ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria
Essential information
- Published: 13/04/2026 17:05
- Modified: 13/04/2026 15:48
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: android apk-builder arabic-language aso rat c2-infrastructure cve-2023-44487 cve-2025-23419 ddns mobile-malware rat rat-as-a-service surveillance syria
- Tags: 2026-04-13 CVE-2023-44487 CVE-2025-23419 android apk-builder arabic-language aso rat c2 infrastructure ddns mobile malware rat rat-as-a-service surveillance syria
- Related entities: 2 vulnerabilities (cve), 23 indicators, 23 observables, 8 techniques (mitre), 1 malware, 8 others
Description
ASO RAT is a custom Android Remote Access Trojan featuring comprehensive device compromise capabilities including SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS functionality. Operating from Frankfurt-based infrastructure with connections to Syria, the platform disguises itself as PDF readers and Syrian government applications. Investigation revealed two active C2 servers, four DDNS domains, eight malicious APK samples with the newest achieving 0/66 antivirus detections, and complete reverse-engineered panel architecture exposing 21 API endpoints. The multi-user panel with role-based access control suggests RAT-as-a-Service operations. Infrastructure includes historical VPS providers and Starlink satellite connections geolocated to Syria. The developer's Arabic-language interface and Syria-themed lures indicate targeting of opposition figures, journalists, and military personnel within the Syrian conflict theater.