New malware variant has “radio silence” mode to evade detection

The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework.

The particular malware was previously seen in espionage campaigns targeting critical Southeast Asian organizations, attributed to various Chinese APTs.

Check Point identified a new campaign using the malware that started in late 2022 and continues through 2023, employing spear-phishing attacks for initial compromise.

The use of the RoyalRoad RTF kit, C2 server addresses, and the hacker’s working hours allowed Check Point to attribute the latest espionage operation to state-backed Chinese hackers. The TTPs and tools are consistent with previously seen activities by Sharp Panda.

Infection chain

The new Sharp Panda campaign uses spear-phishing emails with malicious DOCX file attachments that deploy the RoyalRoad RTF kit to attempt to exploit older vulnerabilities to drop malware on the host.

In this case, the exploit creates a scheduled task and then drops and executes a DLL malware downloader, which in turn fetches and executes a second DLL from the C2 server, the SoulSearcher loader.

This second DLL creates a registry key with a value that contains the final compressed payload and then decrypts and loads the Soul modular backdoor into memory, helping it evade detection from antivirus tools running on the breached system.

Infection chain (Check Point)

Soul details

Upon execution, the main module of the Soul malware establishes a connection with the C2 and waits for additional modules that will extend its functionality.

The new version analyzed by Check Point features a “radio silence” mode that lets the threat actors specify the hours of the week during which the backdoor must not communicate with the command and control server, likely to avoid detection during the victim’s working hours.

“This is an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected,” explained Check Point.
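The “radio silence” schedule cuts both ways for a defender: a backdoor that stays quiet during working hours leaves a host whose traffic to one destination is confined entirely to nights and weekends, which ordinary user browsing almost never does. The script below, an added example and not Check Point’s code, searches proxy logs for exactly that pattern. The log format, hostnames, destinations and the 09:00–17:59 Monday-to-Friday working window are constructed assumptions for the example.

```python
"""Flag (source, destination) pairs whose connections all fall outside working hours.

Added example, not Check Point's or the malware author's code. The log format,
hostnames and destinations below are constructed; the working-hours window is
an assumption and should be set to the monitored site's local schedule.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <src host> <HTTP method> <dst host>".
# 2023-03-06 is a Monday, 2023-03-11 a Saturday.
SAMPLE_LOG = """\
2023-03-06T02:15:00 ws-finance-07 POST update.example-cdn.test
2023-03-06T03:15:00 ws-finance-07 GET update.example-cdn.test
2023-03-06T10:02:00 ws-finance-07 GET intranet.corp.test
2023-03-06T11:30:00 ws-finance-07 GET intranet.corp.test
2023-03-06T21:15:00 ws-finance-07 GET update.example-cdn.test
2023-03-06T22:15:00 ws-finance-07 DELETE update.example-cdn.test
2023-03-07T01:15:00 ws-finance-07 GET update.example-cdn.test
2023-03-07T14:00:00 ws-finance-07 GET intranet.corp.test
2023-03-11T13:15:00 ws-finance-07 GET update.example-cdn.test
2023-03-06T09:10:00 ws-hr-02 GET intranet.corp.test
2023-03-06T23:40:00 ws-hr-02 GET backup.corp.test
2023-03-07T15:05:00 ws-hr-02 GET backup.corp.test
"""

BUSINESS_HOURS = range(9, 18)   # assumed: 09:00-17:59 local time, Monday to Friday
MIN_EVENTS = 5                  # too few samples and "never during the day" means nothing


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, method, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, method, dst))
    return records


def is_working_time(ts):
    """True for a weekday timestamp that falls inside BUSINESS_HOURS."""
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def quiet_hours_profile(records):
    """Per (src, dst) pair: total connections, connections during working time,
    and the set of HTTP methods seen. The method set is recorded because the
    article notes the new Soul variant mixes GET, POST and DELETE toward its C2."""
    profile = defaultdict(lambda: {"total": 0, "working": 0, "methods": set()})
    for ts, src, method, dst in records:
        entry = profile[(src, dst)]
        entry["total"] += 1
        entry["working"] += int(is_working_time(ts))
        entry["methods"].add(method)
    return profile


def find_radio_silent_pairs(records, min_events=MIN_EVENTS):
    """Return (src, dst, count, methods) for pairs with at least min_events
    connections, none of which occurred during working time."""
    hits = []
    for (src, dst), entry in quiet_hours_profile(records).items():
        if entry["total"] >= min_events and entry["working"] == 0:
            hits.append((src, dst, entry["total"], sorted(entry["methods"])))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n, methods in find_radio_silent_pairs(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {n} connections, all outside working hours, methods={methods}")
```

On the sample data only the finance workstation’s traffic to the constructed `update.example-cdn.test` host is flagged: six connections, every one at night or on the weekend, using three different HTTP methods. The same host’s intranet traffic and the HR machine’s nightly backup job are not flagged, because they each produce at least one daytime connection or too few events to judge. In production the working-hours window should follow the site’s local time zone, and the threshold should be raised so that a single late-working user does not trigger it.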

Main backdoor configuration (Check Point)

Moreover, the new variant implements a custom C2 communication protocol that uses various HTTP request methods, including GET, POST, and DELETE.

Support for multiple HTTP methods gives the malware flexibility, with GET used for retrieving data and POST for submitting data.

Soul’s communication with the C2 begins by registering itself and sending victim fingerprinting data (hardware details, OS type, time zone, IP address), after which it enters an infinite C2 contacting loop.

Victim enumeration data (Check Point)

The commands it may receive during these communications concern loading additional modules, collecting and resending enumeration data, restarting the C2 communication, or exiting its process.

Commands supported by Soul (Check Point)

Check Point did not sample additional modules that might perform more specialized functions such as file actions, data exfiltration, keylogging, screenshot capturing, etc.

The Soul framework was first seen in the wild in 2017 and subsequently tracked throughout 2019 in Chinese espionage campaigns conducted by threat actors with no obvious links to Sharp Panda.

Despite the overlaps in the use of the tool, Check Point’s recent findings show that Soul is still under active development and deployment.


  • WhatTheActual – 1 day ago

    Whatever happened to .DOCX files not allowing VBA macros? I thought that required a .DOCM? Microsoft needs to get on that.

  • NoneRain – 1 day ago

    I think RoyalRoad exploits old vulnerabilities in Word (like CVE-2018-0798) using an RTF stack buffer overflow. Any updated system/software would not be vulnerable to it.
    I bet attackers know well that security is overlooked and not so well financed at those countries’ government agencies.
