{
	"id": "96e460af-53a2-42a7-b37b-070acb0d4a1b",
	"created_at": "2026-04-06T00:13:59.620261Z",
	"updated_at": "2026-04-10T03:20:52.077363Z",
	"deleted_at": null,
	"sha1_hash": "a687d5154b466bc7eb655cec3c81e4278ac0a82c",
	"title": "Analysis of Spyware That Helped to Compromise a Syrian Army from Within",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2027279,
	"plain_text": "Analysis of Spyware That Helped to Compromise a Syrian Army\r\nfrom Within\r\nBy mh\r\nPublished: 2025-06-05 · Archived: 2026-04-05 20:16:26 UTC\r\nThe investigation into the collapse of the Assad regime reveals a significant technical dimension, particularly a\r\nspyware application named STFD-686 that was distributed among Syrian army officers via Telegram. This is a\r\nfascinating story where Android SpyMax spyware was able to exfiltrate sensitive data from soldiers’ smartphones\r\nand played a part in taking over the regime in Syria. This case demonstrates that effective smartphone espionage\r\ndoesn’t always require expensive zero-day exploits or the development of sophisticated, custom and undetected\r\nspyware. Instead, attackers can achieve significant intelligence gains using older, off-the-shelf tools like Android\r\nSpyMax—especially when combined with well-crafted phishing campaigns and social engineering. The\r\ncompromise of a military through a repurposed, widely available RAT delivered via trusted channels highlights how\r\nlow-cost, high-impact cyber operations can be executed with minimal technical innovation but maximum strategic\r\neffect.\r\nIn this blog I connect this campaign to further spyware apps found in 2023 and to samples I was able to find\r\nvia public sources. The original story was published with limited technical details by New Lines Magazine. Here I\r\ntry to shed more light on its technical part.\r\nDesperation and Deception: Why Soldiers Fell for the Trap\r\nThe Syrian army, weakened by a decade of warfare and severe economic collapse, saw soldiers’ salaries plummet\r\nto barely $20 a month. This desperation led officers and soldiers to prioritize survival, fostering an environment\r\nripe for exploitation. In early summer 2024, a mobile application called STFD-686, or Syria Trust for\r\nDevelopment, began circulating among Syrian army officers. 
This app was designed to appear credible by\r\nleveraging the name of a familiar humanitarian organization, the Syria Trust for Development, which is overseen\r\nby Asma al-Assad. It was distributed primarily through a Telegram channel also named Syria Trust for\r\nDevelopment, and its visual deception included mirroring the official organization’s name and logo, and even\r\nmimicking its official domain (syriatrust.sy).\r\nThe lure for soldiers was the promise of monthly cash transfers of around 400,000 Syrian pounds\r\n(approximately $40). Once downloaded, the app’s initial questionnaire swiftly escalated its data collection.\r\nFigure 1 shows the phishing screen that is displayed after the app starts.\r\nhttps://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/#google_vignette\r\nPage 1 of 9\n\nFigure 1. Phishing activity\r\nIt requested crucial military intelligence: the user’s phone number, military rank, and exact service location\r\ndown to the corps, division, brigade, and battalion. This was not a mere questionnaire, but a data entry form\r\nfor military algorithms, transforming the officers’ phones into “live printers” that generated accurate battlefield\r\nmaps.\r\nWhat is SpyMax?\r\nSpyMax is an Android Remote Access Trojan (RAT) that emerged as part of the broader SpyNote malware family,\r\nfirst surfacing in underground forums around 2018. Designed to covertly infiltrate Android devices, SpyMax\r\noffers attackers full control over infected phones—enabling surveillance via camera and microphone, GPS\r\ntracking, message interception, and more. While initially sold on hacking forums, SpyMax was eventually leaked\r\nand cracked, making it freely accessible to a wider range of cybercriminals. 
This access led to its widespread\r\nabuse in targeted surveillance and crimeware campaigns such as:\r\nSpyMax Variant Targeting Chinese-Speaking Users in 2025\r\nSpyMax – An Android RAT targets Telegram Users in 2024\r\nUnknown Nation-Based Threat Actor Using Android RAT to Target Indian Defence Personnel in 2022\r\nFabricated Bank website distributes Android Spyware in 2022\r\nCommercial surveillance tools exploit COVID-19 to spread (MobiHok, SpyNote, SpyMax) in 2020\r\nOn top of that, there are also two brilliant technical SpyMax analyses, by Stratosphere Lab and ERNW, that will help you\r\nunderstand how it works.\r\nFigure 2. SpyMax control admin panel (source: https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19)\r\nInitial access\r\nThe attack began with a phishing campaign targeting Syrian military personnel. A seemingly legitimate mobile\r\napplication was distributed via a Telegram channel. The app was disguised as STFD-686, which encouraged users\r\nto install it voluntarily.\r\nMore apps\r\nBased on the original article, the Telegram channel was used to distribute only one spyware app, using the name\r\nSTFD-686. This app used two domains for communication:\r\nPhishing domain to lure user data ( syr1[.]store )\r\nC\u0026C server to download payloads and exfiltrate data ( west2[.]shop )\r\nUsing apklab.io, I was able to pivot on these domains and found four more samples that used the same domains\r\nand similar app names, and that could potentially be part of the campaign. You can see the app names below.\r\nFigure 3. 
More app samples using the same C\u0026C server\r\nOne more sample used the same C\u0026C, but instead of syr1[.]store , it tried to lure data using the similar-looking\r\nsyr1[.]online .\r\nFigure 4. Sample using the same C\u0026C but a different phishing website\r\nFigure 5. STF-5 app displaying syr1[.]online\r\nIn November 2023, Qianxin Threat Intelligence Center published a technical analysis of SpyMax samples that used\r\nthe same server for the lure ( syr1[.]store ) and similar app names ( syria-trust-for-development , الأمانة السورية للتنمية ;\r\ntranslated: Syrian Trust for Development) but a different C\u0026C. Actually, these are the last two apps\r\nvisible in Figure 3.\r\nOnce installed, it requested a range of permissions under the guise of normal Android behavior, such as access to\r\ncontacts, messages, camera, microphone, location etc.\r\nFigure 6. Initial permission request\r\nIf allowed, the spyware displays a phishing screen to lure user data and sends it to the server.\r\nFigure 7. User-entered data being sent to the syr1[.]store server\r\nThe domains that the spyware communicates with are hardcoded in the APK resources.\r\nFigure 8. Hardcoded domains in APK’s resources\r\nThe main difference between SpyMax and other off-the-shelf spyware is that SpyMax doesn’t have all the\r\nmalicious functionality implemented in the main app – in this case downloaded from the Telegram channel. 
Rather, it\r\ncommunicates with the C\u0026C ( west2[.]shop ) and, whenever necessary, downloads the functionality as APK or DEX\r\npayloads and loads it dynamically.\r\nFigure 9. Code responsible for dynamically loading downloaded payloads\r\nDuring this analysis, I wasn’t able to retrieve these payloads.\r\nFigure 10. C\u0026C network traffic without payload retrieval\r\nMalicious functionality\r\nEven though I wasn’t able to get my hands on the additional payloads, SpyMax by default uses eight of them. Using\r\nall of them, SpyMax can:\r\nStream camera from device,\r\nRecord audio using microphone,\r\nTrack device location,\r\nKeylog user input,\r\nUpload and download files from the mobile device,\r\nExfiltrate SMS, contacts, installed apps, and call logs.\r\nImpact\r\nThe main purpose of using SpyMax in this espionage campaign was to provide dynamic intelligence on the\r\nSyrian army’s operational status. By combining collected personal data with real-time surveillance capabilities,\r\nthe attackers could:\r\nIdentify officers in sensitive positions, such as battalion commanders and communications officers.\r\nConstruct live maps of force deployments, charting both strongholds and gaps in the Syrian army’s\r\ndefensive lines.\r\nAssess the real size and strength of deployed troops.\r\nAccess troop concentrations, phone conversations, text messages, sensitive documents, and maps on\r\nofficers’ devices.\r\nConclusion\r\nThe attack stands out as unique because, unlike other spyware operations that typically target individuals, this\r\ncampaign appears to have focused on compromising an entire military institution through a primitive but\r\ndevastating phishing attack using Android spyware.\r\nThis case shows that smartphone espionage doesn’t need costly zero-day exploits or advanced spyware. 
Off-the-shelf tools like Android SpyMax, paired with smart phishing and social engineering, can produce high-impact\r\nresults. Even military targets can be compromised using cheap, widely available tools delivered through trusted\r\nchannels.\r\nIoC\r\nKudos to apklab.io.\r\nFiles\r\nd83204a01d3c6f14096f6fe1b59e3f11e8f2c6fb2736792febffb1701fe9a5bc\r\nc82aa80d45022ae7f009e82586e34f990288625c1c876c85e07df74ab3136450\r\n28fef58c7817926cf7dc0f44e92c1e6716d125b2675e753d415dafe8e7094b37\r\n60ca970a774c5ff1ada52170857989721158064b932e999714bff7f4bd8b570c\r\n2c1aa8139f55b6566ff8fcb88efccd169040b8cff932683e8d4e1401f9c64644\r\ndb041da97c1f30a6fc7765994b556839f8550774af1662ae0ab105e2fc324487\r\nNetwork\r\nsyr1[.]store\r\nsyr1[.]online\r\nwest2[.]shop\r\nSource: https://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/#google_vignette",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/#google_vignette"
	],
	"report_names": [
		"#google_vignette"
	],
	"threat_actors": [],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a687d5154b466bc7eb655cec3c81e4278ac0a82c.pdf",
		"text": "https://archive.orkl.eu/a687d5154b466bc7eb655cec3c81e4278ac0a82c.txt",
		"img": "https://archive.orkl.eu/a687d5154b466bc7eb655cec3c81e4278ac0a82c.jpg"
	}
}