Go to listing page

Sharp Panda Targets Southeast Asian Governments Using Evolved Soul Malware Framework

Sharp Panda Targets Southeast Asian Governments Using Evolved Soul Malware Framework
A new cyberespionage campaign has been detected targeting strategic infrastructure projects in Southeast Asian organizations. Based on the tools and TTPs used, experts have linked it to the Chinese APT group Sharp Panda.

What has been detected?

According to a Check Point report, the campaign has been active since late 2022 and targets government organizations in Vietnam, Indonesia, and Thailand.
  • It uses spear-phishing emails for initial access, carrying malicious documents with government-themed lures. It further deploys the RoyalRoad RTF kit, allowing attackers to exploit older vulnerabilities for further infection.
  • Once inside the target network, it downloads a module called SoulSearcher loader—a part of the Soul malware framework—that eventually loads the main module, the Soul backdoor.
  • This backdoor connects with the C2 server and waits for further instructions from the attacker about loading additional modules.

The Soul framework

The earliest samples of the Soul modular framework date back to 2017, and researchers believe that it is still evolving. This tool is not exclusive to Sharp Panda and has been used by multiple Chinese groups in the past.
  • The latest version of the Soul backdoor contains a unique OpSec feature called radio silence. It allows the attacker to specify any duration of the day or week when the malware is not allowed to communicate with the C2.
  • The attacker can configure it to keep the malware traffic in sync with the victim’s working hours, thus, reducing the chances of detection.
  • Additionally, it implements a custom protocol for C2 communications using HTTP request methods such as GET, POST, and DELETE, providing more flexibility and stealth during communications.

Ending notes

Experts consider this Sharp Panda campaign as another example of typical characteristics of Chinese APT operations, where multiple specialized groups share common goals, tactics, and custom tools. Furthermore, these threat groups are continuously enhancing the Soul malware framework to make them more efficient and stealthier. This makes it all more important for security agencies to collaborate and work together to combat such threats.
Cyware Publisher