Security Articles


The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware

Released on 2022-02-28 at 03:51:42 PM
A threat report published by Symantec in October 2021 recently caught Fortinet's attention. It discusses an unknown threat actor conducting an espionage campaign in Southeast Asia using a new custom malware arsenal. What piqued Fortinet's curiosity most was the mention of a DLL payload, loaded from the registry, that had yet to be discovered. The module is stored in the registry as a compressed blob with a custom header and is never written to disk. Because it only ever exists in the registry and in memory, file-based scanning and hash-sharing datasets such as VirusTotal are unlikely to capture it; finding it means inspecting registry values and running processes rather than files. Fortinet has now uncovered a sample of the module, along with a plethora of components and variants dating as far back as 2017, and has traced the development of this malware over the years. Over time, custom code was added, components were upgraded, capabilities expanded, the code became neater, and modularity increased. This blog examines the different components of this malware and their progression over time, thereby mapping the evolution of the Soul malware framework.
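The summary above notes that the payload lives only in the registry as a compressed blob and never touches disk, which is the detail a hunter would act on. The script below is an added example, written for this page and not taken from the Fortinet or Symantec reports: it walks a set of registry hives, lists REG_BINARY values above a size threshold, and labels each with any recognised leading magic bytes and its Shannon entropy. The hive list, the 16 KB threshold and the magic-byte table are assumptions chosen for illustration, not indicators from either report; the report describes a custom header, so a large, high-entropy blob labelled "unknown" is exactly the kind of hit worth a closer look.

```powershell
# Added hunting example (not code from the Fortinet report): enumerate large
# REG_BINARY values that could hold an in-registry module and summarise each one.
# Assumptions: the hives searched, the size threshold and the magic-byte table
# below are illustrative choices, not indicators published for SoulSearcher.

param(
    [int]$MinSizeBytes = 16KB,
    [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet')
)

# Assumed signatures for common blob formats. A custom header (as the report
# describes) will match none of these and be reported as "unknown".
$Magic = @{
    'PE (MZ)'   = @(0x4D, 0x5A)
    'zlib'      = @(0x78, 0x9C)
    'zlib-best' = @(0x78, 0xDA)
    'gzip'      = @(0x1F, 0x8B)
}

function Get-BlobLabel {
    param([byte[]]$Bytes)
    foreach ($name in $Magic.Keys) {
        $sig = $Magic[$name]
        if ($Bytes.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Bytes[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $name }
    }
    return 'unknown'
}

# Shannon entropy in bits per byte: compressed or encrypted data sits close to 8,
# plain configuration data or text sits well below that.
function Get-Entropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 2)
}

# Walk each hive; keys we cannot read are skipped silently.
$results = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            $data = $key.GetValue($name)
            if ($data.Length -lt $MinSizeBytes) { continue }
            [pscustomobject]@{
                Key     = $key.Name
                Value   = $name
                Bytes   = $data.Length
                Magic   = Get-BlobLabel -Bytes $data
                Entropy = Get-Entropy -Bytes $data
            }
        }
    }
}

$results | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that HKLM is fully readable. The output is a triage list, not an alert: Windows itself keeps large binary values in places such as application-compatibility and component-store keys, so the useful signal is the combination of a large size, entropy near 8, an unrecognised header and a key or value name with no legitimate owner. Where the script does not reach a value (for example under a key the current account cannot read), that value simply does not appear, so a clean run is not proof of a clean host.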