SoulSearcher
Malware

⚠️ Overview
SoulSearcher is a remote access trojan (RAT) first documented in early 2022 by the MalwareHunterTeam and subsequently analyzed by Zscaler ThreatLabz. It is attributed to an advanced persistent threat (APT) group tracked as RedFly (also known as TA452), believed to operate from Iran, and is primarily used for targeted cyberespionage against Middle Eastern defense and telecommunications entities.
🔧 Technical Capabilities
SoulSearcher employs a multi-stage infection chain that begins with spear-phishing emails carrying malicious Microsoft Office documents; the documents exploit CVE-2021-40444 (MSHTML remote code execution) to drop the RAT's loader. Command-and-control traffic is carried over DNS-over-HTTPS (DoH), so the C2 lookups travel inside ordinary HTTPS sessions and bypass the organization's DNS resolver and its logs. Persistence is achieved by creating a scheduled task named "UpdateTask" and by writing a value named SoulSearcher under the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking, sandbox detection by checking for known analysis tools (e.g., Wireshark, Process Monitor), and encryption of network traffic with a custom TLS library. The malware can execute arbitrary shellcode, enumerate processes, steal credentials from web browsers and FTP clients, and exfiltrate files via FTP or HTTP POST requests. MITRE ATT&CK techniques include T1059.001 (PowerShell), T1071.001 (Web Protocols), T1547.001 (Registry Run Keys), and T1055 (Process Injection).
📜 History & Notable Incidents
SoulSearcher was first observed in February 2022 during a campaign targeting a Middle Eastern telecommunications provider, as reported by Zscaler in June 2022. In August 2023, a second wave targeted a defense contractor in the United Arab Emirates, using CVE-2023-38831 (a WinRAR vulnerability) as the initial access vector. No law enforcement actions or arrests have been publicly documented. CVE identifiers are assigned to vulnerabilities rather than to malware, so SoulSearcher has none of its own; the CVEs associated with it are those of the publicly known vulnerabilities exploited for delivery.
🔍 Detection Indicators
Two SHA256 hashes are reported and attributed to Zscaler's June 2022 report: c4f7e8d1a2b3c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2. Both values follow a repeating hexadecimal sequence rather than the uniform spread of a real digest, so confirm them against the original report before loading them into a blocklist. Behavioral indicators include outbound DNS queries to domains ending in .xyz and .top with long alphanumeric subdomains, a scheduled task named "UpdateTask," and the mutex name SoulSearcher_Mutex_2022. Because the C2 lookups travel over DoH, a malware-embedded DoH client leaves no trace in resolver logs or in Windows DNS client telemetry (Sysmon Event ID 22); the query names become visible only where DoH to public resolvers is blocked and the client falls back to the corporate resolver, or where TLS is inspected. Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" used during C2 communication; this is a stock Chrome 90 on Windows 10 user agent that also appears in legitimate traffic, so treat it as corroborating evidence rather than a standalone detection.
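As an added example (not code from this page or from Zscaler), the following Python applies the DNS indicator above to a query log: names under .xyz or .top whose subdomain label is long, purely alphanumeric and high-entropy are flagged. It goes slightly beyond the page by adding an entropy filter so that long but repetitive labels are not reported. The log format, the thresholds and the sample records are assumptions made for the example.

```python
"""Hunt a DNS query log for the C2 lookup pattern attributed to SoulSearcher:
queries to .xyz / .top domains with long, alphanumeric, high-entropy subdomains.
Added example; the log records below are constructed, not real telemetry."""
import math
import re
from collections import Counter

SUSPECT_TLDS = {"xyz", "top"}   # TLDs named in the page's behavioral indicators
MIN_LABEL_LEN = 20              # assumption: what counts as a "long" label
MIN_ENTROPY = 3.0               # assumption: bits per character; tune per environment
ALNUM_RE = re.compile(r"^[a-z0-9]+$")

# Constructed records in "timestamp client qname qtype" form.
SAMPLE_LOG = [
    "2022-02-14T09:12:01Z 10.0.0.15 x7k2m9q4w8e1r5t3y6u0i2o4p8a1s5d7.updatesvc.xyz A",
    "2022-02-14T09:12:05Z 10.0.0.15 www.example.com A",
    "2022-02-14T09:13:10Z 10.0.0.22 mail.corp-portal.top A",
    "2022-02-14T09:14:00Z 10.0.0.22 static-assets-cdn-node-01.host.top A",
    "2022-02-14T09:15:30Z 10.0.0.31 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.foo.xyz A",
    "malformed line",
]


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_query(qname):
    """Return (suspicious, reason) for one query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return False, "no subdomain"
    tld = labels[-1]
    if tld not in SUSPECT_TLDS:
        return False, f".{tld} not on the watch list"
    # Longest label left of the registered domain (assumes a single-label TLD).
    label = max(labels[:-2], key=len)
    if len(label) < MIN_LABEL_LEN:
        return False, "subdomain label too short"
    if not ALNUM_RE.match(label):
        return False, "label contains non-alphanumeric characters"
    entropy = shannon_entropy(label)
    if entropy < MIN_ENTROPY:
        return False, f"low entropy ({entropy:.2f} bits/char)"
    return True, f"{len(label)}-char alphanumeric label, {entropy:.2f} bits/char, .{tld}"


def parse_line(line):
    """Parse one constructed record; None if it lacks the expected fields."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2]}


def hunt(lines):
    """Return (client, qname, reason) for every record that scores suspicious."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        suspicious, reason = score_query(rec["qname"])
        if suspicious:
            hits.append((rec["client"], rec["qname"], reason))
    return hits


if __name__ == "__main__":
    for client, qname, reason in hunt(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```

On the constructed log only the first record is reported: the hyphenated CDN name, the short label and the 32-character run of a single letter all fall out at different checks. Run it against resolver or endpoint DNS logs only where those logs actually contain the queries; with an unblocked, malware-embedded DoH client there is nothing for it to see.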
☠️ Risk & Impact
SoulSearcher poses a high risk due to its ability to exfiltrate sensitive documents, credentials, and intellectual property from the defense and telecom sectors. In the 2023 campaign, attackers accessed project plans and employee credentials from a UAE defense contractor, leading to operational disruption and potential loss of competitive advantage. Financial losses have been estimated in the millions of dollars, but no figures have been published. Because C2 traffic is encrypted inside DoH sessions, network-based detection is difficult and defenders have to lean on endpoint telemetry.
🛡️ Mitigation
To defend against SoulSearcher, organizations should implement email filtering to block malicious attachments, apply patches for CVE-2021-40444 and CVE-2023-38831, and deploy endpoint detection and response (EDR) rules that flag creation of the "UpdateTask" scheduled task and writes to the SoulSearcher value under the HKCU Run key. Network security appliances should block DoH to public resolvers from all clients except approved ones, forcing name resolution through the corporate resolver where queries can be logged and inspected. Zscaler provides detection signatures (e.g., SoulSearcher.1) in its ThreatLabz feed.
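The EDR rules described above can be prototyped as matching logic over endpoint telemetry before being turned into vendor-specific rules. The following Python is an added example (not Zscaler's or this page's code) that evaluates constructed events in Sysmon and Windows Security log field style: it flags a value named SoulSearcher written under a Run key (Sysmon Event ID 13), a schtasks.exe /create invocation for "UpdateTask" (Sysmon Event ID 1), and a Security 4698 task-creation event for that task name. The SIDs, paths, user names and the events themselves are placeholders constructed for the example.

```python
"""Prototype EDR/SIEM logic for the persistence artifacts attributed to SoulSearcher:
a Run-key value named SoulSearcher and a scheduled task named UpdateTask.
Added example; the events below are constructed in Sysmon / Security log field style."""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
SECURITY = "Security"

# Sysmon 13 (RegistryEvent, value set): HKCU appears as HKU\<SID>\... in Sysmon output.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SoulSearcher$", re.IGNORECASE)
# Sysmon 1 (ProcessCreate): schtasks.exe creating a task named UpdateTask.
SCHTASKS_CREATE_RE = re.compile(
    r"schtasks(?:\.exe)?\b.*\s/create\b.*\s/tn\s+\"?UpdateTask\"?(?:\s|$)", re.IGNORECASE)
# Security 4698 (scheduled task created): TaskName is a path such as \UpdateTask.
TASK_NAME_RE = re.compile(r"(?:^|\\)UpdateTask$", re.IGNORECASE)

# Constructed events; SIDs, paths and user names are placeholders.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\SoulSearcher",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svc\svc.exe"},
    {"Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "UpdateTask" /tr '
                    r'C:\Users\jdoe\AppData\Roaming\svc\svc.exe /sc minute /mo 5 /f'},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "UpdateTask"'},   # lookup, not creation
    {"Channel": SECURITY, "EventID": 4698, "TaskName": r"\UpdateTask",
     "SubjectUserName": "jdoe"},
    {"Channel": SECURITY, "EventID": 4698,
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM"},
]

# (rule name, log channel, event id, field to inspect, pattern)
RULES = [
    ("run_key_soulsearcher", SYSMON, 13, "TargetObject", RUN_KEY_RE),
    ("schtasks_create_updatetask", SYSMON, 1, "CommandLine", SCHTASKS_CREATE_RE),
    ("task_created_updatetask", SECURITY, 4698, "TaskName", TASK_NAME_RE),
]


def match_event(event):
    """Return the name of the first rule the event satisfies, or None."""
    for name, channel, event_id, field, pattern in RULES:
        if (event.get("Channel") == channel and event.get("EventID") == event_id
                and pattern.search(event.get(field, ""))):
            return name
    return None


def detect(events):
    """Return (rule_name, event_id, matched_field_value) for every alerting event."""
    alerts = []
    for event in events:
        name = match_event(event)
        if name is None:
            continue
        field = next(rule[3] for rule in RULES if rule[0] == name)
        alerts.append((name, event["EventID"], event[field]))
    return alerts


if __name__ == "__main__":
    for name, event_id, evidence in detect(SAMPLE_EVENTS):
        print(f"[{name}] EventID {event_id}: {evidence}")
```

Three of the six constructed events alert; the OneDrive Run value, the schtasks /query lookup and the built-in defrag task do not. Tasks registered through the Task Scheduler COM API or PowerShell's Register-ScheduledTask never spawn schtasks.exe, so the 4698 rule (which needs the "Other Object Access Events" audit subcategory enabled) is the more robust of the two task signals; an executable path under AppData in the Details or /tr argument is worth surfacing alongside the alert.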
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.