Soul

Malware

⚠️ Overview

Soul is a remote access trojan (RAT) first documented by Trend Micro in February 2022, attributed to the Chinese-speaking threat group TA428 (also tracked as SoulGroup). It is primarily used for cyber espionage against government agencies, military targets, and research institutions in Southeast Asia, particularly Taiwan. The malware is delivered via spear‑phishing emails containing malicious Office documents that exploit the Follina vulnerability (CVE‑2022‑30190).

🔧 Technical Capabilities

Soul is a modular, .NET‑based backdoor that establishes HTTP/HTTPS C2 channels using dynamic DNS domains. It employs process hollowing (T1055.012) to inject into legitimate processes such as explorer.exe or svchost.exe, and achieves persistence via registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) with a value named “SoulUpdater”. Evasion techniques include encryption of C2 traffic with a custom XOR algorithm, sleeping to evade sandbox analysis, and checking for virtual machine artifacts (e.g., registry keys for VMware or VirtualBox). The malware collects system information, logs keystrokes (T1056.001), captures screenshots (T1113), and exfiltrates files via HTTP POST requests. It can also download and execute additional modules, such as a credential stealer that targets saved credentials in web browsers.

📜 History & Notable Incidents

Soul was first detected in late 2021 during a campaign targeting Taiwan’s Ministry of Foreign Affairs and several think tanks. In March 2022, Trend Micro published a detailed technical report linking Soul to TA428 and the operation “Eye of the Soul”. A separate campaign in early 2023 used Soul alongside the Cobalt Strike beacon against a Southeast Asian military contractor. No law enforcement actions have been publicly reported as of 2025.

🔍 Detection Indicators

Known indicators include the mutex name “SoulMutex” and registry artifacts under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoulUpdater. Network IOCs consist of HTTP POST requests to domains such as soulupdate[.]com and c2‑soul[.]net with a User‑Agent string “Mozilla/5.0 SoulClient” (variants exist). Behavioral signatures include repeated WMI queries for antivirus product detection and the creation of scheduled tasks named “SoulWatchdog”. File hashes (SHA256) for initial samples have been published in Trend Micro’s report (e.g., 5a3f…).
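The indicators above can be turned into a simple triage check over endpoint and proxy telemetry. The script below is an added example written for this page; it is not Boteraser's code nor anything from Trend Micro's report. It assumes a constructed key=value log format (the sample lines are made up for the example) and, because the page notes that User‑Agent variants exist, it matches on the distinctive “SoulClient” token rather than the full string, which is an assumption of this example rather than something the page states.

```python
"""Triage helper: flag telemetry lines that match the Soul indicators listed on this page.

The key=value log format and the SAMPLE_LOG lines are constructed for this example;
they are not real telemetry and not part of any published report.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators as written on the page (domains are defanged there with [.]).
SOUL_C2_DOMAINS = {"soulupdate[.]com", "c2-soul[.]net"}
SOUL_UA_TOKEN = "SoulClient"  # assumption: match the token because variants of the UA exist
SOUL_RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoulUpdater"
SOUL_MUTEX = "SoulMutex"
SOUL_TASK = "SoulWatchdog"


def refang(domain: str) -> str:
    """Turn a defanged indicator such as soulupdate[.]com back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_HOSTNAMES = {refang(d) for d in SOUL_C2_DOMAINS}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    indicator: str  # which page indicator matched
    evidence: str   # the field value that matched


# key=value pairs; a value may be double-quoted so it can contain spaces (e.g. a User-Agent).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one constructed key=value telemetry line into a dict of string fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV_RE.finditer(line)}


def check_event(fields: dict) -> list[tuple[str, str]]:
    """Return (indicator, evidence) pairs for every page indicator this event matches."""
    found = []
    event = fields.get("event", "")
    if event == "registry_set" and fields.get("key", "").lower() == SOUL_RUN_VALUE.lower():
        found.append(("run_key", fields["key"]))
    elif event == "http_request":
        hostname = (urlparse(fields.get("url", "")).hostname or "").lower()
        if hostname in C2_HOSTNAMES:
            found.append(("c2_domain", hostname))
        if SOUL_UA_TOKEN.lower() in fields.get("ua", "").lower():
            found.append(("user_agent", fields["ua"]))
    elif event == "mutex_create" and fields.get("name") == SOUL_MUTEX:
        found.append(("mutex", fields["name"]))
    elif event == "task_create" and fields.get("name") == SOUL_TASK:
        found.append(("scheduled_task", fields["name"]))
    return found


def scan(lines) -> list[Hit]:
    """Run every line through the indicator checks and collect the hits."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = parse_line(line)
        for indicator, evidence in check_event(fields):
            hits.append(Hit(line_no, fields.get("host", "?"), indicator, evidence))
    return hits


def hits_per_host(hits) -> dict[str, int]:
    """Count matched indicators per host so the noisiest endpoint surfaces first."""
    counts: dict[str, int] = {}
    for hit in hits:
        counts[hit.host] = counts.get(hit.host, 0) + 1
    return counts


# Constructed sample telemetry: WS01 shows all four page indicators, WS02 is benign noise.
SAMPLE_LOG = [
    r'event=registry_set host=WS01 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoulUpdater data=C:\Users\jdoe\AppData\Local\svc.exe',
    r'event=http_request host=WS01 method=POST url=http://soulupdate.com/upload ua="Mozilla/5.0 SoulClient"',
    r'event=mutex_create host=WS01 name=SoulMutex',
    r'event=task_create host=WS01 name=SoulWatchdog',
    r'event=http_request host=WS02 method=GET url=https://www.example.org/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    r'event=registry_set host=WS02 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive data=C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} host={hit.host} indicator={hit.indicator} evidence={hit.evidence}")
    print(hits_per_host(scan(SAMPLE_LOG)))
```

Feeding the constructed sample through `scan` yields five hits, all on WS01 (the HTTP line matches both the C2 domain and the User‑Agent), while the ordinary browser request and the OneDrive Run value on WS02 produce nothing. In practice the registry, mutex and scheduled-task checks map to Sysmon event IDs 13, 17 and 1 (or the Task Scheduler operational log), and the HTTP checks to proxy or EDR network telemetry; the key=value parser here stands in for whatever format those sources use.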

☠️ Risk & Impact

Soul enables persistent remote access and data exfiltration, leading to the theft of classified documents, diplomatic correspondence, and intellectual property. Affected sectors include government, defense, and academic research, particularly in Taiwan and other Southeast Asian nations. Financial losses are indirect but significant due to the sensitivity of stolen information; no direct ransomware or financial theft has been observed.

🛡️ Mitigation

Defenders should apply Microsoft patches for CVE‑2022‑30190, block dynamic DNS domains used by Soul (e.g., via DNS sinkholing), and enable endpoint detection rules that monitor for process hollowing and registry Run-key creation. Organizations should also implement macro security policies in Microsoft Office and user awareness training against spear‑phishing.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.