In early August 2025, a new and unusually evasive threat surfaced in Türkiye: SoupDealer, a Java-based loader that, according to the published analysis (cybersecuritynews.com), slipped past virtually every public sandbox, antivirus engine, and enterprise EDR/XDR product it encountered in real-world attacks.
How SoupDealer Works:
- Delivered through a spear-phishing campaign as a three-stage .jar file. The first stage checks that the host is Windows with a Turkish locale and a Turkish geolocation before going any further, so analysis environments that do not look like a Turkish victim never reach the later stages.
- Uses custom Java classloaders to decrypt each stage and load it directly in memory, so the decrypted payloads never touch disk; file-based scanning sees only the obfuscated outer .jar, and static analysis has little to work with.
- Wraps each stage in layered encryption (AES-ECB, then RC4) and pads the code with junk instructions and string obfuscation to defeat heuristic detection.
- On a matching host, downloads Tor, establishes persistence through a Windows scheduled task and a registry Run entry, and finally deploys the Adwind backdoor, whose C2 channel is routed over Tor.
What This Means for Business Security
SoupDealer’s reported ability to slip past sandboxes, antivirus, and EDR/XDR platforms is a stark warning: detect-and-respond strategies that rely on recognizing known patterns or behaviors are not sufficient on their own. Part of the evasion is mundane rather than magical: a loader that exits unless it finds a Turkish Windows install inside Türkiye never detonates in an analysis environment that looks like anything else, so the sandbox verdict reads "clean" and the later stages go unseen. Threats built this way can evade detection entirely or operate silently until it is too late.
From Detect & Respond to Isolation & Containment
Here’s why Isolation and Containment - like what AppGuard offers - is critical:
- Stops attacks at the source: instead of waiting to detect malicious behavior, isolation prohibits unknown or untrusted code from interacting with critical systems in the first place.
- Blocks in-memory and living-off-the-land techniques: even if malware executes in memory or uses legitimate tools, isolation keeps it from escalating or spreading.
- Minimizes dependency on detection signatures: with AppGuard’s policy-based controls, even unknown threats are automatically contained without needing prior identification.
- Proven track record: AppGuard has protected endpoints for more than a decade, preventing malware execution in the wild, and is now available for commercial deployments.
Why Business Owners Should Act Now
Let SoupDealer be the warning your business heeds, not the incident you respond to.
- Relying solely on detection is reactive, leaving gaps that advanced threats exploit.
- AppGuard’s isolation approach proactively neutralizes threats before malicious code can execute or persist.
- It is built, tested, and trusted, protecting critical systems with minimal disruption.
Ready to move beyond detection?
Talk to us at CHIPS about how AppGuard can transform your security posture today. Let’s shift your strategy from “Detect and Respond” to “Isolation and Containment” and keep threats like SoupDealer out of your network before they ever start.

August 15, 2025