Home
BlogContact Us
Back to Blog
Threat Intelligence

Summit-Day Delivery: The SoupDealer Loader and Adwind RAT Targeting Turkey

Netlore CyberOps
20 min read

Summary

On the opening day of a NATO summit, an employee at one of our SOC customers received a harmless-looking "price quote." There was no attachment; the email body carried a Google Drive download link. The .jar at the end of that link turned out to be a full-featured remote access trojan (RAT) that, after three layers of decryption, connects to live command-and-control (C2) infrastructure.

As the Netlore Security Threat Research team, we cracked the sample end-to-end without ever executing it, in a fully isolated lab with all network access severed, and extracted the live C2 configuration of this variant ourselves. The resulting chain was the SoupDealer loader — known to target Turkey and notorious for slipping past most public sandbox/antivirus solutions — and the Adwind RAT it carries. More importantly, this sample represents a variant of the campaign not yet documented in public sources: it uses direct clearnet C2 instead of Tor, and carries a destructive module capable of rendering a machine unbootable on command.

FieldValue
DateJuly 6, 2026
FamilySoupDealer → Adwind (jRAT / AlienSpy)
Version7.4.2.0.F.6
PlatformJava / JAR
TargetTurkey
VectorPhishing email → Google Drive download link (.jar)
SeverityCritical — C2 active
TLPCLEAR

Why is there an image at the top of this article?

The cover image of this article is not a design choice; it came straight out of the malware. This 1 MB picture, named lady_in_red-wallpaper-2560x1440.jpg, ships embedded inside the Adwind payload and serves two purposes at once.

The first is technical and mundane: padding that inflates the file size to slip past certain sandbox size limits and heuristic scans. The second is far more critical. Adwind's wallpaper-changing module sets this image as the victim's desktop wallpaper after a successful infection — a kind of signature, much like ransomware painting its ransom note on screen.

If you see this image on a device's desktop, that machine has most likely already been compromised. So this picture is not ordinary padding; it is the visible sign of infection. Finding a file matching SHA256 54a795ea… on a corporate device is, on its own, sufficient reason to launch an incident response.

Context: a low-profile lure on a busy day

Attackers love noise. The odds of a malicious message slipping through unnoticed rise on the busy days when organizations are distracted and email traffic surges. This sample landed on exactly such a day: as a NATO summit began — with geopolitical headlines and corporate communication traffic peaking — a procurement-themed phishing email dropped into an employee's inbox at our customer.

There was no classic ".jar in the attachment" here — because corporate email gateways already block such attachments. Instead the malicious file had been moved to Google Drive, leaving only a download link in the mail. The name of the file at the end of that link was a classic social-engineering trap: "06.07.2026 PRICE QUOTE — EXPECTED PRODUCTS" — the kind of subject that purchasing and accounting teams open by reflex.

The tone of the email completed the picture. Sent under a Turkish business persona ("Doğan AKTAŞ"), the subject line was crafted to look like a natural reply within an ongoing procurement thread: "Hello, good work — could you share the discount rates for the parts in the file along with the delivery time." This request — no urgency, naturally grafted onto an existing order conversation — is the signature of thread-hijacking attacks.

The attachment was analyzed without ever being genuinely executed, in a fully isolated, network-severed lab.

MetricValue
Nested decryption layers3
Embedded payload entropy7.99 / 8.0 (fully encrypted)
Commercial obfuscatorStringer + Allatori
Stage-3 RAT class / command modules65+
VirusTotal first-day detectiononly 1 of 64 engines flagged it

Delivery chain: from phishing email to Google Drive

The sample reached the inbox not as a direct attachment but via a download link on Google Drive. In environments where corporate email gateways block .jar attachments, this is a deliberate choice: the malicious file is never carried inside the mail — the mail only carries a link pointing to a trusted cloud.

By examining the original phishing email (.msg), we reconstructed the entire delivery chain:

FieldValue
Sender[email protected] — display name "Doğan AKTAŞ"
Subject"…could you share the discount rates along with the delivery time."
Download linkdrive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr
Sending infrastructureYandex Mail (178.154.239.95 — AS200350 Yandex.Cloud, RU)
AuthenticationSPF: none · DKIM: none · DMARC: none · compauth=fail
Microsoft filter verdictSCL:1 · SFV:NSPM (Not Spam) — delivered
Targeting signalLANG:tr (Turkish) · CTRY:RU (connecting IP country)

An ironic detail: the organization's own security banner sat at the very top of the mail — "This email was sent from outside the organization. Please only open links and files from sources you trust." — and right below that line, the Google Drive link. The attacker exploits the "trusted source" perception by using Google's own domain.

Authentication failed completely — yet it was still delivered. For 8zonetime.com, SPF, DKIM and DMARC are all absent (compauth=fail). Despite this, the mail landed in the recipient's inbox without being marked as spam (SFV:NSPM), thanks to Yandex's sending reputation. This is a textbook example of how mail filters that trust IP reputation alone let through a sender with no authentication at all. Recommendation: enforce DMARC alignment (p=quarantine/reject); quarantine From fields that fail authentication.

Why these domains? A camouflage analysis

The campaign uses three different domains, each chosen to exploit a different layer of trust:

  • drive.google.com — payload hosting. The malicious JAR is served over TLS from Google's CDN. It appears on no URL reputation/blocklist and is blocked by no category filter. On VirusTotal, this specific download URL is a fresh and unknown link.
  • gocebekuslar.store — C2. A Turkish phrase meaning "nomadic birds." Unlike a random-character C2 domain, it looks organic and harmless in Turkish victims' network traffic and raises no alarm to an analyst's eye. The .store TLD is cheap and lightly policed; moreover, some reputation services classify this domain as "shopping" — meaning many corporate web proxies allow it under category-based filtering. Registered via Namecheap on March 26, 2026, roughly 3.5 months before the campaign: aged just enough to escape the "newly registered domain" penalty, yet still fresh.
  • 8zonetime.com — sender. A domain whose registration history goes back to 2019, expired/abandoned and now re-taken; currently forwarded to Yandex Mail (RU infrastructure) with no valid SPF/DKIM record. The profile of a domain re-acquired to borrow its old reputation and dodge alignment checks.

Attack chain: JAR inside JAR inside RAT

The sample is designed as a loader that does one thing: each layer decrypts the next in memory and runs it without ever touching disk. This is a deliberate design to defeat signature-based detection and automated sandboxes.

Stage 01 — Loader             Stage 02 — Dropper           Stage 03 — Payload
┌─────────────────────┐      ┌─────────────────────┐      ┌─────────────────────┐
│  Stringer Loader    │      │   Start + stub      │      │    Adwind RAT       │
│  main-class: a      │─AES─▶│   main-class: Start │─RC4─▶│  main-class:Principal│
│  decrypts 962 → JAR │      │   stub → Adwind JAR │      │  connects to live C2 │
│  (custom ClassLoader)│      │   + decoy image     │      │  (Allatori-protected)│
└─────────────────────┘      └─────────────────────┘      └─────────────────────┘

Stage 1: Stringer-protected loader

The JAR's manifest gives away its intent at first glance. A legitimate "price quote" attachment does not ship with an aggressive code-protection layer like Stringer:

# META-INF/MANIFEST.MF
# Commercial obfuscator fingerprint (Licel — licelus.com)
Protected-By: 9.0.9 Stringer (20180205)
Protected-Notice: AV contact email - [email protected]
Main-Class: a

Classes are reduced to single-letter names (a, n, u, o), all method calls go through an integer-hash reflection proxy, and every string is encrypted with an AES-based scheme locked to the calling method's stack trace. This is a strong anti-analysis mechanism built to break static analysis. The main class a extends Java's ClassLoader and decrypts the embedded 962 resource with javax.crypto.Cipher.

Signal of a second stage. The 962 file is a fully random block of 1,102,656 bytes with entropy 7.9998/8.0. That value is a sure sign the data is either strongly encrypted or compressed — the last thing you'd expect from a "product list."

To break the string encryption, we ran Stringer v9's decryptor routine on an emulator and revealed 2,460 encrypted strings. After that, the loader's real job became visible: 962 → AES → a JAR archive.

Stage 2: dropper, decoy image and RC4

The decrypted 962 archive reveals a classic dropper architecture. One of its four components is the wallpaper image we described at the top of the article:

# 962 (AES-decrypted) → JAR contents
   198  META-INF/MANIFEST.MF                    # Main-Class: Start
134901  stub                                    # RC4-encrypted Adwind (stage-3)
 40519  Start.class                             # stage-2 loader
946248  lady_in_red-wallpaper-2560x1440.jpg     # size padding + infection wallpaper

The stage-2 class Start is itself a custom ClassLoader. It RC4-decrypts the stub resource to reveal the actual payload — an Adwind JAR — and again loads it into memory. The image, meanwhile, is the only tangible file that hits disk, and it will appear on the desktop once infection completes.

Stage 3: Adwind RAT v7.4.2.0.F.6

The JAR that emerges after RC4 decryption does not hide its identity. Spanish package and class names (opciones = options, Archivo = file, Borrar = delete, Instalador = installer), security-software killers like extra/secure/AntiKill, and a Tor/ package — all the undisputed signature of the Adwind / jRAT / AlienSpy family. The manifest says Main-Class: Principal; the configuration was waiting behind Allatori string encryption.

After peeling the Allatori layer, the RAT's operator-compiled configuration appeared in full in the config/ConfigSet class — the most valuable output of this analysis:

// config/ConfigSet.class — deobfuscated
static {
    SOURCE_VERSION  = "7.4.2.0.F.6";
    ENCVERUPGKEYGEN = "GEN.2.1.3";
    CONNECT_DNS     = "gocebekuslar.store";   // C2 — control
    TOR_UPLOAD_DNS  = "gocebekuslar.store";   // C2 — upload
    PASSWORD        = "04d3978c339e5601d4eb7411946b691c746a6438";
    PREFIX          = "SPAM";
    STARTUP_TYPE    = "REGEDIT";              // registry persistence
    STARTUP_DELAY   = 60L;
}
// PORT_1 = 10820 (DNS/control)   PORT_2 = 35744 (upload)

Live C2 configuration

KeyValue
CONNECT_DNSgocebekuslar.store93.185.166.150
Control port10820 / TCP
Upload port35744 / TCP
Password04d3978c339e5601d4eb7411946b691c746a6438
PrefixSPAM
PersistenceREGEDIT (Run key) + 60 s delay
Geo-filterfreeipapi.com · ipinfo.io

This variant does not use Tor: direct clearnet C2

Every public SoupDealer report (August 2025) describes Tor-routed C2 over .onion and ports 49152/49153. This sample is different. In config/ConfigSet, TOR = false; the Tor/TorDinamicLink class is merely a helper that downloads Tor Browser via dist.torproject.org. The actual connection is made directly over clearnet to the gocebekuslar.store domain on ports 10820 and 35744; the .onion field is never populated in this build (ONION NOT FOUND).

This is exactly where cracking our own sample was decisive. This variant's ports and clearnet C2 domain differ from the campaign's public reference samples; copying IOCs from other reports would have been misleading. We could obtain the live C2 only by cracking this sample ourselves. The shared password hash and the SPAM prefix, meanwhile, point to the same actor — making this a fresh indicator not yet documented in public sources.

Capabilities

Adwind is a cross-platform RAT with a modular command architecture. The class inventory in this sample reveals the following capabilities:

  • Surveillance: OrdenCaptura (screenshot), SendTumbnail, WebBot / Informacion (system recon)
  • File operations: LocalFileUpload/Download, Archivo · Copiar · Borrar, BuscarArchivos (file search)
  • Command & control: Signal · Opcion1–9, WinRegistry · Update, Downloader · Instalador
  • Evasion / defense destruction: AntiKill (44 KB) · WinKill, SecTools (security-tool termination), hidden PowerShell -EncodedCommand
  • Persistence: StartUp — Registry Run (REGEDIT), schtasks scheduled task, 60 s delayed trigger
  • Anti-analysis / geo: GetIP (geo-filter, TR only), ping localhost -n 7 (delay), TOR download and wallpaper change

Destructive and self-protecting modules

Adwind is most often described as an infostealer / remote access tool. But two modules in this sample show impact and resilience capacity beyond what is expected of it.

WinKill — destructive module

The RAT can render a machine unusable on command. extra/secure/WinKill targets and deletes or corrupts critical boot files:

\bootmgr
\System32\winload.exe
\System32\Drivers\pci.sys

Corrupting these files prevents the system from booting. The module can be used as a destruction/sabotage command or an anti-forensic "clean up after yourself" step — a serious destructive (impact) capability well beyond what an infostealer implies.

AntiKill — self-protection and UAC escalation

extra/secure/AntiKill works like a watchdog: it continuously compares the running JAR against the installed JAR and restarts itself when needed. It does so using a UTF-16LE Base64-encoded, hidden-window PowerShell call, and requests UAC elevation:

powershell.exe -nop -noni -win h -enc <base64>
  └─ Start-Process -FilePath "<javaw>" -ArgumentList '-jar','"<jar>"' -win h -Verb RunAs

The -Verb RunAs flag requests a restart with administrator rights; when the user approves the UAC prompt, the RAT continues running with elevated privileges.

Persistence, geo-fencing and the dropped-file pattern

Persistence is achieved two ways:

  • Registry Run: a randomly named value is written under Software\Microsoft\Windows\CurrentVersion\Run.
  • Scheduled task: schtasks /Create /TR "<javaw -jar ...>" /SC ONLOGON /TN <random> — triggered at logon. The STARTUP_TYPE=REGEDIT config value determines which method is chosen.

Geo-fencing and delay: extra/GetIP resolves the victim's IP via freeipapi.com and ipinfo.io, filtering the malware to run only in the target geography (Turkey); it excludes private and loopback addresses. It also applies an artificial ~7-second delay via cmd.exe /c ping localhost -n 7 to slip past automated sandboxes.

Dropped-file pattern: all file, folder and key names are generated randomly per infection (Utils.RANDOM, 6–32 characters). There is therefore no fixed-filename IOC; but the pattern is a strong threat-hunting signal:

ArtifactPattern
Main JAR / loader%APPDATA%\<random 6–32> (jar + lock file)
Tor download<random 8–32>.exe
Wallpaper<random 8–32>.bmp
Note / marker files<random 6–32>.txt
PersistenceRun key or ONLOGON task, randomly named

Hunting summary. javaw.exe running from %APPDATA%, dropping randomly named .exe / .bmp / .txt files, writing a Run key or ONLOGON task, and spawning hidden -enc PowerShell — seen together, this chain is a high-confidence detection signal.

MITRE ATT&CK mapping

TacticTechniqueObservation
Initial AccessT1566.002 Spearphishing LinkGoogle Drive download link in a "price quote" mail
Resource DevelopmentT1608.001 Stage Capabilities: Upload MalwarePayload uploaded to Google Drive
Command & ControlT1102 Web ServiceTrusted cloud (Google Drive) abused for distribution
ExecutionT1059.001 PowerShellHidden -enc PowerShell
ExecutionT1204.002 Malicious FileUser opening the JAR
Defense EvasionT1027 Obfuscated/EncryptedStringer v9 + Allatori + AES/RC4 layers
Defense EvasionT1140 Deobfuscate/Decode3-stage in-memory decryption
Defense EvasionT1497 Virtualization/Sandbox EvasionGeo-fence + ping delay
Defense EvasionT1562.001 Impair DefensesAntiKill / SecTools / WinKill
PersistenceT1547.001 Registry Run KeyCurrentVersion\Run
PersistenceT1053.005 Scheduled Taskschtasks /SC ONLOGON
Privilege EscalationT1548.002 Bypass UACPowerShell -Verb RunAs
DiscoveryT1614.001 System Location Discoveryfreeipapi.com / ipinfo.io
CollectionT1113 Screen CaptureOrdenCaptura / SendTumbnail
Command & ControlT1219 Remote Access SoftwareAdwind RAT
Command & ControlT1571 Non-Standard PortTCP 10820 / 35744
ImpactT1485 / T1561 Data/Disk DestructionWinKill boot-file destruction

Infrastructure: OSINT pivot

Starting from the C2 domain, we mapped out the hosting infrastructure:

IndicatorFinding
C2 IP93.185.166.150 (93.185.166.0/23)
Hosting / ASNAlexHost Srl · AS200019 — Moldova-based, abuse-tolerant offshore hosting
C2 domain registrationNamecheap, registered March 26, 2026 (~3.5 months before the campaign); NS/MX: *.registrar-servers.com
C2 domain category"shopping" in some reputation services, "Suspicious" in others — camouflage that bypasses category filtering
Sender domain8zonetime.com — registered 2019, re-taken; now Yandex Mail (RU), no valid SPF/DKIM
Payload hostingdrive.google.com (Google Drive direct-download) — trusted-cloud abuse
Co-hosted on same IP (pivot)labuba2.farted.net (dynamic DNS — likely actor infrastructure)
Campaign contextSoupDealer — Turkey-focused, active since August 2025; this variant is new with clearnet C2

All the C2 domain's NS/MX records point to Namecheap's default forwarding infrastructure — the profile of a cheap, disposable phishing domain. The absence of a TLS certificate (crt.sh empty) is consistent with the C2 using a raw TCP socket protocol rather than HTTPS. Hosting the C2 IP at an abuse-tolerant, offshore provider like AlexHost (AS200019) is a deliberate choice that prioritizes takedown resistance.

An almost-invisible variant: VirusTotal telemetry

The most concrete evidence of how fresh this variant is comes from public multi-engine scanning. The main JAR (SHA256 e4d40008…) was first submitted to VirusTotal on July 6, 2026, 11:45 UTC — the day the mail arrived.

VT metricValue
First seenJuly 6, 2026, 11:45 UTC
Engines flagging malicious1 / 64 — only NANO-Antivirus (Exploit.Zip.Heuristic-java.csrvpr, static ZIP heuristic)
Dynamic sandboxZenbox + Zenbox Linux → "CLEAN" (97–98% confidence)
VT behavioral network IOCNone — the sandbox never triggered the C2 (evasion)
Notable behavior tagssets-process-name, detect-debug-environment, long-sleeps

Two findings are especially striking. On the static side, only one of 64 engines caught it, and only via a heuristic ZIP rule; no engine named the sample "Adwind" or "SoupDealer" — meaning signature-based detection is effectively zero. On the dynamic side, VT's sandboxes declared the sample clean, because the geo-fence and long-sleeps delays ended the analysis before triggering real behavior. That is why VT holds no "contacted domain/IP" relationship for the sample — we could surface the live C2 only through our own controlled extraction.

Detection rates change over time; this number will rise as engines add signatures. The real indicator here is less the instantaneous ratio than the fact that, on the day it was first seen, it circulated with near-zero detection and a generic label — a short but real zero-day-like window. Do not rely on signatures/AV; behavioral EDR and network detection take priority.

Methodology: extracting the live config without ever running the payload

The key to defeating this kind of multi-layered, stack-trace-locked obfuscation is not to detonate the sample, but to run its decryptor routines in a controlled way and catch the payload at the exact moment it is born. The safe extraction method the Netlore Threat Research team followed was:

  • String decryption in an emulator. Without ever touching a real OS, the Stringer v9 (2,460 strings) and Allatori (1,095 strings) layers were decrypted inside an emulator.
  • In-memory capture instrumentation. A custom Java agent hooked ClassLoader.defineClass, ByteArrayInputStream and configuration-map calls; each stage's decrypted bytes were taken to disk at exactly that point.
  • A physically network-severed sandbox. The entire chain ran inside an isolated namespace with no network access — not a single packet could leave.
  • Halting before payload init. The static initializer (<clinit>) of the real malicious classes never ran; the process was terminated the instant the decrypted bytes were captured.

The result: without any execution risk, the live and verified command-and-control infrastructure of this specific variant of the campaign.

Detection and response recommendations

  • Block: block gocebekuslar.store and 93.185.166.150 at the DNS and firewall layers; monitor and stop outbound TCP 10820 and 35744 traffic.
  • Mail layer: block the sender domain 8zonetime.com and [email protected]; enforce DMARC alignment (p=quarantine/reject) and flag senders with missing SPF/DKIM (compauth=fail). Trusted cloud domains like Google Drive must not be treated as a "whitelist"; apply CDR/sandbox based on the downloaded file type.
  • Quarantine: block the sample SHA256 in EDR/AV; quarantine .jar attachments at the mail gateway by default and .jar / .jnlp / .js files pulled from cloud-sharing links.
  • Threat hunting: javaw.exe outbound connections, freeipapi.com / ipinfo.io lookups, hidden PowerShell -EncodedCommand calls, new Registry Run keys and schtasks tasks, destructive WinKill boot-file access; executables pulled by browser/downloader processes via drive.google.com/uc?export=download.
  • Wallpaper audit: search all devices for lady_in_red-wallpaper-2560x1440.jpg (SHA256 54a795ea…); the presence of this image on a device is a direct sign of infection.
  • Awareness: give purchasing and accounting teams targeted warnings about "price quote / order / discount"-themed emails containing cloud links and about .jar, .jnlp, .js files.

Detection rules

We developed detection rules across three layers for this variant and share them as ready-to-deploy files:

  • YARA (soupdealer.yar): the stage-1 loader's Stringer fingerprint, stage-3 Adwind and this variant's C2 configuration, plus a behavioral rule that works independently of the configuration.
  • Suricata / Snort (soupdealer.rules): the gocebekuslar.store DNS query, 10820 / 35744 C2 traffic to 93.185.166.150, and the geo-check via freeipapi.com.
  • Sigma (soupdealer-sigma.yml): hidden -enc PowerShell spawned by javaw, Run / ONLOGON persistence, destructive WinKill boot-file deletion, and javaw → high-port C2 connections.

Because dropped file names are generated randomly per infection, the host-side rules rely on behavior (process ancestry, command line, target path and port) rather than fixed file names. SOC and blue teams who need these rule sets can get in touch with us.

Appendix: Indicators of Compromise (IOC)

The following indicators are extracted directly from this sample. The network indicators are high-confidence and durable; feed those to your defense tooling first.

Delivery / phishing indicators

TypeValueNote
Sender[email protected] (display name "Doğan AKTAŞ")Phishing sender — re-taken domain
Sender domain8zonetime.comRegistered 2019; now Yandex/RU mail, no SPF/DKIM
Sending IP178.154.239.95 (AS200350 Yandex.Cloud, RU)Mail sending infrastructure
Payload URLdrive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lrJAR download link
Drive file ID1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lrGoogle Drive hosting
Subject…the discount rates along with the delivery timeProcurement-themed lure

File indicators

TypeValueNote
SHA256e4d40008b10183524514b7517d7d236d6d99e9b4d4f89292e9ed0983aff619bbMain JAR (stage 1)
MD540e2095555d022e6f4a3a9d12eb164afMain JAR
SHA2562412a1dfd64d0a5335f14fe48f920bc248b6c903126c8b6b89b02e4feaea72bdStart.class (stage 2)
SHA25654a795eab5bf70900545596dd7e6da823963d12acc967e4166087f1b5c6b794cdecoy image (lady_in_red…jpg)
Filename06.07.2026 FİYAT TEKLİFİ BEKLENEN ÜRÜNLER1.jarEmail attachment / lure
Resource962Embedded AES payload (1.05 MB)
Decoylady_in_red-wallpaper-2560x1440.jpgSize padding + post-infection desktop wallpaper

Network indicators — high priority

TypeValueRole
Domaingocebekuslar.storeC2 (control + upload)
IPv493.185.166.150C2 resolution
Port10820/tcpControl channel (DNS)
Port35744/tcpUpload channel
Geo-checkfreeipapi.com · ipinfo.ioGeo-targeting (TR only)
Downloaddist.torproject.org/torbrowser/TOR component download
ASN / HostingAlexHost Srl · AS200019 (Moldova, offshore)C2 hosting
RegistrarNamecheap (*.registrar-servers.com)Domain registration
Co-host (pivot)labuba2.farted.netDynamic DNS on the same IP

Host and configuration indicators

KeyValue
RAT family / versionAdwind (jRAT/AlienSpy) 7.4.2.0.F.6 · ENCVER GEN.2.1.3
LoaderSoupDealer (Stringer v9 + Allatori)
Config password04d3978c339e5601d4eb7411946b691c746a6438
Campaign prefixSPAM
PersistenceRegistry Run (STARTUP_TYPE=REGEDIT) · schtasks ONLOGON
Manifest signatureProtected-By: 9.0.9 Stringer

Quick block list

gocebekuslar.store
93.185.166.150
8zonetime.com
[email protected]
178.154.239.95
drive.google.com/uc?export=download&id=1rZCHjstkxPxJ7RZRPmdf13aJ10Cc14lr
e4d40008b10183524514b7517d7d236d6d99e9b4d4f89292e9ed0983aff619bb
40e2095555d022e6f4a3a9d12eb164af
2412a1dfd64d0a5335f14fe48f920bc248b6c903126c8b6b89b02e4feaea72bd

This analysis was performed by the Netlore Security Threat Research team on a real sample that reached a SOC customer, on July 6, 2026. All sample handling took place in a network-isolated, controlled lab environment. TLP:CLEAR — indicators may be shared freely. This content is for defensive and informational purposes only.

Tags:Malware AnaliziAdwindSoupDealerJava RATjRATAlienSpyC2IOCPhishingTehdit İstihbaratı

Need Cybersecurity Consulting?

Our expert team provides comprehensive cybersecurity services to secure your corporate infrastructure. Contact us for detailed information about penetration testing, security audits, and consulting services.

Contact Us

Cookie Usage

We use cookies to improve your experience on our website. By continuing, you accept the use of cookies.

Cookie Policy