virtualization/Sandbox Evasion | Geo-fence + ping delay |
| Defense Evasion | T1562.001 Impair Defenses | AntiKill / SecTools / WinKill |
| Persistence | T1547.001 Registry Run Key | CurrentVersion\Run |
| Persistence | T1053.005 Scheduled Task | schtasks /SC ONLOGON |
| Privilege Escalation | T1548.002 Bypass UAC | PowerShell -Verb RunAs |
| Discovery | T1614.001 System Location Discovery | freeipapi.com / ipinfo.io |
| Collection | T1113 Screen Capture | OrdenCaptura / SendTumbnail |
| Command & Control | T1219 Remote Access Software | Adwind RAT |
| Command & Control | T1571 Non-Standard Port | TCP 10820 / 35744 |
| Impact | T1485 / T1561 Data/Disk Destruction | WinKill boot-file destruction |
Infrastructure: OSINT pivot
Starting from the C2 domain, we mapped out the hosting infrastructure:
| Indicator | Finding |
|---|---|
| C2 IP | 93.185.166.150 (93.185.166.0/23) |
| Hosting / ASN | AlexHost Srl · AS200019 — Moldova-based, abuse-tolerant offshore hosting |
| C2 domain registration | Namecheap, registered March 26, 2026 (~3.5 months before the campaign); NS/MX: *.registrar-servers.com |
| C2 domain category | "shopping" in some reputation services, "Suspicious" in others — camouflage that bypasses category filtering |
| Sender domain | 8zonetime.com — registered 2019, re-taken; now Yandex Mail (RU), no valid SPF/DKIM |
| Payload hosting | drive.google.com (Google Drive direct-download) — trusted-cloud abuse |
| Co-hosted on same IP (pivot) | labuba2.farted.net (dynamic DNS — likely actor infrastructure) |
| Campaign context | SoupDealer — Turkey-focused, active since August 2025; this variant is new with clearnet C2 |
All the C2 domain's NS/MX records point to Namecheap's default forwarding infrastructure — the profile of a cheap, disposable phishing domain. The absence of a TLS certificate (crt.sh empty) is consistent with the C2 using a raw TCP socket protocol rather than HTTPS. Hosting the C2 IP at an abuse-tolerant, offshore provider like AlexHost (AS200019) is a deliberate choice that prioritizes takedown resistance.
An almost-invisible variant: VirusTotal telemetry
The most concrete evidence of how fresh this variant is comes from public multi-engine scanning. The main JAR (SHA256 e4d40008…) was first submitted to VirusTotal on July 6, 2026, 11:45 UTC — the day the mail arrived.
| VT metric | Value |
|---|---|
| First seen | July 6, 2026, 11:45 UTC |
| Engines flagging malicious | 1 / 64 — only NANO-Antivirus (Exploit.Zip.Heuristic-java.csrvpr, static ZIP heuristic) |
| Dynamic sandbox | Zenbox + Zenbox Linux → "CLEAN" (97–98% confidence) |
| VT behavioral network IOC | None — the sandbox never triggered the C2 (evasion) |
| Notable behavior tags | sets-process-name, detect-debug-environment, long-sleeps |
Two findings are especially striking. On the static side, only one of 64 engines caught it, and only via a heuristic ZIP rule; no engine named the sample "Adwind" or "SoupDealer" — meaning signature-based detection is effectively zero. On the dynamic side, VT's sandboxes declared the sample clean, because the geo-fence and long-sleeps delays ended the analysis before triggering real behavior. That is why VT holds no "contacted domain/IP" relationship for the sample — we could surface the live C2 only through our own controlled extraction.
Detection rates change over time; this number will rise as engines add signatures. The real indicator here is less the instantaneous ratio than the fact that, on the day it was first seen, it circulated with near-zero detection and a generic label — a short but real zero-day-like window. Do not rely on signatures/AV; behavioral EDR and network detection take priority.
Methodology: extracting the live config without ever running the payload
The key to defeating this kind of multi-layered, stack-trace-locked obfuscation is not to detonate the sample, but to run its decryptor routines in a controlled way and catch the payload at the exact moment it is born. The safe extraction method the Netlore Threat Research team followed was:
- String decryption in an emulator. Without ever touching a real OS, the Stringer v9 (2,460 strings) and Allatori (1,095 strings) layers were decrypted inside an emulator.
- In-memory capture instrumentation. A custom Java agent hooked
ClassLoader.defineClass,ByteArrayInputStreamand configuration-map calls; each stage's decrypted bytes were taken to disk at exactly that point. - A physically network-severed sandbox. The entire chain ran inside an isolated namespace with no network access — not a single packet could leave.
- Halting before payload init. The static initializer (
<clinit>) of the real malicious classes never ran; the process was terminated the instant the decrypted bytes were captured.
The result: without any execution risk, the live and verified command-and-control infrastructure of this specific variant of the campaign.
Detection and response recommendations
- Block: block
gocebekuslar.storeand93.185.166.150at the DNS and firewall layers; monitor and stop outbound TCP 10820 and 35744 traffic. - Mail layer: block the sender domain
8zonetime.comand[email protected]; enforce DMARC alignment (p=quarantine/reject) and flag senders with missing SPF/DKIM (compauth=fail). Trusted cloud domains like Google Drive must not be treated as a "whitelist"; apply CDR/sandbox based on the downloaded file type. - Quarantine: block the sample SHA256 in EDR/AV; quarantine
.jarattachments at the mail gateway by default and.jar/.jnlp/.jsfiles pulled from cloud-sharing links. - Threat hunting:
javaw.exeoutbound connections,freeipapi.com/ipinfo.iolookups, hidden PowerShell-EncodedCommandcalls, new Registry Run keys andschtaskstasks, destructiveWinKillboot-file access; executables pulled by browser/downloader processes viadrive.google.com/uc?export=download. - Wallpaper audit: search all devices for
lady_in_red-wallpaper-2560x1440.jpg(SHA25654a795ea…); the presence of this image on a device is a direct sign of infection. - Awareness: give purchasing and accounting teams targeted warnings about "price quote / order / discount"-themed emails containing cloud links and about
.jar,.jnlp,.jsfiles.
Detection rules
We developed detection rules across three layers for this variant and share them as ready-to-deploy files:
- YARA (
soupdealer.yar): the stage-1 loader's Stringer fingerprint, stage-3 Adwind and this variant's C2 configuration, plus a behavioral rule that works independently of the configuration. - Suricata / Snort (
soupdealer.rules): thegocebekuslar.storeDNS query,10820/35744C2 traffic to93.185.166.150, and the geo-check viafreeipapi.com. - Sigma (
soupdealer-sigma.yml): hidden-encPowerShell spawned byjavaw, Run / ONLOGON persistence, destructiveWinKillboot-file deletion, and javaw → high-port C2 connections.
Because dropped file names are generated randomly per infection, the host-side rules rely on behavior (process ancestry, command line, target path and port) rather than fixed file names. SOC and blue teams who need these rule sets can get in touch with us.
Appendix: Indicators of Compromise (IOC)
The following indicators are extracted directly from this sample. The network indicators are high-confidence and durable; feed those to your defense tooling first.
Delivery / phishing indicators
| Type | Value | Note |
|---|---|---|
| Sender | [email protected] (display name "Doğan AKTAŞ") | Phishing sender — re-taken domain |
| Sender domain | 8zonetime.com | Registered 2019; now Yandex/RU mail, no SPF/DKIM |
| Sending IP | 178.154.239.95 (AS200350 Yandex.Cloud, RU) | Mail sending infrastructure |
| Payload URL | drive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr | JAR download link |
| Drive file ID | 1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr | Google Drive hosting |
| Subject | …the discount rates along with the delivery time | Procurement-themed lure |
File indicators
| Type | Value | Note |
|---|---|---|
| SHA256 | e4d40008b10183524514b7517d7d236d6d99e9b4d4f89292e9ed0983aff619bb | Main JAR (stage 1) |
| MD5 | 40e2095555d022e6f4a3a9d12eb164af | Main JAR |
| SHA256 | 2412a1dfd64d0a5335f14fe48f920bc248b6c903126c8b6b89b02e4feaea72bd | Start.class (stage 2) |
| SHA256 | 54a795eab5bf70900545596dd7e6da823963d12acc967e4166087f1b5c6b794c | decoy image (lady_in_red…jpg) |
| Filename | 06.07.2026 FİYAT TEKLİFİ BEKLENEN ÜRÜNLER1.jar | Email attachment / lure |
| Resource | 962 | Embedded AES payload (1.05 MB) |
| Decoy | lady_in_red-wallpaper-2560x1440.jpg | Size padding + post-infection desktop wallpaper |
Network indicators — high priority
| Type | Value | Role |
|---|---|---|
| Domain | gocebekuslar.store | C2 (control + upload) |
| IPv4 | 93.185.166.150 | C2 resolution |
| Port | 10820/tcp | Control channel (DNS) |
| Port | 35744/tcp | Upload channel |
| Geo-check | freeipapi.com · ipinfo.io | Geo-targeting (TR only) |
| Download | dist.torproject.org/torbrowser/ | TOR component download |
| ASN / Hosting | AlexHost Srl · AS200019 (Moldova, offshore) | C2 hosting |
| Registrar | Namecheap (*.registrar-servers.com) | Domain registration |
| Co-host (pivot) | labuba2.farted.net | Dynamic DNS on the same IP |
Host and configuration indicators
| Key | Value |
|---|---|
| RAT family / version | Adwind (jRAT/AlienSpy) 7.4.2.0.F.6 · ENCVER GEN.2.1.3 |
| Loader | SoupDealer (Stringer v9 + Allatori) |
| Config password | 04d3978c339e5601d4eb7411946b691c746a6438 |
| Campaign prefix | SPAM |
| Persistence | Registry Run (STARTUP_TYPE=REGEDIT) · schtasks ONLOGON |
| Manifest signature | Protected-By: 9.0.9 Stringer |
Quick block list
gocebekuslar.store
93.185.166.150
8zonetime.com
[email protected]
178.154.239.95
drive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr
e4d40008b10183524514b7517d7d236d6d99e9b4d4f89292e9ed0983aff619bb
40e2095555d022e6f4a3a9d12eb164af
2412a1dfd64d0a5335f14fe48f920bc248b6c903126c8b6b89b02e4feaea72bd
This analysis was performed by the Netlore Security Threat Research team on a real sample that reached a SOC customer, on July 6, 2026. All sample handling took place in a network-isolated, controlled lab environment. TLP:CLEAR — indicators may be shared freely. This content is for defensive and informational purposes only.
Need Cybersecurity Consulting?
Our expert team provides comprehensive cybersecurity services to secure your corporate infrastructure. Contact us for detailed information about penetration testing, security audits, and consulting services.
Contact Us