In late 2020, a Chinese threat actor known as Sharp Panda began targeting high-profile government entities in Southeast Asia in a cyber espionage campaign. The campaign departs from the attack chains the group used in 2021 in that it relies on a new version of the Soul modular framework. Israeli cybersecurity company Check Point has described the campaign as "long-running" and said that it has historically singled out countries such as Vietnam, Thailand, and Indonesia.
Broadcom's Symantec division first documented the use of the Soul backdoor in October 2021 in connection with an unattributed espionage operation targeting the defense, healthcare, and ICT sectors in Southeast Asia. Fortinet FortiGuard Labs later determined that the malware dates back to October 2017 and that it repurposed code from Gh0st RAT and other publicly available tools.
Check Point's research shows that the attack chain begins with a spear-phishing email containing a lure document that leverages the Royal Road Rich Text Format (RTF) weaponizer to drop a downloader by exploiting one of several vulnerabilities in the Microsoft Equation Editor.
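For defenders triaging mail attachments, the detail that matters in this chain is the embedded Equation Editor OLE object inside the RTF lure. The following is an added example, not code from Check Point, Symantec, Fortinet or the Sharp Panda reporting: a small scanner that flags RTF files carrying an Equation Editor object, both by the declared `\objclass` and by decoding the hex `\objdata` payload, so that a document whose class declaration was stripped is still caught. The Equation.3 class name and its CLSID are the real Windows identifiers; the RTF samples and the `build_ole1_header` helper are constructed here for illustration.

```python
"""Triage scanner: flag RTF documents that embed a Microsoft Equation Editor OLE object.

Added example for this article; not the vendors' code. Equation Editor is a legitimate
component, so a hit is a triage signal for sandboxing, not proof of exploitation.
"""
import binascii
import re

# Equation Editor class names and CLSID {0002CE02-0000-0000-C000-000000000046};
# the CLSID is stored in OLE streams in the little-endian GUID byte layout.
EQUATION_CLASS_NAMES = (b"Equation.3", b"Equation.2")
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_blob: str) -> bytes:
    """Decode the hex payload of an \\objdata group, tolerating whitespace and an odd length."""
    cleaned = re.sub(r"\s+", "", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # drop a dangling nibble left by truncation or obfuscation
    return binascii.unhexlify(cleaned)


def scan_rtf(rtf: str) -> dict:
    """Return declared object classes, the count of Equation Editor objects, and a verdict."""
    findings = {
        "object_classes": OBJCLASS_RE.findall(rtf),
        "equation_objects": 0,
        "suspicious": False,
    }
    for match in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(match.group(1))
        if any(name in blob for name in EQUATION_CLASS_NAMES) or EQUATION_CLSID_LE in blob:
            findings["equation_objects"] += 1
    declared = any(c.lower().startswith("equation") for c in findings["object_classes"])
    findings["suspicious"] = bool(findings["equation_objects"]) or declared
    return findings


def build_ole1_header(class_name: bytes) -> bytes:
    """Constructed OLE1 ObjectHeader: version 0x501, format id 2 (embedded),
    class-name length, NUL-terminated class name. Used only to build test samples."""
    name = class_name + b"\x00"
    return b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name


# Constructed samples (hypothetical content, not real lure documents).
SAMPLE_LURE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + build_ole1_header(b"Equation.3").hex()
    + r"}}Quarterly budget review\par}"
)
# Same object with the \objclass declaration removed: only payload decoding catches it.
SAMPLE_STRIPPED_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objdata "
    + build_ole1_header(b"Equation.3").hex()
    + r"}}Quarterly budget review\par}"
)
SAMPLE_BENIGN_RTF = r"{\rtf1\ansi Agenda for Tuesday\par}"

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE_RTF), ("stripped", SAMPLE_STRIPPED_RTF), ("benign", SAMPLE_BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

In a mail gateway or sandbox pre-filter, documents where `suspicious` is true would be detonated rather than delivered; pairing this with a check that the Equation Editor component is disabled or removed on endpoints closes the rest of the gap.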