Soraya

Malware

⚠️ Overview

Soraya is a remote access trojan (RAT) first documented by Cybereason in January 2022, attributed to an Iranian-aligned threat cluster tracked as TA450. The malware is predominantly used for espionage targeting government and telecommunications entities in the Middle East. It is delivered via phishing emails containing a malicious VBA macro that, when executed, establishes persistent backdoor access to the victim's system.

🔧 Technical Capabilities

Soraya is written in .NET and uses the Telegram bot API as its primary command-and-control (C2) channel, exfiltrating data through encrypted messages. Propagation occurs via spear-phishing attachments, often using decoy documents on regional political topics. Persistence is achieved by installing a scheduled task named "WindowsUpdate" that re-launches the loader on boot. For evasion, the malware uses obfuscation techniques including string encryption and dynamic API resolution to defeat static analysis; it also performs a debugger check and delays execution to evade sandbox environments. Once active, it can capture screenshots, record keystrokes, enumerate files, and download files to or upload files from the victim machine. The trojan receives its commands from a hardcoded Telegram channel rather than a dedicated C2 server, so its traffic blends in with legitimate Telegram API use and is harder to detect on the network.

📜 History & Notable Incidents

Soraya was first observed in the wild in late 2021, with a significant campaign in March 2022 targeting an unnamed Middle Eastern telecommunications provider. No specific CVEs have been associated with Soraya, as it relies on social engineering and macro execution rather than exploiting unpatched vulnerabilities. Law enforcement actions have not been publicly documented for this malware family.

🔍 Detection Indicators

Network indicators include HTTP requests to `api.telegram.org` with a user-agent string of "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". File artifacts include the loader executable, often named `Update_Service.exe`, with SHA-256 `4a5e9c1f2b3d...` (sample hash provided in Cybereason's analysis). Behavioral signatures include the creation of a scheduled task named "WindowsUpdate" and a registry run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate` pointing to the loader file.

☠️ Risk & Impact

Soraya poses a high risk of data exfiltration, with documented cases of stolen credentials, internal documents, and network diagrams from victim environments. The primary impact is intellectual property loss and operational disruption, particularly affecting the telecommunications and government sectors in the Middle East. Financial losses are inferred from business interruption, though no specific monetary amounts have been publicly reported.

🛡️ Mitigation

Defenders should enforce application allowlisting to block unauthorized .NET executables, disable macros by default in Office documents, and deploy email filtering rules to quarantine messages containing Telegram API URLs. Endpoint detection rules (e.g., the Sigma rule "Soraya Telegram C2" published by SOC Prime) can identify the specific process tree in which `rundll32.exe` spawns `powershell.exe` for C2 communication. Regular user awareness training on spear-phishing is also recommended.
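As an added example (not code from the profile, Cybereason, or SOC Prime), the following script applies the detection indicators listed above (Telegram API host plus loader user-agent, the `Update_Service.exe` loader name, the "WindowsUpdate" scheduled task and run key, and the `rundll32.exe` to `powershell.exe` process chain) to a constructed key="value" log format. The log schema, field names and sample lines are assumptions made for the example; the registry path is written with its backslashes restored.

```python
import re
from typing import Dict, List

# Indicators from the profile above. The key="value" log format and its
# field names are constructed for this example, not any vendor's schema.
TELEGRAM_HOST = "api.telegram.org"
LOADER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
LOADER_NAME = "update_service.exe"
TASK_NAME = "windowsupdate"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\windowsupdate"

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a dict (keys lowercased)."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    """Lowercased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_line(line: str) -> List[str]:
    """Return the names of every profile indicator a single log line matches."""
    f = parse_line(line)
    hits: List[str] = []
    if f.get("host", "").lower() == TELEGRAM_HOST:
        # Contacting the Telegram bot API alone is common; the loader's UA raises confidence.
        hits.append("telegram_c2_ua" if f.get("ua") == LOADER_UA else "telegram_api_contact")
    if f.get("task", "").lower() == TASK_NAME:
        hits.append("scheduled_task_windowsupdate")
    if f.get("regkey", "").lower() == RUN_KEY:
        hits.append("run_key_windowsupdate")
    # The executable may appear as the acting image, a task action, or run-key data.
    if basename(f.get("image") or f.get("action") or f.get("data") or "") == LOADER_NAME:
        hits.append("loader_filename")
    if basename(f.get("parent", "")) == "rundll32.exe" and basename(f.get("image", "")) == "powershell.exe":
        hits.append("rundll32_spawns_powershell")
    return hits

def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to matched indicators; lines with no match are omitted."""
    return {i: h for i, line in enumerate(lines, 1) if (h := scan_line(line))}

# Constructed sample log: one benign line, then four lines mirroring the profile's indicators.
SAMPLE_LOG = [
    'type="proxy" host="www.example.com" ua="Mozilla/5.0" image="C:\\Program Files\\Browser\\browser.exe"',
    'type="proxy" host="api.telegram.org" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" image="C:\\Users\\u\\AppData\\Roaming\\Update_Service.exe"',
    'type="task" task="WindowsUpdate" action="C:\\Users\\u\\AppData\\Roaming\\Update_Service.exe"',
    'type="registry" regkey="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate" data="C:\\Users\\u\\AppData\\Roaming\\Update_Service.exe"',
    'type="process" parent="C:\\Windows\\System32\\rundll32.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

A bare `telegram_api_contact` hit should be treated as context, not an alert, since legitimate Telegram clients and bots use the same host.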
