Introduction

In early August 2025, cybersecurity teams in Türkiye uncovered a new Java-based malware loader named SoupDealer. This malware managed to evade detection by all public sandboxes, antivirus solutions, and enterprise EDR/XDR platforms. It was part of a phishing campaign targeting Turkish users, distributing a three-stage loader via files named 'TEKLIFALINACAKURUNLER.jar'.