ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria

Published 13/04/2026 17:05 · Modified 13/04/2026 15:48

Essential information

Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
android apk-builder arabic-language aso rat c2-infrastructure cve-2023-44487 cve-2025-23419 ddns mobile-malware rat rat-as-a-service surveillance syria
Related entities
2 vulnerabilities (cve), 23 indicators, 23 observables, 8 techniques (mitre), 1 malware, 8 others

Description

ASO RAT is a custom Remote Access Trojan featuring comprehensive device compromise capabilities including SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS functionality. Operating from Frankfurt-based infrastructure with connections to , the platform disguises itself as PDF readers and Syrian government applications. Investigation revealed two active C2 servers, four domains, eight malicious APK samples with the newest achieving 0/66 antivirus detections, and complete reverse-engineered panel architecture exposing 21 API endpoints. The multi-user panel with role-based access control suggests operations. Infrastructure includes historical VPS providers and Starlink satellite connections geolocated to . The developer's interface and -themed lures indicate targeting of opposition figures, journalists, and military personnel within the Syrian conflict theater.

External references