{
	"id": "39611648-b47a-4d87-97d4-b67caecdac2c",
	"created_at": "2026-04-06T00:10:53.043686Z",
	"updated_at": "2026-04-10T13:12:58.472013Z",
	"deleted_at": null,
	"sha1_hash": "7d144b617ae7f2355cd002b1f779f13215aaead7",
	"title": "Taking Action Against Hackers in Pakistan and Syria",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84558,
	"plain_text": "Taking Action Against Hackers in Pakistan and Syria\r\nBy isolomons\r\nPublished: 2021-11-16 · Archived: 2026-04-05 13:17:14 UTC\r\nWe took action against four distinct groups of hackers from Pakistan and Syria.\r\nThe malicious activity from Pakistan targeted people in Afghanistan.\r\nThree separate hacking groups from Syria targeted a wide range of people in Syria, including civil\r\nsociety, journalists, humanitarian organizations and the anti-regime military forces. Each of these\r\nthree hacking groups had links to the Syrian government, including Syria’s Air Force Intelligence.\r\nToday, we are sharing actions we’ve taken against four distinct groups of hackers in Pakistan and Syria over the\r\npast several months. To disrupt these malicious groups, we disabled their accounts, blocked their domains from\r\nbeing posted on our platform, shared information with our industry peers, security researchers and law\r\nenforcement, and alerted the people who we believe were targeted by these hackers.\r\nThe group from Pakistan — known in the security industry as SideCopy — targeted people who were connected\r\nto the previous Afghan government, military, and law enforcement in Kabul. In Syria, we removed three distinct\r\nhacker groups with links to the Syrian government. The first network in Syria — known as the Syrian Electronic\r\nArmy — targeted human rights activists, journalists and other groups opposing the ruling regime. We linked this\r\nactivity to Syria’s Air Force Intelligence. The second network from Syria — known in the security community as\r\nAPT-C-37 — targeted people linked to the Free Syrian Army and former military personnel who had since joined\r\nthe opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in\r\nSyria’s Air Force Intelligence. 
Finally, the third network from Syria targeted minority groups, activists, opposition,\r\nKurdish journalists, activists, members of the People’s Protection Units (YPG), and Syria Civil Defense or White\r\nHelmets, a volunteer-based humanitarian organization. Our investigation found links between this activity and\r\nindividuals associated with the Syrian government.\r\nMeta’s threat intelligence analysts and security experts work to find and stop a wide range of threats including\r\ncyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other\r\ngroups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying\r\nusers if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve\r\nthe security of our products.\r\nHere are the details on each disruption:\r\nIn August, we removed a group of hackers from Pakistan, known in the security industry as SideCopy, that\r\ntargeted people in Afghanistan, particularly those with links to the Afghan government, military and law\r\nenforcement in Kabul. Given the ongoing crisis and the government collapse at the time, we moved quickly to\r\ncomplete the investigation and take action to protect people on our platform, share our findings with industry\r\npeers, law enforcement and researchers, and alert those who we believe were targeted. In addition, we rolled out a\r\nnumber of security measures for people in Afghanistan to protect their Facebook accounts.\r\nhttps://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/\r\nPage 1 of 7\n\nThis malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s\r\nbehind it. 
On our platform, this cyber espionage campaign ramped up between April and August of 2021 and\r\nmanifested primarily in sharing links to malicious websites hosting malware.\r\nWe identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet,\r\nincluding on our apps (threat indicators can be found at the end of the report):\r\nThis group created fictitious personas — typically young women — as romantic lures to build trust with\r\npotential targets and trick them into clicking on phishing links or downloading malicious chat applications.\r\nThey operated fake app stores and also compromised legitimate websites to host malicious phishing pages\r\nto manipulate people into giving up their Facebook credentials.\r\nSideCopy attempted to trick people into installing trojanized chat apps (i.e. they contained malware that\r\nmisled people about its true intent), including messengers posing as Viber and Signal, or custom-made\r\nAndroid apps that contained malware to compromise devices. Among them were apps named HappyChat,\r\nHangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat\r\napplications.\r\nThese apps typically included two malware families: PJobRAT and a previously unreported Android\r\nmalware strain we are calling Mayhem. These two families have the ability to retrieve people’s contact list,\r\ntext messages, call logs, location information, media files on the device or connected external storage, and\r\ngeneral device metadata. They can also scrape content on the device’s screen via accessibility services.\r\nIn August, 2021, the group shifted to using bit[.]ly URL shortener links to mask the final destination they\r\nwere redirecting their targets to after they clicked on the malicious link.\r\n2. 
Syria\r\nIn October, we took down a hacking group, known in the security community as the Syrian Electronic Army\r\n(SEA) or APT-C-27, that targeted people in Syria, including humanitarian organizations, journalists and activists\r\nin Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army.\r\nOur investigation found that this threat actor has been subsumed into the Syrian government forces in recent\r\nyears, with this latest activity linked to Syria’s Air Force Intelligence. On our platform, this campaign manifested\r\nprimarily in targeting people with social engineering tactics to trick them into clicking on links or downloading\r\nmalicious software.\r\nWe identified the following TTPs used by this threat actor across the internet, including on our apps (threat\r\nindicators can be found at the end of the report):\r\nThis group shared phishing links to lead people to either websites hosting credential phishing pages or\r\nmalware. The phishing campaigns were designed to manipulate their targets into giving away their\r\ncredentials to Facebook accounts.\r\nThey used a combination of commercially available (e.g., HWorm/njRAT for Windows) and custom-built\r\nmalware families (e.g., HmzaRat Desktop for Windows and SilverHawk aka HmzaRAT for Android). For\r\nexample, they deployed Android malware as part of trojanized applications, including those named the\r\nUnited Nations, VPN Secure and several popular chat apps like Telegram — all hosted on attacker-controlled websites.\r\nThis group also used new Android malware built with the open-source mobile app development tool\r\nXamarin and, as of now, it’s only being detected by one anti-virus engine in public virus repositories. 
We\r\nfound this malware in trojanized versions of Telegram and a Syrian news app, that are being distributed\r\nexclusively through phishing websites hosted on the Vercel cloud platform.\r\nThe malware families SEA relied on are capable of collecting a range of sensitive user information, once\r\nthe device is compromised, including the ability to record audio and video, edit or retrieve files, call logs,\r\naddress book, and text messages.\r\n3. Syria\r\nIn October, we took down a hacking group, known in the security community as APT-C-37, that targeted people\r\nlinked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our\r\ninvestigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force\r\nIntelligence. This operation on our platform involved social engineering tactics to trick people into clicking on\r\nlinks to malicious websites hosting malware or credential phishing campaigns aimed at obtaining access to\r\npeople’s Facebook accounts.\r\nWe identified the following TTPs used by this threat actor across the internet, including on our apps (threat\r\nindicators can be found at the end of the report):\r\nAPT-C-37 has continued to use commodity malware known as SandroRAT in addition to an Android\r\nmalware family known as SSLove, likely developed in-house.\r\nThis group relied on social engineering to distribute malware to manipulate their targets into visiting\r\nattacker-controlled websites. Some of these sites focused on content about Islam, others masqueraded as\r\nlegitimate app stores or used look-alike domains posing as popular services, including Telegram,\r\nFacebook, YouTube, and WhatsApp.\r\nAPT-C-37 relied on Android malware with common malicious functionality to retrieve sensitive user data,\r\nincluding call logs, contact information, device information, user accounts, take photos, and retrieve\r\nattacker specified files.\r\n4. 
Syria\r\nWe took down a hacking group that targeted minority groups; activists; opposition in Southern Syria, including in\r\nSweida, Huran, Qunaitra and Daraa; Kurdish journalists, activists in Northern Syria, including Kamishl, Kubbani,\r\nManbij, and Al-Hasakah; members of the People’s Protection Units (YPG); and Syria Civil Defense (the White\r\nHelmets, a volunteer-based humanitarian organization). Our investigation found links between this activity and\r\nindividuals associated with the Syrian government. On our platform, this operation manifested primarily as social\r\nengineering and sharing links to malicious websites.\r\nWe identified the following TTPs used by this threat actor across the internet, including on our apps (threat\r\nindicators can be found at the end of the report):\r\nThis group shared links to attacker-controlled websites hosting Android malware masquerading as apps and\r\nupdates themed around the United Nations, White Helmets, YPG, Syrian satellite TV, COVID-19,\r\nWhatsApp and YouTube.\r\nLikely due to this operation’s reliance on commercially available malware, this group has not been\r\nseparately tracked by the security community. While this likely limited their effectiveness thanks to the\r\nexisting anti-virus detection aimed at these commodity tools, it has also perhaps allowed them to hide in\r\nthe noise.\r\nAmong the commodity Android malware this group used: SpyNote and SpyMax.\r\nThreat Indicators\r\n1. 
Pakistan\r\nDomains \u0026 C2s:\r\nDomain Description\r\nandroappstore[.]com Hosting PJobRAT and Mayhem\r\nwww[.]apphububstore[.]in Hosting PJobRAT\r\nappsstore[.]in Hosting PJobRAT\r\napkstore.filehubspot[.]com Believed to be hosting PJobRAT\r\nhelloworld.bounceme[.]net Command and control server for PJobRAT\r\ndasvidaniya.ddns[.]net Command and control server for PJobRAT\r\ngemtool.sytes[.]net Command and control server for PJobRAT\r\nsaahas.servecounterstrike[.]com Command and control server for Mayhem\r\nHashes:\r\nMD5 Description Malware Family\r\n7804aa608d73e7a9447ae177c31856fe ViberLite v4 PJobRAT\r\na80a1b022fdcaa171e454086711dcf35 ViberLite v3 PJobRAT\r\na4f104e2058261c7dbfc1c69e1de8bce ViberLite v2 PJobRAT\r\n4ce92da8928a8d1d72289d126a9fe2f4 HangOn V4e PJobRAT\r\na53c74fa923edce0fa5919d11f945bcc HangOn v4 PJobRAT\r\n9fd4b37cbaf0d44795319977118d439d HangOn PJobRAT\r\n7bef7a2a6ba1b2aceb84ff3adb5db8b3 TrendBanter PJobRAT\r\nv21b4327d6881be1893fd2a8431317f6b Happy Chat Mayhem\r\n2. SEA / APT-C-27\r\nDomains \u0026 C2s:\r\nDomain / IP Description\r\nfaccebookaccunt[.]blogspot[.]com Credential phishing\r\nruba-bakkour-facebook[.]blogspot[.]com\r\nCredential phishing\r\nchatsafe[.]tecnova.com[.]br Distribution of SilverHawk in 2020\r\ndownload-telegram.vercel[.]app\r\nUsed by SEA affiliated individuals to distribute a new unnamed\r\nAndroid family\r\ndownload-revo.vercel[.]app\r\nUsed by SEA affiliated individuals to distribute a new unnamed\r\nAndroid family\r\n82.137.218[.]185\r\nCommand and control server. Used to distribute a variety of\r\ncommodity and custom Android malware.\r\nHashes:\r\nMD5 Description Malware Family\r\ndf196bd42e1da1d34c23c8d947561618 Fake version of Telegram Unnamed\r\nccabc8f4868184a04b032b34d9303810 Trojanized Syrian News app Unnamed\r\n3. 
APT-C-37\r\nDomains \u0026 C2s:\r\nDomain / IP Description\r\n82.137.255[.]0 Long running command and control server\r\nHashes:\r\nMD5 Description Malware Family\r\n969fe5597a44bf4eb66ebdc7b09ef2c8 Fake version of WhatsApp SSLove\r\n4. Unnamed Cluster\r\nDomains \u0026 C2s:\r\nDomain / IP Description\r\nf-b[.]today Hosting SpyMax\r\nmessengers[.]video Hosting SpyMax\r\nwhatsapp-sy[.]com Hosting SpyMax\r\nhoran-free[.]com Believed to have been hosting SpyMax\r\ndruze[.]life Believed to have been hosting SpyMax\r\nsuwayda-24[.]com Believed to have been hosting SpyMax\r\nt-me[.]link Believed to have been hosting SpyMax\r\nlamat-horan[.]com Hosting unnamed Android malware\r\nanti-corona[.]app Believed to have been hosting SpyMax\r\nwhat-sapp[.]site Believed to have been hosting SpyMax\r\ninformnapalm[.]net\r\nHosting trojanized apps for the YPG, Syrian Civil Defense, and malware\r\npretending to be an update for WhatsApp.\r\nfacebook-helps-center[.]com Older infrastructure hosting SpyMax malware pretending to be a WhatsApp\r\nupdate.\r\n46.4.83[.]140 Command and control server\r\nsputniknews[.]news Believed to be attacker controlled\r\nemmashop[.]app Believed to be attacker controlled\r\nface-book[.]xyz Believed to be attacker controlled.\r\nHashes:\r\nMD5 Description Malware Family\r\n762acdd53eb35cd48686b72811ba9f3c\r\nHosted on lamat-horan[.]com.\r\nFirst seen in 2019.\r\n0 detections on VT.\r\nUnnamed\r\nfcf357556c3af14bab820810f5e94436\r\nHosted on f-b[.]today.\r\nMasquerading as a Syrian satellite TV app.\r\nSpyMax\r\ne8a528491b28e4d62a472da7396c7047\r\nHosted on f-b[.]today.\r\nMasquerading as a YouTube update.\r\nSpyMax\r\n1c16ee8b2f0dff7280e1d97522ee7e3f\r\nHosted on informnapalm[.]net.\r\nA Syria themed 
APK.\r\nSpyNote\r\nce274c0bd0743695529a43d7992e2d2c\r\nHosted on informnapalm[.]net.\r\nMasquerading as a WhatsApp update.\r\nSpyMax\r\n185062606b168f04b8b583045d300be5\r\nHosted on informnapalm[.]net.\r\nMasquerading as an app for the YPG.\r\nSpyMax\r\nc2e55b0d7be1c1991a5b70be7280e528\r\nHosted on informnapalm[.]net.\r\nMasquerading as an app for the Syrian Civil\r\nDefence.\r\nSpyMax\r\nSource: https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/"
	],
	"report_names": [
		"taking-action-against-hackers-in-pakistan-and-syria"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e",
			"created_at": "2022-10-25T16:07:24.256045Z",
			"updated_at": "2026-04-10T02:00:04.912815Z",
			"deleted_at": null,
			"main_name": "Goldmouse",
			"aliases": [
				"APT-C-27",
				"ATK 80",
				"Golden Rat",
				"Goldmouse"
			],
			"source_name": "ETDA:Goldmouse",
			"tools": [
				"Bladabindi",
				"GoldenRAT",
				"Jorik",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf",
			"created_at": "2023-01-06T13:46:38.937468Z",
			"updated_at": "2026-04-10T02:00:03.151838Z",
			"deleted_at": null,
			"main_name": "APT-C-27",
			"aliases": [
				"Golden RAT",
				"ATK80",
				"GoldMouse"
			],
			"source_name": "MISPGALAXY:APT-C-27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d144b617ae7f2355cd002b1f779f13215aaead7.pdf",
		"text": "https://archive.orkl.eu/7d144b617ae7f2355cd002b1f779f13215aaead7.txt",
		"img": "https://archive.orkl.eu/7d144b617ae7f2355cd002b1f779f13215aaead7.jpg"
	}
}