In live incidents, SoupDealer bypassed host‐based antivirus checks by confirming no security products were active before proceeding.

That’s a pretty narrow victim demographic. Windows has Defender enabled out of the box. I don’t see any investigation on the C2 connection, either, so I’m left wondering who the attacked and intended targets are.

Yikes 😬

Why would somebody only target machines in Turkey?