Malware (used by 5 actors)

SoftEther VPN

SoftEther VPN is an open-source VPN software suite that threat actors repeatedly abuse as a legitimate remote-access tool for stealthy communications, persistence, and bypassing network restrictions. Public reporting describes use of SoftEther VPN clients and SoftEther VPN Bridge by multiple China-linked espionage clusters, including CL-STA-0048, UNC2814, UAT-7237, Flax Typhoon, and GALLIUM/Red Dev 4.

Observed tradecraft includes delivery of SoftEther VPN clients configured to connect to attacker-controlled infrastructure; deployment of SoftEther VPN Bridge to create encrypted outbound connections; and installation of renamed binaries for defense evasion and persistence, including conhost.exe in C:\Windows\SysWOW64, oracll.exe, and bridge.exe in System32. In one reported case, attackers created a service named SysBridge to auto-start the renamed SoftEther binary at reboot, and the process established outbound HTTPS connections to an attacker-controlled IP on port 443 to create a covert VPN channel.

UAT-7237 reportedly used SoftEther VPN alongside RDP for persistent access to compromised Taiwanese web-hosting infrastructure, with observed SoftEther-related infrastructure spanning roughly September 2022 through December 2024 and Simplified Chinese configured as the preferred display language. Flax Typhoon used a renamed SoftEther executable to maintain covert access after compromising an ArcGIS environment, while Red Dev 4/GALLIUM used SoftEther VPN clients to maintain footholds in telecommunications victims.

Across the cited incidents, SoftEther VPN is associated with long-term persistence, covert remote administration, and enabling lateral movement in victim environments, especially in telecommunications, government, web infrastructure, and other high-value networks.
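The observations above (SoftEther copies renamed to conhost.exe in SysWOW64, oracll.exe and bridge.exe in System32, a SysBridge auto-start service, outbound 443 from the renamed process) and the rename and Run-key evidence in the ATT&CK section below translate directly into hunt logic. The script that follows is an added example written for this page, not code from Mallory or any of the cited vendors. The telemetry records are constructed, and the field names (event, image, product, service_name, key) are assumptions modelled on generic EDR/Sysmon-style events rather than any vendor's schema; the expected-directory baseline for conhost.exe and tasklist.exe is likewise an assumption to adjust against your own golden image.

```python
import re
from dataclasses import dataclass

# File names this page reports SoftEther binaries being renamed to.
REPORTED_RENAMES = {"conhost.exe", "oracll.exe", "bridge.exe",
                    "taskllst.exe", "tasklist.exe", "tasklist_32.exe"}

# Assumed baseline (not from the page): directories these Windows-looking
# names legitimately execute from. Tune this to your own build.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32"},
    "tasklist.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

SOFTETHER = re.compile(r"softether", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)


@dataclass(frozen=True)
class Finding:
    record: int      # index into the telemetry list
    severity: str    # "high" or "medium"
    reason: str


def _split(path):
    """Return (lowercased directory, lowercased file name) of a Windows path."""
    d, _, name = path.lower().rpartition("\\")
    return d, name


def hunt(records):
    """Scan process/service/registry/network records for SoftEther abuse."""
    findings = []
    flagged_pids = set()
    for i, r in enumerate(records):
        kind = r.get("event")
        if kind == "process":
            d, name = _split(r["image"])
            # Version info still naming SoftEther under a different file name
            # is the strongest signal of a renamed binary.
            meta = " ".join(str(r.get(k, "")) for k in ("original_file_name", "product", "description"))
            if SOFTETHER.search(meta) and not SOFTETHER.search(name):
                findings.append(Finding(i, "high", f"{name} carries SoftEther version info under a different file name"))
                flagged_pids.add(r.get("pid"))
            # A Windows-looking name executing outside its expected directory.
            elif name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]:
                findings.append(Finding(i, "high", f"{name} running from {d}, outside its expected location"))
                flagged_pids.add(r.get("pid"))
            # A reported rename that has no legitimate Windows counterpart.
            elif name in REPORTED_RENAMES and name not in EXPECTED_DIRS:
                findings.append(Finding(i, "medium", f"{name} matches a file name SoftEther was reported renamed to"))
                flagged_pids.add(r.get("pid"))
        elif kind == "service_install":
            _, name = _split(r["image_path"])
            if r.get("service_name", "").lower() == "sysbridge" or name in REPORTED_RENAMES:
                findings.append(Finding(i, "high", f"service {r['service_name']} auto-starts {name}"))
        elif kind == "registry_set":
            if RUN_KEY.search(r["key"]) and SOFTETHER.search(r["key"] + " " + r.get("value", "")):
                findings.append(Finding(i, "medium", "Run key persistence referencing SoftEther"))
        elif kind == "network":
            # Outbound 443 from an already-flagged process: the covert VPN channel pattern.
            if r.get("pid") in flagged_pids and r.get("direction") == "outbound" and r.get("dst_port") == 443:
                findings.append(Finding(i, "high", f"flagged pid {r['pid']} opened outbound 443 to {r['dst_ip']}"))
    return findings


# Constructed telemetry for this example; IPs are TEST-NET addresses.
TELEMETRY = [
    {"event": "process", "pid": 4120, "image": r"C:\Windows\SysWOW64\conhost.exe",
     "product": "SoftEther VPN"},                          # renamed bridge, as in the Flax Typhoon case
    {"event": "process", "pid": 812, "image": r"C:\Windows\System32\conhost.exe",
     "product": "Microsoft Windows Operating System"},     # the real console host
    {"event": "process", "pid": 5508, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "product": "Microsoft Windows Operating System"},     # legitimate 32-bit tasklist
    {"event": "process", "pid": 6012, "image": r"C:\ProgramData\tasklist_32.exe"},  # lookalike, no metadata
    {"event": "service_install", "service_name": "SysBridge", "start": "auto",
     "image_path": r"C:\Windows\System32\bridge.exe"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoftEther VPN Client UI",
     "value": r"C:\Users\alice\AppData\Local\vpn\client_ui.exe"},  # constructed path
    {"event": "network", "pid": 4120, "direction": "outbound", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"event": "network", "pid": 812, "direction": "outbound", "dst_ip": "192.0.2.11", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(TELEMETRY):
        print(f"[{f.severity}] record {f.record}: {f.reason}")
```

The ordering of the process checks matters: version-info mismatch fires first because it survives any rename, the location check catches copies that have had their metadata stripped, and the bare-name match is deliberately only medium because tasklist-style names also appear in benign tooling. Network events are only escalated when the originating pid was already flagged, which keeps ordinary HTTPS traffic from the real conhost.exe out of the results.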


THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.
Red Dev 4

We will discuss some of the recent techniques we’ve seen Red Dev 4 use to maintain footholds within victim environments, such as the delivery of SoftEther VPN clients configured to connect to threat actor-owned infrastructure.

via Troopers (troopers.de)
GALLIUM

We will discuss some of the recent techniques we’ve seen Red Dev 4 use to maintain footholds within victim environments, such as the delivery of SoftEther VPN clients configured to connect to threat actor-owned infrastructure.

via Troopers (troopers.de)
UAT-7237

...deploying the SoftEther VPN software for remote access.

via SecurityWeek (securityweek.com)
Flax Typhoon

"We also identified a SoftEther VPN binary placed at C:\Windows\SysWOW64\conhost.exe..."

via Check Point Research blog (research.checkpoint.com)
UNC2814

"...and deployed SoftEther VPN Bridge to create an encrypted outbound connection."

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.003 Virtual Private Server (evidence: 1)

Webworm makes use of SoftEther VPN servers that have been seen hosted on Vultr cloud services.

T1608.002 Upload Tool (evidence: 1)

Webworm staged tools in its GitHub repo for direct download onto compromised systems.

Initial Access

1 technique
T1133 External Remote Services (evidence: 9)

building VPN servers on compromised public-facing servers to establish access into the private network of victims

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 1)

The threat actor installs the SoftEther VPN on compromised public-facing servers and uses certutil commands to download and install the SoftEther VPN server.

T1569.002 Service Execution (evidence: 1)

The threat actor installs the SoftEther VPN on compromised public-facing servers... With the VPN server installed, the actor can then connect to the victim’s network to conduct their post-exploitation movements.

Persistence

3 techniques
T1133 External Remote Services (evidence: 9)

building VPN servers on compromised public-facing servers to establish access into the private network of victims

T1543.003 Windows Service (evidence: 1)

The threat actor installs the SoftEther VPN on compromised public-facing servers...

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"Detect the activity of a SoftEther VPN binary by detecting registry modifications... '...\\CurrentVersion\\Run\\...SoftEther...'"

Privilege Escalation

2 techniques
T1543.003 Windows Service (evidence: 1)

The threat actor installs the SoftEther VPN on compromised public-facing servers...

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"Detect the activity of a SoftEther VPN binary by detecting registry modifications... '...\\CurrentVersion\\Run\\...SoftEther...'"

Defense Evasion

2 techniques
T1036 Masquerading (evidence: 3)

the use of a GitHub repository impersonating a WordPress fork ("github[.]com/anjsdgasdf/WordPress") as a staging ground for malware and tools like SoftEther VPN in an effort to blend in and fly under the radar.

T1036.005 Match Legitimate Resource Name or Location (evidence: 2)

The SoftEther server executable is renamed to either taskllst.exe, tasklist.exe, or tasklist_32.exe for the Windows executable and curl for the Linux executable to make it look like a legitimate file on the installed system.

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

UAT-7237 exploits unpatched servers for initial access, then performs rapid reconnaissance using commands like nslookup, systeminfo, and ping before establishing persistence via SoftEther VPN and RDP rather than web shells.

T1210 Exploitation of Remote Services (evidence: 1)

building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials.

Command and Control

5 techniques
T1090 Proxy (evidence: 3)

The threat sideloaded the malicious DLLs to the legitimate binaries to load Stowaway, a multi-hop proxy tool... After failing to load the malicious DLLs, the threat actor tried to use another tool for the same purpose: iox, a port forward and intranet proxy tool.

T1090.002 External Proxy (evidence: 1)

Furthermore, we observed UAT-8302 deploying the SoftEther VPN clients as well

T1105 Ingress Tool Transfer (evidence: 3)

The threat actor abused certutil to download the PlugX component from a remote domain... Once the threat actor gained a foothold inside the network, they attempted to upload additional tools.

T1219 Remote Access Tools (evidence: 1)

In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target.

T1572 Protocol Tunneling (evidence: 3)

building VPN servers on compromised public-facing servers to establish access into the private network of victims

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Tracked indicator types: hash.sha256, ip.v4, uri (values withheld on the public page; latest sighting for each: 2 months ago).